CMMC Compliance for Defense Contractors: Phase 1 Is Live

CMMC Phase 1 started November 10, 2025. Phase 2 begins November 2026, when third-party C3PAO certification becomes mandatory for CUI contracts. This page covers what CMMC requires, how it maps to NIST 800-171, and why FedRAMP High authorization matters for your CMMC compliance posture.

CMMC 2.0: What Changed and Why It Matters Now

The Cybersecurity Maturity Model Certification (CMMC) program was created by the Department of Defense to verify that defense contractors actually implement the cybersecurity controls they've been claiming under DFARS 252.204-7012 since 2017. Years of self-attestation produced inconsistent results — contractors would score themselves at 110/110 on NIST 800-171 while running critical CUI workflows on unpatched consumer software.

CMMC 2.0, the current version of the program, simplified the original five-level model into three levels:

Level 1
  Based on: FAR 52.204-21 (Basic Safeguarding)
  Controls: 17 practices
  Assessment type: Annual self-assessment
  Who needs it: Contractors handling FCI (Federal Contract Information) only

Level 2
  Based on: NIST SP 800-171 Rev. 2
  Controls: 110 controls across 14 families
  Assessment type: Self-assessment or C3PAO third-party assessment
  Who needs it: Contractors handling CUI

Level 3
  Based on: NIST SP 800-172 (enhanced controls)
  Controls: 110 + additional enhanced controls
  Assessment type: Government-led assessment (DIBCAC)
  Who needs it: Contractors on highest-priority programs

The critical change from CMMC 1.0 to 2.0: The number of levels dropped from five to three, the framework aligned directly to existing NIST standards (eliminating proprietary CMMC-specific practices), and Plans of Action & Milestones (POA&Ms) are now allowed under specific conditions — contractors are no longer required to be 100% compliant at the time of assessment.

POA&Ms under CMMC 2.0 are not a loophole — the rules are narrow enough to prevent that — but they are creating a false sense of security across the DIB. To qualify for a POA&M at Level 2, an organization must score at least 80% on the assessment (88 out of 110 points), and only single-point deficiencies can be deferred. Of the 110 controls, 63 are explicitly ineligible for POA&M treatment — including your SSP, all physical protection controls tied to CUI, and foundational access controls like external connections and public information handling. Every deferred item must be closed within 180 days, verified by a C3PAO closeout assessment, with no second attempt allowed. The problem is not that the rules are weak. The problem is that contractors hear "POA&Ms are allowed" and assume they can paper over fundamental gaps. They cannot. A contractor who reaches assessment day without 88 points of implemented controls does not get a POA&M — they get a failure. C3PAOs have no discretion here; the scoring methodology is deterministic. The contractors treating POA&Ms as a safety net are the same ones who will miss the Phase 2 window entirely.
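The three POA&M conditions stated above (a score of at least 88 of 110, only single-point deficiencies deferred, and a list of controls that can never be deferred) interact in ways that a single score hides. The following added example, which is not from this page or from GovSignals, encodes them as an eligibility check; the control labels, point weights and ineligibility flags are constructed sample data, and the 1/3/5 weighting is the DoD NIST 800-171 assessment methodology's scheme, not a table the page supplies.

```python
# Added example: POA&M eligibility check under the CMMC Level 2 rules quoted
# on this page. Control labels ("sample-..."), their weights and their
# poam_ineligible flags are CONSTRUCTED for illustration, not the official
# DoD assessment methodology table.
from dataclasses import dataclass

MAX_SCORE = 110           # page: 110 NIST 800-171 Rev. 2 controls
POAM_MIN_SCORE = 88       # page: at least 88 of 110 points (80%) to qualify
POAM_CLOSEOUT_DAYS = 180  # page: every deferred item closed within 180 days


@dataclass(frozen=True)
class Finding:
    """One unimplemented control found during the assessment."""
    control: str                   # constructed label, not a real 3.x.y id
    weight: int                    # DoD methodology weights are 1, 3 or 5
    poam_ineligible: bool = False  # e.g. SSP, physical protection, external connections


def sprs_score(findings):
    """Score starts at 110 and loses each unimplemented control's weight."""
    return MAX_SCORE - sum(f.weight for f in findings)


def poam_decision(findings):
    """Return (eligible, reasons). All three page-stated conditions must hold:
    score >= 88, every deferred deficiency is worth 1 point, and no finding is
    on the never-deferrable list. An empty reasons list means eligible."""
    reasons = []
    score = sprs_score(findings)
    if score < POAM_MIN_SCORE:
        reasons.append(f"score {score} is below {POAM_MIN_SCORE}: assessment fails outright")
    multi = [f.control for f in findings if f.weight > 1]
    if multi:
        reasons.append("only single-point deficiencies may be deferred: " + ", ".join(multi))
    blocked = [f.control for f in findings if f.poam_ineligible]
    if blocked:
        reasons.append("controls ineligible for POA&M treatment: " + ", ".join(blocked))
    return (not reasons, reasons)


# Constructed scenarios. Note that SCENARIO_WEIGHTED scores higher than 88 yet
# still cannot use a POA&M, because its gaps are not single-point.
SCENARIO_CLEAN = [Finding("sample-AT-1", 1), Finding("sample-MA-2", 1), Finding("sample-PS-1", 1)]
SCENARIO_WEIGHTED = [Finding("sample-IA-1", 5), Finding("sample-AC-3", 3), Finding("sample-MP-2", 1)]
SCENARIO_FAIL = (
    [Finding(f"sample-CM-{i}", 1) for i in range(8)]
    + [Finding("sample-SC-1", 5), Finding("sample-SC-2", 5),
       Finding("sample-AC-1", 5, poam_ineligible=True)]
)

if __name__ == "__main__":
    for name, scenario in [("clean", SCENARIO_CLEAN), ("weighted", SCENARIO_WEIGHTED),
                           ("fail", SCENARIO_FAIL)]:
        eligible, reasons = poam_decision(scenario)
        print(f"{name}: score={sprs_score(scenario)} poam_eligible={eligible}")
        for r in reasons:
            print("  -", r)
```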


CMMC Phase 1: What's Required Right Now (March 2026)

Phase 1 of CMMC enforcement began on November 10, 2025 and runs through November 9, 2026. The DoD estimates that approximately 65% of the Defense Industrial Base is affected.

What Phase 1 Requires

During Phase 1, the DoD is including CMMC requirements in new contracts and solicitations on a rolling basis. The primary requirement is self-assessment:

  • Level 1 contractors: Complete a self-assessment against the 17 basic safeguarding requirements in FAR 52.204-21 and enter scores into the Supplier Performance Risk System (SPRS).
  • Level 2 contractors (self-assessment): Complete a self-assessment against all 110 NIST 800-171 Rev. 2 controls and enter scores into SPRS.
  • Level 2 contractors (C3PAO): Some contracts are already requiring third-party certification, even during Phase 1.

What's Coming in Phase 2

Beginning November 10, 2026, third-party C3PAO certification becomes mandatory for contracts involving CUI that require Level 2. This means:

  • Organizations that cannot demonstrate CMMC Level 2 readiness will be ineligible to bid on affected contracts
  • C3PAO assessment backlogs are already running 6-12 months, with costs estimated at $75K-$150K
  • Major primes (Lockheed Martin, Boeing, Northrop Grumman, Raytheon) have already issued supply chain directives making CMMC compliance a condition of continued partnership

The Timeline That Matters

  • November 10, 2025: Phase 1 begins. CMMC requirements appear in new contracts.
  • Throughout 2026: Increasing number of contracts include CMMC Level 2 requirements.
  • October 31, 2026: CMMC compliance required for all new DoD contract awards.
  • November 10, 2026: Phase 2 begins. Mandatory C3PAO certification for CUI contracts.
  • November 10, 2027: Phase 3 begins. CMMC requirements flow to all option periods on existing contracts.
  • November 10, 2028: Phase 4. Full implementation across all DoD contracts.

Here is the math that should concern every defense contractor who has not started the certification process. The DoD estimates approximately 80,000 companies in the Defense Industrial Base will need CMMC Level 2 certification. As of February 2026, roughly 1,000 organizations have voluntarily obtained or are actively undergoing third-party CMMC certification — approximately 1.25% of the companies that need it. The Cyber AB has authorized 92 C3PAOs as of December 2025, with another 28 at various stages of approval. Each Level 2 assessment requires roughly 200 hours of C3PAO time.

Run the numbers on a mid-market defense subcontractor — a 200-person engineering firm with three active DoD contracts involving CUI. They completed their NIST 800-171 self-assessment in 2024, scored a 78, and planned to "get to it" before Phase 2. It is now March 2026. They contact a C3PAO and learn the earliest available assessment slot is Q1 2027 — four months after Phase 2 makes certification mandatory. Their prime has already sent a letter requiring CMMC Level 2 documentation by September 2026. They now face a choice: remediate 32 control gaps, engage a Registered Practitioner Organization for readiness assessment, and hope a cancellation opens a C3PAO slot — or lose their subcontract position. A March 2026 GAO report flagged this exact scenario, identifying "CMMC ecosystem capacity" and "program demand" as external risk factors that could undermine the entire rollout. The GAO also warned that program costs may drive small businesses out of the defense industrial base entirely. The contractors who started 18 months ago are getting certified. The ones starting now are competing for scraps of C3PAO availability.


How CMMC Maps to NIST 800-171

CMMC Level 2 is a direct mapping to the 110 security requirements in NIST SP 800-171 Rev. 2. These requirements are organized into 14 control families:

  1. Access Control (AC), 22 requirements: who can access CUI, under what conditions, and with what restrictions
  2. Awareness and Training (AT), 3 requirements: security training for personnel handling CUI
  3. Audit and Accountability (AU), 9 requirements: logging, monitoring, and retention of security events
  4. Configuration Management (CM), 9 requirements: baseline configurations, change management, least functionality
  5. Identification and Authentication (IA), 11 requirements: user identity verification, multifactor authentication
  6. Incident Response (IR), 3 requirements: detection, reporting, and response to security incidents
  7. Maintenance (MA), 6 requirements: system maintenance controls and oversight
  8. Media Protection (MP), 9 requirements: protecting CUI on digital and physical media
  9. Personnel Security (PS), 2 requirements: screening and termination procedures
  10. Physical Protection (PE), 6 requirements: physical access controls and monitoring
  11. Risk Assessment (RA), 3 requirements: vulnerability scanning and risk analysis
  12. Security Assessment (CA), 4 requirements: internal assessments and system connections
  13. System and Communications Protection (SC), 16 requirements: boundary protection, encryption, network segmentation
  14. System and Information Integrity (SI), 7 requirements: flaw remediation, monitoring, malicious code protection

The practical implication: If your organization already has a documented NIST 800-171 SSP (System Security Plan) with a current SPRS score, you have the foundation for CMMC Level 2. CMMC adds the verification mechanism — either self-assessment with senior official affirmation or third-party C3PAO assessment — on top of what NIST 800-171 already requires.

NIST 800-171 Rev. 3: The Incoming Complication

NIST published SP 800-171 Rev. 3 in May 2024, which restructures the control families and aligns more closely with NIST 800-53 Rev. 5. However, CMMC Level 2 currently maps to Rev. 2, not Rev. 3. The DoD has not yet announced when CMMC will transition to Rev. 3.

This creates a compliance planning challenge: contractors need to meet Rev. 2 for CMMC today while preparing for an eventual Rev. 3 transition. Platforms that already exceed 800-171 requirements — such as those with FedRAMP High authorization based on the full 800-53 Rev. 5 framework — provide a buffer against this transition.

As of March 2026, DoD has not announced a Rev. 3 transition timeline for CMMC. Class Deviation 2024-O0013 remains in effect with no expiration date, explicitly locking DFARS 252.204-7012 compliance to Rev. 2 regardless of which NIST version is current. CMMC Level 2 assessments — including Phase 2, which begins November 2026 — use Rev. 2. DoD did publish Organization-Defined Parameters for Rev. 3 in April 2025, signaling preparation for an eventual transition, but no proposed rule or effective date has been issued. Contractors should build to Rev. 2 for certification and track Rev. 3 ODP guidance for future-proofing.


The Connection Between CMMC and FedRAMP

Here's where most CMMC guides stop: they tell you what CMMC requires but don't address the security posture of the tools you use to manage CUI.

CMMC compliance isn't just about your internal network and policies. It extends to every system that processes, stores, or transmits CUI — including your acquisition intelligence platform, proposal management tools, and contract analytics software.

Why FedRAMP Authorization Matters for CMMC

Under NIST 800-171, requirement 3.13.14 states: "Control the remote access and mobile devices connecting to organizational systems." This applies to cloud services handling CUI. The DoD's position is clear: cloud services processing CUI should be FedRAMP authorized.

FedRAMP Moderate satisfies the baseline cloud security requirements for most CUI handling. But consider:

  • FedRAMP Moderate covers ~287 controls from NIST 800-53. FedRAMP High covers ~370.
  • The gap between Moderate and High includes enhanced access control, stricter audit requirements, advanced incident response, and supply chain risk management.
  • For contractors on DoD programs where CUI intersects with national security concerns, the additional controls in FedRAMP High provide measurable risk reduction.
  • CMMC Level 3 (for the most sensitive programs) requires enhanced security measures from NIST 800-172 that align more closely with FedRAMP High than Moderate controls.

How GovSignals Supports CMMC Compliance

GovSignals holds FedRAMP High authorization — the most stringent level — plus IL5 authorization for DoD environments. For contractors working toward CMMC compliance, this means:

  1. Your acquisition intelligence runs in a FedRAMP High environment. Proposal data, contract analysis, compliance workflows, and CUI all operate within infrastructure that exceeds CMMC's underlying NIST 800-171 requirements.

  2. You can document inherited controls. During your CMMC assessment (self or C3PAO), controls related to cloud service security can reference GovSignals' FedRAMP High authorization rather than requiring you to implement equivalent protections independently.

  3. Your SSP is stronger. A System Security Plan that references FedRAMP High authorized tools demonstrates to assessors that your CUI handling meets a higher standard than the minimum required.

  4. You're prepared for Level 3. If your programs escalate to CMMC Level 3, the enhanced controls from NIST 800-172 are better supported by FedRAMP High than Moderate-authorized alternatives.

When you use a FedRAMP High authorized SaaS platform like GovSignals, the shared responsibility model works directly in your favor during CMMC assessment. FedRAMP High covers 421 security controls from NIST 800-53 Rev. 5 — a framework that fully encompasses all 110 NIST 800-171 requirements, since 800-171 is derived from 800-53. As a SaaS customer, you receive the highest inheritance rate of any service model. GovSignals provides a Customer Responsibility Matrix (CRM) in Appendix J of the System Security Plan, a Control Implementation Summary (CIS) documenting how each control is implemented and by whom, third-party penetration test results, and continuous monitoring reports including monthly vulnerability scans and POA&M updates. For your CMMC assessment, this means entire control families — Physical Protection, Maintenance, Media Protection — are fully inherited. Shared controls across Access Control, Audit and Accountability, Identification and Authentication, and System and Communications Protection are partially satisfied through the platform's FIPS-validated encryption, IAM services, and logging infrastructure. Your assessor sees a documented, independently verified security posture rather than a promise.


CMMC Compliance Checklist: Where to Start

If you're a defense contractor working toward CMMC Level 2 compliance, here's the practical sequence:

1. Determine your required CMMC level. Check your current and pipeline contracts for DFARS 252.204-7012 clauses and CMMC requirements language. If you handle CUI, you need at least Level 2.

2. Complete your NIST 800-171 self-assessment. Score your current implementation against all 110 controls. Enter your score into SPRS. Be honest — inflated self-assessments under CMMC carry legal risk under the False Claims Act.

3. Develop your SSP and POA&M. Document your current controls, identify gaps, and create a remediation plan with realistic timelines.

4. Evaluate your tool stack. Every platform that touches CUI needs to meet DFARS 252.204-7012 requirements. Cloud services should be FedRAMP authorized. Platforms handling sensitive defense acquisition data should be FedRAMP High authorized.

5. Engage a C3PAO (if required). Given current backlogs of 6-12 months, schedule your assessment early. The CMMC Accreditation Body (Cyber AB) maintains the list of authorized C3PAOs.

6. Prepare for ongoing compliance. CMMC requires annual affirmation from a senior company official. This isn't a one-time certification — it's a continuous obligation.

The numbers paint a stark picture of where the Defense Industrial Base actually stands. The CyberSheath State of the DIB Report 2025 found that only 1% of defense contractors report full readiness for CMMC — down from 4% the prior year and 8% in 2023, a decline that reflects growing awareness of what compliance actually requires rather than declining security. A joint Kiteworks and Coalfire study of 209 DIB organizations found that only 41% have completed a gap analysis against NIST 800-171 — the foundational first step. Meanwhile, roughly 1,000 organizations have obtained or are pursuing C3PAO certification out of an estimated 80,000 that need it. That is 1.25%. With 92 authorized C3PAOs and Phase 2 eight months away, the math does not resolve in time. Organizations that have not started CMMC preparation are not late — they are at risk of being locked out of the defense market entirely.


Frequently Asked Questions

What is CMMC 2.0 and how is it different from CMMC 1.0?

CMMC 2.0 simplified the original five-level model to three levels, aligned directly to existing NIST standards (800-171 for Level 2, 800-172 for Level 3), and introduced limited allowance for Plans of Action & Milestones (POA&Ms). The changes reduced the compliance burden for smaller contractors while maintaining rigorous requirements for organizations handling CUI.

When does CMMC Phase 1 end and Phase 2 begin?

Phase 1 runs from November 10, 2025 through November 9, 2026, focusing on self-assessment requirements in new contracts. Phase 2 begins November 10, 2026, when mandatory third-party C3PAO certification becomes required for contracts involving CUI at Level 2.

What are the CMMC Level 2 requirements?

CMMC Level 2 requires implementation of all 110 security requirements from NIST SP 800-171 Rev. 2, organized across 14 control families. Assessment is either through self-assessment with senior official affirmation or third-party C3PAO assessment, depending on the sensitivity of the CUI involved.

How much does CMMC compliance cost?

Costs vary significantly by organization size and current security posture. Self-assessment costs are primarily internal labor. C3PAO third-party assessments are estimated at $75K-$150K, with potential increases as demand grows and C3PAO capacity remains limited. Implementation costs for remediation of control gaps can range from $50K for small contractors to $500K+ for larger organizations.

Do I need CMMC if I only handle FCI, not CUI?

If you only handle Federal Contract Information (FCI) and no CUI, you need CMMC Level 1, which requires self-assessment against 17 basic safeguarding practices from FAR 52.204-21. Level 1 does not require third-party assessment.

How does FedRAMP relate to CMMC compliance?

FedRAMP and CMMC address different aspects of the same problem. CMMC certifies your organization's cybersecurity posture; FedRAMP authorizes the cloud platforms you use. Both are rooted in NIST standards. Using FedRAMP authorized tools strengthens your CMMC compliance posture by ensuring your CUI handling tools meet or exceed the underlying NIST 800-171 requirements. GovSignals is the only FedRAMP High authorized AI platform for government contracting.

What happens if I'm not CMMC compliant by Phase 2?

Beginning November 10, 2026, organizations that haven't completed a C3PAO assessment will be ineligible for contracts requiring CMMC Level 2 C3PAO certification. Additionally, major defense primes are already requiring CMMC compliance from their supply chains as a condition of partnership, meaning non-compliance affects not just prime contract eligibility but subcontract opportunities as well.

Can I use a POA&M to pass my CMMC assessment?

Under CMMC 2.0, limited use of POA&Ms is allowed. However, POA&Ms must be closed within 180 days of the assessment, and certain critical controls cannot be placed on a POA&M. The specifics of which controls qualify for POA&M treatment are defined in the CMMC assessment guidance. Assessors expect to see a credible remediation plan, not a list of unfunded intentions.


Take Action Before Phase 2

The CMMC compliance window is closing. Phase 2 enforcement begins November 2026, C3PAO backlogs are already 6-12 months, and primes are issuing supply chain compliance mandates now. If your acquisition intelligence platform isn't running on FedRAMP authorized infrastructure, that's a gap in your CMMC posture.

GovSignals is the only FedRAMP High authorized AI platform for government contracting, with IL5 authorization for DoD environments. See how we support defense contractor compliance.
