What Is CMMC 2.0 Compliance? Essential Insights for Businesses

What’s New (Updated for Eligibility, Assessments & Requirements)

This blog has been updated to reflect the CMMC Final Rule (32 CFR Part 170), fully enforceable as of November 10, 2025. Contractors must now meet their required CMMC level at contract award, ensure accurate SPRS scoring, and use cloud and external service providers that meet FedRAMP Moderate (or equivalent) standards. CMMC Level 1 and CMMC Level 2 requirements now appear in active DoD solicitations, replacing prior expectations of “future rollout.” References to pending rules, phased implementation, and anticipated timelines have been updated to reflect current enforcement.

Understanding What CMMC 2.0 Means for Your Organization Today

The Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) to safeguard sensitive but unclassified information. Importantly, CMMC 2.0 plays a pivotal role in national security by responding to increasingly sophisticated cyber threats that cost the defense sector an estimated $600 billion each year.

For nearly a decade, DFARS 7012 has required firms to implement NIST SP 800-171, and it continues to do so. Under DFARS 7021 and the Final Rule, however, DoD solicitations now require contractors to validate Level 1 and Level 2 requirements at contract award. The pivotal change brought by CMMC 2.0 under DFARS 7021 is that many Defense Industrial Base (DIB) organizations may be required to undergo a C3PAO assessment when CMMC Level 2 solicitations mandate it, while others will complete a self-assessment with executive affirmation. Entities still eligible for self-assessment face heightened scrutiny: an executive must annually attest that the organization complies with NIST SP 800-171 or other relevant standards, depending on the type of information handled.

In this article, we explore the most frequently asked questions about CMMC 2.0 and the regulations and compliance requirements now taking effect for DIB organizations.

Frequently Asked Questions About CMMC 2.0 Compliance

1. What does CMMC mean? What is CMMC Compliance?

CMMC stands for Cybersecurity Maturity Model Certification, a streamlined cybersecurity program initiated by the Department of Defense. Its aim is to protect Controlled Unclassified Information (CUI) that DIB organizations store, process, or transmit. As a result, this framework ensures that personnel working on DoD contracts operate in a secure environment that shields CUI from unauthorized access aimed at theft or misuse.

2. What does it mean to be CMMC 2.0 compliant? 

Achieving CMMC 2.0 compliance means a DIB organization meets the required CMMC 2.0 standards based on its maturity level. In other words, CMMC levels define the controls an organization must implement and how those controls should be verified.

  • For Maturity Level 1, which covers protection of Federal Contract Information (FCI), there are 15 practices, and self-assessment is permitted.
  • Maturity Level 2 includes 110 practices aligned with NIST SP 800-171 r2 controls. Some firms that do not handle sensitive CUI may self-assess under CMMC Level 2; however, most organizations will require an external assessment by a C3PAO.
  • Maturity Level 3 comprises 134 practices, including an additional 24 controls from NIST SP 800-172, and requires assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Organizations must validate their practices to maintain DoD contracts, avoid penalties, and safeguard sensitive data.

3. How Do Organizations Meet CMMC Compliance Standards?

To meet CMMC compliance cybersecurity standards, your organization must:

  • Implement the required controls for your level, whether 15 basic safeguards at Level 1 or all 110 NIST SP 800-171 controls for CMMC Level 2 compliance.
  • Validate through assessment, either a self-assessment with executive affirmation or an external C3PAO evaluation, depending on the solicitation.
  • Submit accurate SPRS scores that reflect your actual security posture, with executive attestation carrying False Claims Act liability.
  • Maintain compliance continuously through annual reaffirmation or triennial C3PAO recertification.
  • Ensure service providers handling CUI meet FedRAMP Moderate (or equivalent) CMMC compliance standards.

4. How do I know which CMMC level my organization needs to achieve?

In practice, the CMMC 2.0 level required for your DIB firm depends on the contract solicitations you plan to pursue, as each contract sets a specific Maturity Level (ML). The type of information your organization manages also affects CMMC compliance requirements: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) carry different security obligations. The three levels are:

Level 1 (Foundational)

This initial level primarily targets companies dealing only with FCI, which must implement basic cybersecurity measures based on FAR 52.204-21. These measures help safeguard contractors’ information and restrict access to authorized individuals only.

Level 2 (Advanced)

Organizations engaging with CUI must achieve this minimum level of compliance. CMMC Level 2 compliance requirements align with NIST SP 800-171 r2 controls, consisting of 14 domains and 110 controls, which are vital for protecting the CUI managed by the DIB.

