CMMC 2.0 is the latest version of the DoD’s cybersecurity compliance standard. It’s essentially the framework that organizations should be using to secure sensitive information when working with the government, such as Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

CMMC 2.0 is important to contractors and subcontractors doing business with the federal government. Non-compliance could mean an inability to bid on DoD contracts, delayed payments, or penalties. Early adoption of CMMC 2.0 requirements puts organizations in pole position to win DoD contracts and build credibility with partners.

Understanding your required level is the first step to achieving CMMC 2.0 compliance. 

Levels align with the type of data you handle and your business relationships with the DoD:

• Level 1: Foundational cyber hygiene

• Implements the 15 basic safeguarding requirements from FAR 52.204-21

• Annual self-assessment with annual affirmation in SPRS
  
  

• Level 2: Advanced cybersecurity

• Designed for organizations that require additional cybersecurity to handle CUI

• Requires third-party assessment from a Certified Third-Party Assessment Organization (C3PAO)
  
  

• Level 3: Expert

• For handling of CUI tied to the most sensitive programs, such as national security

• Government-led assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBAC) every three years

• Adds a subset of 24 requirements from NIST SP 800-172

Key changes from CMMC 1.0

• Fewer CMMC levels: The original five-level framework has been streamlined into three levels.

• Removed many custom practices: The new version eliminates many complex, organization-specific requirements.

Achieving CMMC 2.0 compliance might seem daunting, but breaking it down into clear, actionable steps can simplify the process. 

1. Identify your required CMMC level: Determine which level applies based on the information you handle and your DoD supply chain role.

2. Hire a consultant to perform a gap assessment: Work with a certified consultant to assess your current cybersecurity posture against your designated level requirements. 

3. Develop and implement a System Security Plan (SSP): Document your security policies, procedures, and controls. Working with a consultant and/or GRC platform is encouraged.

4. Implement the necessary security controls: For Level 2, implement all 110 security practices from NIST 800-171. Working with a consultant and/or GRC platform is encouraged.

5. Document any remaining gaps in a POA&M: Create a Plan of Action and Milestones (POA&M) with timelines for any gaps you can't immediately remediate. Working with a consultant and/or GRC platform is encouraged.

6. Schedule your assessment: Arrange a self-assessment (Level 1), third-party assessment (Level 2) with a C3PAO, or government-led assessment (Level 3). Start this early, since once a CMMC clause appears in a solicitation, your status must be current in SPRS at contract award. Note that conditional Level 2 or Level 3 status may be accepted for up to 180 days to close eligible POA&Ms.

7. Ensure continuous compliance: Implement continuous monitoring, perform internal audits, and update security controls as threats evolve.

8. Plan for reassessment triggers:  A Level 2 certification is good for three years, unless you make a change to your certified environment that requires a reassessment.

Key details of CMMC 2.0 enforcement:

• When DFARS 252.204-7021 is included in a contract, CMMC status (final or conditional) is required at contract award and must be recorded in SPRS

• The new version is being gradually phased in over time

• The urgency of now: Prime DoD contractors are already requesting documentation from subcontractors for their certification or planned assessment dates, so don't delay

Level-specific expectations

• Level 1: Yearly self-assessment

• Level 2: Third-party assessment for CUI-handling organizations once every three years

• Level 3: Implements enhanced security requirements from NIST SP 800-172 and is assessed exclusively by the government (DIBCAC)  for highly sensitive programs

From official DoD guides to Huntress’s tailored tools and expert support, these resources are designed to simplify implementation, strengthen your security posture, and keep your organization audit-ready.

Official DoD, CyberAB, and NIST resources

• CMMC model overview and assessment guides

• CMMC marketplace for certified assessors and consultants

• NIST SP 800-171: Protecting CUI in nonfederal systems

• NIST SP 800-171A: Assessment procedures

Huntress tools and support

• Huntress platform for end-to-end CMMC readiness, with continuous monitoring and threat detection across endpoints, security information and event management (SIEM), and identity threat detection and response (ITDR) 

• Assessor-ready documentation to help shave weeks off your certification timeline

Got questions about CMMC 2.0? You’re not alone. From understanding who needs to comply to breaking down certification costs and requirements, we’ve got the answers you need to navigate this updated cybersecurity framework with confidence.

Is CMMC 2.0 released?

Yes. CMMC 2.0 is the current version of the DoD cybersecurity compliance framework, and it replaces the original five-level model.

Who’s required to comply with CMMC 2.0?

Any organization that receives revenue from a DoD contract 

Do I need an audit for CMMC Level 2?

Yes. Organizations at Level 2 are required to undergo a third-party assessment from a C3PAO.

What’s the difference between CMMC 2, SOC 2, and NIST 800-171?

SOC 2 focuses on internal controls for service organizations. NIST 800-171 is a federal standard. CMMC 2, is an enforcement mechanism of NIST standards, turned into required controls, specifically designed for DoD contractors.

How much does CMMC 2.0 cost?

Costs vary depending on level, organizational readiness,  and assessment type. Preparation will ultimately cost more than the assessment. Work with a certified consultant with a good reputation to streamline the process.

How to get CMMC 2.0 certified? 

Determine your required level, implement necessary security controls, document the implementation, and then complete the appropriate assessment. Level 1 requires self-assessment, while Levels 2 and 3 require formal third-party or government assessments.

What’s CMMC level 2 compliance? 

CMMC Level 2 compliance includes 110 security controls from NIST 800-171 to protect CUI. It’s designed for DoD subcontractors who may handle sensitive government data. Certification requires a third-party assessment conducted by a C3PAO.

How to get CMMC level 2 certification? 

To get Level 2 certification, work with a certified consultant to conduct a gap assessment against NIST 800-171 requirements, implement missing controls, document your security posture in an SSP, and schedule an assessment with a C3PAO. The assessor will verify your implementation through document review, interviews, and testing. Successful completion results in certification valid for three years.

Huntress combines endpoint protection, log monitoring, identity threat detection, and security awareness training into a single, continuously monitored security stack and provides the assessor-ready documentation needed to shave weeks off of the assessment process. Book a demo to see how we can help your organization get audit-ready.