The Cybersecurity Maturity Model Certification (CMMC) 2.0 is now a contractual requirement for Department of Defense contractors who handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). If you are pursuing DoD contracts in 2025, understanding CMMC compliance is no longer optional — it is a prerequisite for contract eligibility. This guide explains what CMMC 2.0 requires, how the three levels differ, and what you need to do to get compliant.
CMMC (Cybersecurity Maturity Model Certification) was created by the Department of Defense in response to a dramatic increase in cyberattacks targeting the Defense Industrial Base (DIB) — the network of private companies that supply goods and services to the DoD. Foreign adversaries, particularly China and Russia, have systematically targeted DoD contractors to steal sensitive technical data, weapons designs, and military logistics information.
The original CMMC 1.0 framework, released in 2020, required third-party certification for all five maturity levels. CMMC 2.0, released in November 2021 and fully implemented in 2024, streamlined the framework to three levels and introduced self-assessment options for lower-level requirements. The core goal remains the same: ensure that every company in the DoD supply chain has adequate cybersecurity practices to protect sensitive government information.
Level 1 — Foundational: Applies to contractors who handle Federal Contract Information (FCI) — information provided by or generated for the government under a contract, but not intended for public release. Level 1 requires compliance with 17 basic cybersecurity practices from FAR 52.204-21. Self-assessment is allowed — you do not need a third-party assessor. Level 1 applies to the vast majority of small DoD contractors.
Level 2 — Advanced: Applies to contractors who handle Controlled Unclassified Information (CUI) — information that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy. Level 2 requires compliance with all 110 security requirements in NIST SP 800-171. For most Level 2 contractors, a third-party assessment by a C3PAO (CMMC Third-Party Assessment Organization) is required every three years. Some Level 2 contracts may allow annual self-assessments.
Level 3 — Expert: Applies to contractors working on the DoD's highest priority programs, handling the most sensitive CUI. Level 3 requires compliance with NIST SP 800-172 requirements in addition to all Level 2 requirements. Government-led assessments are required. Level 3 applies to a small subset of prime contractors and subcontractors working on critical national security programs.
Controlled Unclassified Information (CUI) is one of the most misunderstood concepts in CMMC compliance. Many contractors assume they don't handle CUI because they don't work with classified information — but CUI is not classified. It is sensitive but unclassified information that requires protection under federal law, regulation, or policy.
Common types of CUI in the defense contracting context include technical data and engineering drawings, export-controlled information (ITAR/EAR), privacy information (personally identifiable information about DoD personnel), procurement and acquisition information, and controlled technical information related to weapons systems.
If your DoD contract includes a DFARS 252.204-7012 clause (Safeguarding Covered Defense Information and Cyber Incident Reporting), you are handling CUI and are subject to NIST SP 800-171 requirements — which means you need at minimum CMMC Level 2 compliance.
Level 1 compliance requires implementing 17 basic cybersecurity practices drawn from FAR 52.204-21. These practices are organized into six domains:
Access Control (2 practices): Limit system access to authorized users and limit the types of transactions and functions that authorized users are permitted to execute.
Identification and Authentication (2 practices): Identify information system users and authenticate their identities before allowing access. Enforce minimum password complexity and change requirements.
Media Protection (2 practices): Sanitize or destroy information system media before disposal or reuse. Protect and control portable storage devices containing Federal Contract Information.
Physical Protection (2 practices): Limit physical access to organizational information systems to authorized individuals. Escort visitors and monitor visitor activity.
System and Communications Protection (2 practices): Monitor, control, and protect organizational communications at external boundaries and key internal boundaries. Implement subnetworks for publicly accessible system components.
System and Information Integrity (7 practices): Identify, report, and correct information and information system flaws in a timely manner. Provide protection from malicious code. Update malicious code protection mechanisms. Perform periodic scans of the information system and real-time scans of files from external sources. Provide security alerts and advisories. Monitor the information system to identify attacks and indicators of potential attacks.
If your DoD contracts require Level 2 compliance, preparation for a C3PAO assessment is a significant undertaking. Here is the process most contractors follow:
Step 1: Conduct a Gap Assessment. Compare your current cybersecurity practices against all 110 NIST SP 800-171 requirements. Document which requirements you meet, which you partially meet, and which you do not meet. This gap assessment becomes the foundation of your System Security Plan (SSP).
Step 2: Develop a System Security Plan (SSP). The SSP is a comprehensive document that describes your information system, the security requirements applicable to it, and how those requirements are implemented. Every Level 2 contractor must have a current SSP.
Step 3: Develop a Plan of Action and Milestones (POA&M). For any requirements you do not yet meet, document your plan to achieve compliance, including specific milestones and target completion dates.
Step 4: Implement Missing Controls. Work through your POA&M to implement the security controls you are missing. This often requires technology investments (multi-factor authentication, endpoint detection and response, encrypted email), process changes, and employee training.
Step 5: Engage a C3PAO. Once you believe you are compliant, engage a CMMC Third-Party Assessment Organization to conduct your formal assessment. The assessment typically takes 1–3 weeks and results in a CMMC Level 2 certification valid for three years.
CMMC requirements are included in DoD solicitations through specific DFARS clauses. When reviewing a DoD solicitation, look for the following:
DFARS 252.204-7021 (Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement): This clause specifies the required CMMC level for the contract and requires the contractor to maintain that certification throughout the contract period.
DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting): This clause requires contractors to implement NIST SP 800-171 security requirements and report cyber incidents to the DoD within 72 hours.
If a solicitation includes DFARS 252.204-7021 and requires Level 2 certification, you must have a current C3PAO assessment on file in SPRS (Supplier Performance Risk System) before you can be awarded the contract. Submitting a proposal without the required certification level will result in disqualification.
BidWriteBuddy helps defense contractors navigate CMMC compliance requirements and write winning proposals for DoD solicitations. Book a free strategy call to discuss your situation.