Home/Resources/CMMC 2.0 Compliance: A Practical Guide for Contractors
Compliance

CMMC 2.0 Compliance: A Practical Guide for Contractors

CMMC 2.0 Compliance: A Practical Guide for Contractors
Quick answer

CMMC (Cybersecurity Maturity Model Certification) is the U.S. Department of Defense framework that requires contractors handling federal contract information or controlled unclassified information to meet defined cybersecurity standards. CMMC 2.0 has three levels, built largely on NIST SP 800-171, and is being phased into DoD contracts.

What is CMMC?

CMMC is the Department of Defense's program for verifying that companies in its supply chain protect sensitive government data. If your organization handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you will need to meet a CMMC level to remain eligible for DoD contracts. The framework is built largely on the security controls in NIST SP 800-171.

What are the three CMMC 2.0 levels?

  • Level 1 (Foundational) — 17 basic safeguards for organizations that handle only FCI. Verified by an annual self-assessment.
  • Level 2 (Advanced) — the 110 controls of NIST SP 800-171, for organizations that handle CUI. Verified by self-assessment or, for many contracts, a third-party assessment by a C3PAO.
  • Level 3 (Expert) — adds controls from NIST SP 800-172 for the most sensitive programs, with a government-led assessment.

Who needs to be CMMC certified?

Any business in the defense supply chain that processes, stores, or transmits FCI or CUI — including many subcontractors and suppliers who never deal with the DoD directly. If a prime contractor passes CUI down to you, the requirement flows with it. The required level is specified in the contract.

What is the CMMC timeline?

The DoD finalized the CMMC Program rule (32 CFR Part 170), which took effect in December 2024, and is phasing certification requirements into solicitations through a multi-year rollout. Because exact dates depend on your contracts and the acquisition rule (48 CFR), the practical takeaway is simple: the requirement is real and the lead time to prepare is long. Verify current requirements against official DoD CIO CMMC guidance and your contracting officer.

How do you prepare for CMMC?

  1. Determine which level your contracts require and where FCI/CUI lives in your environment.
  2. Define the boundary — the systems and people that touch that data — to scope the assessment.
  3. Run a gap assessment against NIST SP 800-171 and produce a System Security Plan (SSP) and Plan of Action and Milestones (POA&M).
  4. Remediate gaps: access control, multifactor authentication, encryption, logging, and incident response are common shortfalls.
  5. Record your SPRS score and prepare for self-assessment or a C3PAO assessment as required.

How Splashwire helps

Splashwire vCIOs build solutions on the NIST framework and guide organizations through readiness for NIST 800-171 and CMMC Level 2 — gap assessments, remediation, and the documentation assessors expect. See our cybersecurity services and vCIO program.

This guide is general information, not legal or contractual advice. Confirm your specific obligations with your contracting officer and current DoD guidance.

Frequently asked questions

CMMC stands for Cybersecurity Maturity Model Certification, the U.S. Department of Defense framework requiring contractors to protect Federal Contract Information and Controlled Unclassified Information.

Three: Level 1 (Foundational, 17 safeguards, self-assessed), Level 2 (Advanced, the 110 controls of NIST SP 800-171), and Level 3 (Expert, adding NIST SP 800-172 controls with a government-led assessment).

Any organization in the DoD supply chain that handles Federal Contract Information or Controlled Unclassified Information, including subcontractors. The required level is specified in the contract.

Yes. CMMC Level 2 is built on the 110 security controls in NIST SP 800-171, and Level 3 adds controls from NIST SP 800-172.

Back to the Resource Library