CMMC 2.0 Readiness: What Government Contractors Need to Know in 2026

What Is CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense's framework for verifying that defense contractors adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). After years of development and revision, the CMMC final rule (32 CFR Part 170) took effect on December 16, 2024, with phased implementation beginning in 2025.

Unlike the original CMMC 1.0 -- which proposed five maturity levels and a complex assessment ecosystem -- CMMC 2.0 simplifies the framework to three levels and aligns directly with existing NIST standards that contractors are already contractually obligated to implement under DFARS clause 252.204-7012.

"CMMC 2.0 does not introduce new cybersecurity requirements. It introduces accountability. The controls have been required since 2017 under DFARS 7012 -- CMMC simply adds verification."

The Three CMMC 2.0 Levels

Level 1: Foundational (Self-Assessment)

Who needs it: Any contractor that handles Federal Contract Information (FCI) -- essentially all DoD contractors.

Requirements: 15 basic cybersecurity practices derived from FAR 52.204-21. These cover fundamental security hygiene:

• Limit system access to authorized users
• Authenticate user identities before granting access
• Sanitize or destroy media containing FCI before disposal
• Limit physical access to organizational systems
• Escort visitors and monitor visitor activity
• Monitor and control connections to external systems
• Update malicious code protection mechanisms
• Perform periodic scans and real-time scans of files from external sources

Assessment: Annual self-assessment with affirmation by a senior company official. Results are submitted to the Supplier Performance Risk System (SPRS). No third-party assessment required.

Key detail: The senior official who affirms the assessment is attesting to its accuracy under penalty of the False Claims Act. This is not a checkbox exercise -- inaccurate self-assessments carry real legal risk.

Level 2: Advanced (Third-Party Assessment)

Who needs it: Contractors that handle Controlled Unclassified Information (CUI) on prioritized programs. This is the level that most defense contractors focused on IT, engineering, and professional services will need to achieve.

Requirements: All 110 security controls from NIST SP 800-171 Rev 2, organized across 14 control families:

Assessment: Conducted by a CMMC Third-Party Assessment Organization (C3PAO) accredited by the Cyber AB (formerly the CMMC Accreditation Body). Assessments are valid for three years.

Note on self-assessment option: For non-prioritized programs involving CUI, DoD may allow Level 2 self-assessment instead of third-party assessment. The determination is made on a program-by-program basis and specified in the solicitation.

Level 3: Expert (Government-Led Assessment)

Who needs it: Contractors working on the highest-priority DoD programs with the most sensitive CUI.

Requirements: All 110 NIST 800-171 controls plus a subset of enhanced controls from NIST SP 800-172. The specific 800-172 controls required for Level 3 are defined by the government and currently include 24 additional practices.

Assessment: Conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). This is a government-led assessment, not a commercial C3PAO engagement.

The Assessment Timeline

CMMC requirements are being phased into DoD contracts through four phases:

• Phase 1 (Starting 2025): Level 1 self-assessment or Level 2 self-assessment required in applicable solicitations
• Phase 2 (Starting 2026): Level 2 C3PAO assessments begin appearing as requirements in solicitations for prioritized CUI programs
• Phase 3 (Starting 2027): Level 2 C3PAO assessments required more broadly; Level 3 assessments begin
• Phase 4 (Starting 2028): Full implementation across all applicable contracts

What this means for 2026: If you handle CUI on DoD contracts, you should be actively preparing for a Level 2 assessment. Waiting until a solicitation requires it leaves insufficient time -- most organizations need 12-18 months from initial gap assessment to assessment readiness.

SSP and POA&M: The Critical Documents

System Security Plan (SSP)

Your SSP is the single most important CMMC document. It describes how your organization implements each of the 110 NIST 800-171 controls within your CUI environment.

What the SSP must include:

• System boundary definition: Precisely define which systems, networks, and devices are in scope for CUI handling
• Control implementation statements: For each of the 110 controls, describe specifically how your organization implements it -- not generic language, but your actual implementation
• Roles and responsibilities: Who is responsible for each security function
• Network architecture diagrams: Visual representation of your CUI environment, including data flows, boundary devices, and external connections
• Interconnection details: How your system connects to other systems, particularly government networks

Common SSP mistakes:

1. Copy-paste from templates: Assessors immediately recognize generic implementation statements that do not reflect your actual environment
2. Scope creep: Defining the CUI boundary too broadly increases the number of systems requiring controls and assessment
3. Missing inherited controls: If you use a FedRAMP-authorized cloud service, document which controls are inherited from the cloud provider
4. No version control: Your SSP is a living document. Without version control, you cannot demonstrate that it reflects your current environment

Plan of Action and Milestones (POA&M)

A POA&M documents security controls that are not yet fully implemented, along with the specific plan and timeline for achieving full implementation.