Level 3 (Expert)

This is the highest security level designated for DIB organizations working closely with the DoD. Its controls and requirements target Advanced Persistent Threats (APTs). Notably, the DoD says that this level will consist of the 110 controls in NIST SP 800-171 alongside additional controls from NIST SP 800-172.

5. CMMC 1.0 vs CMMC 2.0: What Is The Difference?

The CMMC program was revised to streamline the compliance framework and simplify compliance for contractors. Protecting sensitive information remains the priority, but CMMC 2.0 refines the approach by aligning more closely with established NIST standards than the original CMMC while offering more flexibility.

The primary differences include:

  • A Simpler Model: CMMC 2.0 reduces the number of compliance tiers from five to three (Level 1, Level 2, and Level 3), eliminating the previous transitional levels.
  • Revised Assessment Needs: Under CMMC 1.0, all organizations required a third-party assessment. CMMC 2.0 allows companies at Level 1 and a subset of those at Level 2 to conduct annual self-assessments instead.
  • Greater Flexibility: CMMC 1.0 required perfect compliance for certification. CMMC 2.0 allows companies to use a Plan of Action & Milestones (POA&M) to address certain lower-risk security gaps related to non-critical controls after an assessment, making it possible to achieve certification while still working to close minor findings.
  • Elimination of CMMC-Specific Controls: CMMC security compliance now relies entirely on established NIST standards. All CMMC-unique practices and maturity processes were removed. CMMC Level 2 requirements now align directly with NIST SP 800-171 and Level 3 adds controls from NIST SP 800-172.

6. How do I obtain CMMC 2.0 certification? 

First, review the CMMC 2.0 requirements that apply to your organization. Create a System Security Plan (SSP) and develop internal policies for secure CUI handling. Organizations may use a self-assessment for Maturity Level 1 (ML1), mostly applicable to firms handling only FCI. 

For Maturity Level 2 (ML2) and beyond, if your organization manages more sensitive CUI, you may need an external assessment by a C3PAO. Next, submit your score to the DoD’s Supplier Performance Risk System (SPRS) after your self-assessment or C3PAO assessment. Address any identified gaps with a Plan of Action and Milestones (POA&M). C3PAO certifications remain valid for three years, but companies must reaffirm compliance annually. ML1 self-assessments are also required yearly.

7. How long does it take to achieve CMMC 2.0 compliance?

The journey to CMMC 2.0 compliance is unique for every business, taking anywhere from a few months to over a year. Your timeline depends on your current cybersecurity maturity and the CMMC level your contracts require. Organizations with mature, NIST-aligned programs will move faster, but for many, CMMC security compliance is a strategic undertaking that requires significant preparation. Early planning is essential.

8. How is CMMC 2.0 connected to cybersecurity? 

The CMMC 2.0 framework largely focuses on cybersecurity, with most rules emphasizing stringent security around digital materials during storage, transmission, and collaborative use. Furthermore, there are controls on physical security and organizational training. The CMMC 2.0 compliance framework is designed to enforce the security measures the DoD mandates for its contractors and subcontractors. 

9. The CMMC 2.0 timeline: When will CMMC 2.0 be implemented?

CMMC requirements already appear in active DoD solicitations, and contractors must meet the required level at contract award. The Final Rule establishes the governing requirements; organizations must maintain continuous compliance rather than prepare for a future phased rollout.

10. What are the consequences of not complying with CMMC 2.0? 

Failing to comply with CMMC 2.0 can lead to severe consequences for DoD contractors. These include lost contracts, legal exposure, and reputational damage. Moreover, legal risks under the False Claims Act could arise if compliance is misrepresented. Company executives must attest to the accuracy of reported SPRS scores, making both the organization and the individuals liable to prosecution by the Department of Justice for any misstatements. Non-compliance can also tarnish a company’s reputation, jeopardizing potential future contracts. 

11. Is GCC High required for CMMC 2.0? What is GCC High? 

GCC High is a Microsoft cloud service tier tailored to meet robust security and compliance standards for handling sensitive government information, including CUI and ITAR data. Although CMMC does not specifically mandate GCC High, numerous contractors dealing with sensitive CUI utilize it to satisfy security criteria for cloud services. 

