CMMC 2.0 Overview
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework establishes cybersecurity requirements for the Defense Industrial Base (DIB). It streamlines the original five-level model down to three levels and codifies the requirement for third-party assessments at Level 2 and above.
If you handle Controlled Unclassified Information (CUI) for the Department of Defense, CMMC affects you.
The Three Levels
Level 1 — Foundational covers 15 basic cybersecurity practices from FAR 52.204-21. This level requires annual self-assessment and applies to contractors handling Federal Contract Information (FCI).
Level 2 — Advanced maps directly to the 110 security requirements in NIST SP 800-171. Most contractors handling CUI will need Level 2 certification, which requires assessment by an authorized C3PAO (Certified Third-Party Assessor Organization).
Level 3 — Expert adds requirements from NIST SP 800-172 for enhanced security against advanced persistent threats. This level requires government-led assessment and applies to a smaller set of critical programs.
Timeline and Enforcement
The CMMC program is now officially active. The 32 CFR Part 170 final rule took effect in December 2024, and CMMC requirements are being phased into DoD contracts through the 48 CFR DFARS rulemaking process. Assessments are conducted by the CMMC Accreditation Body (the Cyber AB) ecosystem through authorized C3PAOs.
This is no longer a future requirement. Contractors who haven’t started preparation are already behind.
Practical Steps for Preparation
1. Scope Your CUI Environment
Identify exactly where CUI flows and is stored in your organization. The scope of your assessment — and the cost — depends entirely on this boundary. Many organizations reduce scope by segmenting their CUI environment from their broader IT infrastructure.
2. Conduct a Gap Assessment
Map your current security posture against all 110 NIST 800-171 practices. Be honest about where you have gaps. Common problem areas include:
- Access control and multi-factor authentication
- Audit log management and retention
- Configuration management and change control
- Incident response planning and testing
- System and communications protection
3. Build Your System Security Plan (SSP)
Your SSP documents how you implement each security requirement. This is a living document that assessors will review closely. It should describe your actual implementations, not aspirational ones.
4. Address Gaps with a POA&M
A Plan of Action and Milestones (POA&M) documents known gaps and your plan to close them. Under CMMC 2.0, certain controls may have limited POA&M allowance, but this should not be your primary compliance strategy.
5. Establish Continuous Monitoring
CMMC is not a one-time audit. Organizations must maintain their security posture continuously between assessments. This means ongoing monitoring of configurations, access controls, and security events.
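To make the five steps above concrete, here is an added example in Python; it is written for this page and is not PolicyCortex code. It takes two constructed configuration snapshots, assesses only the in-scope systems (step 1) against three requirements keyed to real NIST SP 800-171 identifiers (3.5.3, 3.3.1 and 3.13.1; the one-line descriptions, the 90-day retention threshold and the `cui-enclave` segment name are this example's assumptions, not the standard's wording), turns every failing system/requirement pair into an open POA&M entry (steps 2 and 4), and reports drift between the two snapshots, which is the continuous-monitoring part (step 5). System names and settings are made up.

```python
"""Gap assessment, POA&M generation and drift detection over configuration
snapshots. Requirement IDs are NIST SP 800-171 identifiers; the checks,
thresholds and system data below are assumptions constructed for this
example and are not taken from the standard or from any real environment."""
from dataclasses import dataclass

MIN_RETENTION_DAYS = 90        # assumed retention floor for audit logs
CUI_SEGMENT = "cui-enclave"    # assumed name of the segmented CUI network


@dataclass(frozen=True)
class System:
    name: str
    in_scope: bool            # inside the CUI boundary after scoping
    mfa_privileged: bool      # MFA enforced for privileged access
    log_retention_days: int   # audit log retention currently configured
    segment: str              # network segment the system sits in


# Requirement ID -> (short description, predicate over a System).
REQUIREMENTS = {
    "3.5.3": ("MFA enforced for privileged access",
              lambda s: s.mfa_privileged),
    "3.3.1": (f"audit logs retained for at least {MIN_RETENTION_DAYS} days",
              lambda s: s.log_retention_days >= MIN_RETENTION_DAYS),
    "3.13.1": (f"system resides in the {CUI_SEGMENT} segment",
               lambda s: s.segment == CUI_SEGMENT),
}


def assess(systems):
    """Gap assessment: evaluate every in-scope system against every
    requirement. Returns {(system, requirement_id): passed}."""
    results = {}
    for s in systems:
        if not s.in_scope:          # out-of-scope systems are not assessed
            continue
        for rid, (_, check) in REQUIREMENTS.items():
            results[(s.name, rid)] = bool(check(s))
    return results


def build_poam(results):
    """One open POA&M entry per failing (system, requirement) pair."""
    return [
        {"system": name, "requirement": rid,
         "description": REQUIREMENTS[rid][0],
         "status": "open", "milestone": "owner to set"}
        for (name, rid), passed in sorted(results.items()) if not passed
    ]


def detect_drift(previous, current):
    """Continuous monitoring: pairs that passed last time but fail now."""
    return sorted(key for key, passed in current.items()
                  if not passed and previous.get(key) is True)


# Constructed snapshots: T0 is the gap-assessment baseline, T1 a later run
# in which the ERP host's log retention has silently dropped.
SNAPSHOT_T0 = [
    System("erp", True, True, 180, CUI_SEGMENT),
    System("fileserver", True, False, 30, "corp-lan"),
    System("marketing-web", False, False, 7, "dmz"),   # out of scope
]
SNAPSHOT_T1 = [
    System("erp", True, True, 30, CUI_SEGMENT),
    System("fileserver", True, False, 30, "corp-lan"),
    System("marketing-web", False, False, 7, "dmz"),
]


def run_cycle(baseline, latest):
    """Assess both snapshots, return (POA&M from baseline, drift in latest)."""
    before, after = assess(baseline), assess(latest)
    return build_poam(before), detect_drift(before, after)


if __name__ == "__main__":
    poam, drift = run_cycle(SNAPSHOT_T0, SNAPSHOT_T1)
    for entry in poam:
        print("POA&M", entry["system"], entry["requirement"], entry["description"])
    for system, rid in drift:
        print("DRIFT", system, rid)
```

The out-of-scope host never appears in the results, which is the cost argument behind scoping: each system you keep inside the boundary adds a full set of checks. The drift list is what a continuous-monitoring loop would raise between assessments, since a control that passed at the gap assessment is not guaranteed to still pass on assessment day.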
Common Mistakes
Treating CMMC as a checkbox exercise. The assessors are looking at actual security posture, not just documentation.
Waiting too long to start. Achieving compliance takes most organizations months, not weeks. C3PAO availability is limited.
Over-scoping the CUI boundary. Every system in scope must meet all 110 requirements. Reducing scope through segmentation can dramatically reduce cost and complexity.
Ignoring the cloud. Many contractors use AWS, Azure, or GCP without properly configuring these environments for CUI handling. Cloud misconfigurations are among the top findings in CMMC assessments. If your CUI touches cloud infrastructure, your cloud environment is in scope.
How PolicyCortex Helps
PolicyCortex automates the continuous monitoring, evidence collection, and remediation aspects of CMMC preparation. Rather than manually auditing 110 controls before your assessment, the platform maintains a real-time view of your compliance posture and assembles evidence automatically.
This doesn’t replace the work of building your security program — but it dramatically reduces the operational burden of maintaining it.
Ready to automate your cloud governance?
See how PolicyCortex replaces your disconnected compliance tools with one autonomous platform.