The Cybersecurity Maturity Model Certification (CMMC) 2.0 is no longer optional: the program rule in 32 CFR Part 170 makes it a contract gate for DoD contractors, phased in through DoD solicitations. If your organization handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), CMMC applies to you, your primes, and your subcontractors. We help you get certified.
CMMC 2.0 collapsed the original five-level model into three levels. Each level specifies a set of security requirements, an assessment type (annual self-assessment, third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO), or government assessment by DIBCAC), and the kind of information it protects. The level you need is written into the solicitation, and it depends on whether you handle only FCI or also CUI, and on how sensitive that CUI is.
CMMC requirements flow down from prime contractors to all subcontractors in the Defense Industrial Base. If your organization processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of any DoD engagement, you're subject to CMMC obligations. The level depends on what information you handle and what your contract specifies.
Organizations holding direct contracts with the DoD. A prime contract carries the CMMC level specified in the solicitation. A prime handling CUI will normally need Level 2; Level 3 applies only to the most sensitive programs and requires a final Level 2 certification first, followed by a DIBCAC assessment against the additional requirements drawn from NIST SP 800-172. The prime is also responsible for flowing the appropriate level down to every subcontractor that will receive FCI or CUI on the program.
CMMC requirements do not stop at the prime. DFARS clauses flow security obligations down the supply chain. A subcontractor handling CUI on a DoD program, even indirectly, must meet the CMMC level specified in the subcontract. The flowed-down level can be lower than the prime's: a sub that receives only FCI needs Level 1, while a sub that processes, stores, or transmits CUI needs Level 2. Many SMBs discover they have obligations only when their prime asks for evidence.
FCI is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service; it excludes information the government has made public and simple transactional information such as invoices. Organizations that handle FCI without handling CUI need CMMC Level 1: an annual self-assessment against the 15 basic safeguarding requirements of FAR 52.204-21, entered in SPRS with an affirmation by a senior company official. FCI requirements are the baseline, and many organizations underestimate how broadly FCI flows.
CUI is information the government creates or possesses, or that an entity creates or possesses on the government's behalf, that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. DoD contracts that involve CUI almost universally require CMMC Level 2, which is assessed against the 110 requirements of NIST SP 800-171 Rev 2. If your organization produces, processes, or stores CUI on behalf of a DoD customer, Level 2 is your target; whether it is a self-assessment or a C3PAO certification is set by the solicitation, and most CUI contracts call for the C3PAO certification.
CMMC Level 2 is NIST SP 800-171: the 110 security requirements in SP 800-171 Rev 2 are exactly what a C3PAO assesses, using the assessment objectives in NIST SP 800-171A. Organizations that already maintain an SP 800-171 System Security Plan are substantially closer to Level 2 than they realize. A NIST CSF program is a useful but weaker head start, because CSF is a risk-management framework rather than a control catalogue; it tells you what outcomes you need, not which artifacts an assessor will ask for. The table below maps the NIST CSF 2.0 functions to the 14 CMMC Level 2 domains, which are the SP 800-171 requirement families. The mapping is approximate and is meant for planning, not as assessment evidence.
| NIST CSF 2.0 Function | Scope | CMMC Level 2 Domains (SP 800-171 families) |
|---|---|---|
| GV — Govern | Organizational context, risk strategy, roles and policy, supply chain | Risk Assessment (RA), Security Assessment (CA), Personnel Security (PS) |
| ID — Identify | Asset management, risk assessment, improvement planning | Configuration Management (CM) for system inventory and baselines, Risk Assessment (RA) |
| PR — Protect | Identity and access, awareness, data security, platform security | Access Control (AC), Identification & Authentication (IA), Awareness & Training (AT), Media Protection (MP), Physical Protection (PE), Maintenance (MA), System & Communications Protection (SC) |
| DE — Detect | Continuous monitoring, adverse event analysis | Audit & Accountability (AU), System & Information Integrity (SI) |
| RS — Respond | Incident management, analysis, mitigation, reporting | Incident Response (IR) |
| RC — Recover | Recovery execution and communication | Incident Response (IR): recovery is part of the 3.6.1 incident-handling capability. SP 800-171 has no contingency-planning family; backup evidence sits mainly under MP (3.8.9, protecting backup CUI). |
What this means for you: If you've already built NIST CSF policies or have a NIST SP 800-171 System Security Plan (SSP), your CMMC Level 2 foundation is largely in place. One caveat: policies alone are not implementation evidence. An assessor scores each SP 800-171A assessment objective against artifacts, interviews, and tests, so a CSF policy set still has to be backed by configurations, logs, and records. A NIST-to-CMMC gap assessment identifies which 800-171 requirements your existing documentation satisfies and which still need implementation evidence, saving weeks of redundant documentation work before your C3PAO assessment. See the NIST Policy Package →
CMMC engagement follows a structured sequence. We start by determining your required level and current posture, then close gaps toward your assessment. Whether you need a Level 1 self-assessment, a Level 2 self-assessment, or Level 2 C3PAO preparation, the path is clear and time-bound.
Determine your required CMMC level based on your current DoD contracts and the type of information you handle (FCI vs. CUI). Scope your assessment boundary: which systems, people, and facilities are in scope. The CMMC Level 2 Scoping Guide sorts assets into five categories (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets), and each category carries different documentation and assessment obligations. The scoping decision is the most consequential in CMMC: over-scoping means wasted effort on systems that never touch CUI, while under-scoping means the assessor pulls in assets you have no evidence for, and those become findings.
For Level 1: review the 15 FAR 52.204-21 basic safeguarding requirements (counted as 17 practices in early CMMC 2.0 model documents) against your current controls. For Level 2: a systematic assessment against all 110 NIST SP 800-171 requirements and their 320 SP 800-171A assessment objectives. Each requirement is marked Implemented, Partial, Not Implemented, or Not Applicable with evidence citations. Keep in mind that the official result set is only MET, NOT MET, and NOT APPLICABLE: a Partial becomes NOT MET at assessment time, except for the two requirements (3.5.3 multifactor authentication and 3.13.11 FIPS-validated encryption) that the DoD Assessment Methodology gives partial credit. You receive a prioritized gap register with remediation effort estimates, so there is no ambiguity about what needs to be done before assessment.
Develop or update your System Security Plan (SSP) documenting all in-scope controls; without an SSP a Level 2 assessment cannot proceed. Create Plans of Action & Milestones (POA&Ms) for any gaps that can't be closed before assessment. POA&Ms are not permitted at Level 1; at Level 2 they are permitted only within the conditional-status thresholds in 32 CFR 170.21: an assessment score of at least 88 out of 110, only 1-point requirements deferred (3.13.11 may be deferred if partially implemented), none of the Level 1 requirements (3.1.20, 3.1.22, 3.10.3, 3.10.4, 3.10.5) on the POA&M, and closure verified within 180 days. Execute technical remediation: access controls, media protection, logging configuration, incident response procedures, and policy documentation. For organizations with existing NIST policies, this phase is substantially faster.
Prepare for your C3PAO assessment (Level 2) or self-assessment (Level 1 or Level 2 when the solicitation allows it). For Level 1: complete the self-assessment, enter it in SPRS, and have a senior company official affirm it; the self-assessment and affirmation are repeated annually. For Level 2 C3PAO: conduct a pre-assessment simulation to identify any remaining gaps before the official assessment; the certification is valid for three years, with an annual affirmation of continued compliance in SPRS. You receive a complete evidence package documenting every requirement, organized for assessor review, cyber insurance underwriters, and primes requesting your CMMC status.
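To make the gap-assessment scoring and the POA&M thresholds in the steps above concrete, here is an added example (not code from the original page and not an official CMMC or DoD tool) that scores a gap register the way the DoD Assessment Methodology does and then checks the conditional-certification rules from 32 CFR 170.21. The requirement IDs and point values shown are the real SP 800-171 Rev 2 values for that handful of requirements; the register contents are constructed for illustration, and the names Finding, sprs_score, and poam_eligible are the example's own.

```python
"""Score a CMMC Level 2 / NIST SP 800-171 gap register and check POA&M eligibility.

Added example, not part of the original page. Rules implemented:
  * start at 110 and subtract 5, 3 or 1 points per NOT MET requirement;
  * 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto) get partial credit,
    deducting 3 instead of 5 when only partially implemented;
  * conditional status needs a score of at least 88, only 1-point items on the
    POA&M (3.13.11 allowed if partially implemented), and none of the Level 1
    requirements 3.1.20, 3.1.22, 3.10.3, 3.10.4, 3.10.5 deferred.
The point table covers only the requirements used in the sample register; the
full table is Annex A of the DoD Assessment Methodology and should be copied
from there, not extended by guesswork.
"""
from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110
MIN_CONDITIONAL_SCORE = 88  # 80 percent of 110, rounded up

# Point values for the requirements used below (verify the full set against Annex A).
POINTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.1.22": 1, "3.3.1": 5,
    "3.5.3": 5, "3.10.3": 1, "3.10.4": 1, "3.10.5": 1, "3.13.11": 5,
}
# Requirements that deduct 3 instead of 5 when partially implemented.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
# Level 1 requirements that may never be deferred to a POA&M at Level 2.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Finding:
    """One gap-register row: requirement ID and status (met / partial / not_met / na)."""
    req: str
    status: str


def deduction(f: Finding) -> int:
    """Points lost for one finding. Met and N/A cost nothing; 'partial' only
    earns reduced deduction for the two partial-credit requirements, otherwise
    it is scored as NOT MET."""
    if f.status in ("met", "na"):
        return 0
    if f.status == "partial" and f.req in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[f.req]
    return POINTS[f.req]


def sprs_score(findings) -> int:
    """SPRS-style score: 110 minus all deductions. Requirements absent from the
    register are treated as met, as in a register that lists only gaps."""
    return TOTAL_REQUIREMENTS - sum(deduction(f) for f in findings)


def poam_eligible(findings):
    """Return (eligible, reasons): whether every open finding could sit on a
    POA&M so the assessment closes with conditional status."""
    reasons = []
    score = sprs_score(findings)
    if score < MIN_CONDITIONAL_SCORE:
        reasons.append(f"score {score} is below the {MIN_CONDITIONAL_SCORE} minimum")
    for f in findings:
        d = deduction(f)
        if d == 0:
            continue
        if f.req in NEVER_ON_POAM:
            reasons.append(f"{f.req} is a Level 1 requirement and cannot be deferred")
        elif d > 1 and not (f.req == "3.13.11" and f.status == "partial"):
            reasons.append(f"{f.req} is worth {d} points; only 1-point items may be deferred")
    return (not reasons, reasons)


# Constructed sample register: MFA and FIPS encryption are both partially done.
SAMPLE_REGISTER = [
    Finding("3.1.1", "met"),
    Finding("3.5.3", "partial"),    # MFA only on remote and privileged access
    Finding("3.13.11", "partial"),  # CUI encrypted, but modules not FIPS-validated
    Finding("3.1.20", "met"),
]

if __name__ == "__main__":
    ok, why = poam_eligible(SAMPLE_REGISTER)
    print("SPRS score:", sprs_score(SAMPLE_REGISTER))
    print("POA&M eligible:", ok, why)
```

On the sample register the score is 104, comfortably above 88, yet the organization is still not eligible for conditional status: a partially implemented 3.5.3 is a 3-point deduction, and only 1-point items may be deferred, so MFA has to be finished before the C3PAO arrives. That is exactly the kind of surprise a pre-assessment check is meant to surface, and the same logic doubles as a sanity check that a "Partial" in your register is not hiding a 5-point NOT MET.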
Start with a free security posture check. Understand your required level and current gaps before your next contract review.