However, organizations relying on External Service Providers (ESPs), such as Cloud Service Providers (CSPs) or Managed Service Providers (MSPs), must ensure that these providers hold the proper CMMC and/or FedRAMP accreditations to assist in fulfilling CMMC practices. Companies should meticulously assess their cloud and service vendors to confirm alignment with CMMC compliance standards. 

12. How many controls are included in CMMC 2.0? 

For Maturity Level 2, there are 110 practices that organizations must meet to continue engaging in DoD contracts. These controls are organized across 14 domains, each addressing a distinct area of cybersecurity:

  • Access Control 
  • Audit and Accountability 
  • Awareness and Training
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

Together, these domains cover the full scope of the CMMC 2.0 standards for protecting CUI, from how users access systems and data to how organizations detect and respond to security incidents.

13. Is CMMC 2.0 complete? 

Yes. Both rules required to make CMMC 2.0 fully enforceable have been finalized and are now in effect. The first rule, 32 CFR Part 170, was published in October 2024 and took effect on December 16, 2024, formally codifying the CMMC program structure and its three certification levels.

The second rule, 48 CFR (the DFARS rule), was published in the Federal Register on September 10, 2025 and became effective on November 10, 2025, incorporating CMMC requirements into DoD contract solicitations.

With both rules enacted, CMMC enforcement is now active: applicable DoD solicitations and contracts now include the relevant CMMC level requirement, and organizations must demonstrate compliance at contract award.

14. Is CMMC mandatory? 

The short answer is yes. CMMC is now officially enforced under the Final Rule. With CMMC 2.0’s introduction, DIB organizations will now face stricter compliance measures through mandated third-party assessments by C3PAOs. Any entity handling Controlled Unclassified Information (CUI) must submit its assessment to the DoD and obtain certification for three years to secure or pursue DoD contracts. Given the similarities between DFARS 7012 and DFARS 7021, many companies should already be positioned to meet CMMC. 

15. How do CMMC and NIST SP 800-171 differ? 

CMMC expands on NIST SP 800-171, which is a security framework crafted by NIST that specifies 110 controls geared towards safeguarding Controlled Unclassified Information (CUI). Prior to DFARS 7012, companies were expected to self-evaluate and attest to their compliance with these controls; however, this method proved insufficient. CMMC Maturity Level 2 (ML2) aligns its standards with these 110 NIST controls but now mandates that most businesses undergo a third-party evaluation conducted by a CMMC Third Party Assessment Organization (C3PAO) to confirm that these controls are effectively implemented and maintained before accreditation is granted. 

CMMC 2.0 Is Now Active, Demanding DIB Business Compliance 

With CMMC 2.0 now finalized and enforced under the Final Rule, adherence is compulsory whenever an active DoD solicitation requires it. The compliance process can be intricate and may take months, which is why companies should begin preparations without delay.

Given active enforcement, if your organization is unsure whether it meets the evidence, documentation, and cloud requirements enforced under the Final Rule, now is the time to reassess your posture. Explore tools that help contractors align NIST SP 800-171 controls, streamline self-assessments, and prepare for Level 1 or Level 2 obligations.

Businesses don’t have to tackle this challenge alone. Exostar’s CMMC Ready Suite™ offers software and services designed to support CMMC compliance, helping organizations prepare for assessments and validate readiness. To learn more about the CMMC Ready Suite™ and its offerings, visit our webpage and schedule a conversation with one of our representatives.

What You Need to Do

To comply with the Final Rule, organizations should take the following steps:

  • Identify whether you handle FCI or CUI, and confirm the CMMC level required for your upcoming solicitations.
  • Map all 110 NIST SP 800-171 controls to your System Security Plan (SSP) and verify that your SPRS score is accurate and supported by evidence.
  • Determine whether your Level 2 requirement calls for a self-assessment or a C3PAO assessment.
  • Address any POA&M items tied to critical controls and verify that external service providers meet FedRAMP Moderate (or equivalent) requirements.
  • Ensure all documentation is audit-ready before contract submission.

Not sure which level applies to you? Take the CMMC Levels Quiz to determine your assessment path and readiness.

For organizations that need a streamlined path to compliance, Exostar’s CMMC Ready Suite provides a fully managed solution covering all 110 NIST SP 800-171 controls, from secure infrastructure to automated documentation and assessment support. And if your team needs a secure, compliant environment for collaboration and CUI handling, Exostar Managed Microsoft 365 delivers a Microsoft Teams workspace built for CMMC requirements.