CMMC 2.0 POA&M rules:

• POA&Ms are allowed for Level 2 assessments, but with constraints
• You cannot have a POA&M for more than a limited number of controls (currently, no more than 20% of controls can be on POA&M)
• Certain critical controls cannot be on POA&M at all (these are specified in the CMMC assessment guide)
• All POA&M items must be closed within 180 days of the assessment
• If you fail to close POA&Ms within 180 days, your conditional certification is revoked

"A POA&M is not a parking lot for controls you do not want to implement. It is a documented commitment to close specific gaps on a specific timeline. Assessors evaluate the credibility of your POA&M -- unrealistic timelines or vague remediation plans will not pass."

Practical Steps to Prepare

Step 1: Define Your CUI Environment

Before anything else, determine where CUI lives in your organization. Map every system, application, and data flow that touches CUI. The goal is to define the smallest possible boundary -- every system in scope must meet all 110 controls.

Strategies to minimize scope:

• Segment CUI into a dedicated enclave separate from your general IT environment
• Use FedRAMP-authorized cloud services (Microsoft GCC High, AWS GovCloud) for CUI processing and storage
• Implement data loss prevention (DLP) to prevent CUI from spreading beyond the defined boundary

Step 2: Conduct a Gap Assessment

Evaluate your current implementation against each of the 110 NIST 800-171 controls. For each control, document:

• Implemented: Control is fully in place with evidence
• Partially implemented: Some elements are in place, specific gaps identified
• Not implemented: Control is not addressed

A thorough gap assessment typically reveals 30-60 gaps for organizations that have been informally following cybersecurity best practices but have not conducted a structured NIST 800-171 review.

Step 3: Develop Your Remediation Roadmap

Prioritize gaps by:

1. Controls that cannot be on POA&M: These must be fully implemented before assessment
2. Controls with the greatest risk reduction: Focus on access control, multi-factor authentication, encryption, and audit logging first
3. Controls with the longest implementation timeline: Technology purchases, network architecture changes, and staff training require lead time

Step 4: Build Your Documentation

Documentation is where most assessments succeed or fail. You need:

• System Security Plan (SSP): Detailed, specific, and current
• POA&M: For any controls not yet fully implemented
• Policies and procedures: Formal, written policies for each control family
• Evidence artifacts: Logs, screenshots, configuration files, training records that demonstrate control implementation

Step 5: Conduct Internal Assessments

Before engaging a C3PAO, conduct at least one internal mock assessment. Use the CMMC Assessment Guide (available from the Cyber AB) to evaluate your own readiness. Many organizations engage a Registered Practitioner Organization (RPO) to conduct a pre-assessment.

Step 6: Select a C3PAO and Schedule Assessment

C3PAOs are listed on the Cyber AB Marketplace. When selecting a C3PAO:

• Verify their accreditation status is current
• Ask about assessor experience with organizations of your size and type
• Understand the expected timeline from scheduling to final report
• Clarify costs -- C3PAO assessments typically range from $30,000 to $100,000+ depending on scope and complexity

Cost Considerations

CMMC readiness is not inexpensive. Budget realistically:

These costs are allowable and allocable as indirect costs on DoD contracts. Factor them into your indirect rate structure.

What Happens If You Are Not Ready?

Contractors who cannot demonstrate CMMC compliance at the required level will be ineligible for contract award on solicitations that include CMMC requirements. As phased implementation continues through 2028, this will affect an increasing share of DoD procurements.

Additionally, the Department of Justice has used the False Claims Act to pursue contractors who submitted inaccurate NIST 800-171 self-assessment scores. The legal risk of non-compliance extends beyond lost contracts to potential civil liability.

The bottom line: CMMC readiness is a business-critical investment for any contractor that intends to compete for DoD work.

---

Aliff Solutions helps government contractors track compliance requirements across their opportunity pipeline. Our platform identifies which opportunities require CMMC certification, monitors regulatory changes, and supports your compliance readiness journey. Explore our free tools to assess your competitive position in the defense market.