The Department of Defense (DoD) developed the Cybersecurity Maturity Model Certification (CMMC) framework to protect the Defense Industrial Base (DIB) from adversarial intelligence collection efforts and corporate proprietary data theft that could compromise U.S. national security. The framework is designed to ensure that defense contractors can meet the cybersecurity requirements built on the National Institute of Standards and Technology (NIST) 800-171 standards.
The DoD issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to mandate compliance with CMMC 2.0. Since November 10, 2025, CMMC requirements have been included as award criteria in new contracts and when exercising option years on existing contracts.
Use the following guide to understand the key components of CMMC 2.0 and get answers to frequently asked questions about the CMMC 2.0 compliance requirements.
The CMMC framework was created to protect the availability, confidentiality, and integrity of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) throughout the DoD’s extensive contractor supply chain. CMMC 2.0 – an advancement of CMMC 1.0 based on input from stakeholders – was released in October 2024. The revised framework streamlines and simplifies the original one with the goal of increasing the accountability and uniformity of cybersecurity procedures for contractors operating within the DIB.
With the introduction of CMMC 2.0, the DoD is pursuing three objectives:
Effective since December 2024 (32 CFR Final Rule), the revised CMMC Program is characterized by a tiered model, assessment requirements aligned to NIST SP 800-171 (a set of cybersecurity requirements published by the National Institute of Standards and Technology), and a phased rollout.
Businesses entrusted with FCI and CUI are required to implement the progressive cybersecurity standards mandated by CMMC 2.0. The program also sets out the process for requiring that information flowed down to subcontractors be protected.
The DoD can confirm adherence to specific cybersecurity standards through CMMC assessments.
Certain DoD contractors handling FCI and CUI will need to reach a specific CMMC level as a requirement of contract award once CMMC regulations go into effect.
Unlike the earlier program, CMMC 2.0 fully aligns with the controls set out in NIST SP 800-171 Revision 2.
To be awarded contracts and to continue performing on existing ones, all DoD contractors and subcontractors must have a current CMMC record in the DoD Supplier Performance Risk System (SPRS) for all information systems that process, store, or transmit FCI or CUI during contract performance.
DFARS mandates contractor compliance with the CMMC requirements at the specified level for contract award. Depending on the kind and level of sensitivity of the data that companies may receive, retain, and transmit, the Department of Defense will determine which CMMC level will be applicable to a contract.
As CMMC 2.0 seeks to secure the entire Defense Supply Chain, via the “flow-down” principle, DFARS clauses also apply to subcontractors, making contractors responsible for their enforcement.
Contractors and subcontractors must submit a current assessment of their compliance with SPRS prior to contract award.
The level of CMMC 2.0 compliance you require is determined by the type of information you handle: Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CUI is information that needs to be protected and may also be subject to dissemination controls, whereas FCI is any information that is "not intended for public release." Title 32 CFR Part 2002 defines CUI, while FAR clause 52.204-21 defines FCI.
The revised CMMC framework includes three levels for a progressive and simplified journey to cybersecurity maturity. Each level is characterized by a set of cybersecurity best practices, standards, and processes as defined in NIST SP 800-171 Revision 2.
This level prioritizes safeguarding FCI. It mandates that an organization’s systems and procedures adhere to 15 fundamental cybersecurity practices specified under 48 CFR 52.204-21, also known as the FAR clause (see FAQ). This level may apply to a subset of programs that would otherwise need to meet CMMC Level 2 requirements, provided CUI is not involved; it applies only when the organization does not receive or hold Controlled Unclassified Information.
A self-assessment conducted once a year is sufficient at Level 1. Organizations must score their assessment against DoD requirements and report the results to SPRS for the assessment to be considered valid. The yearly submission of self-assessment results serves as an affirmation of continuous compliance.
The protection of CUI is the main focus of this level. At this level, organizations need to document their processes to guide their compliance efforts and follow them as prescribed.
CMMC Level 2 is often referred to as "advanced cyber-hygiene." It requires the implementation of 110 practices under the 14 domains specified in NIST SP 800-171 Revision 2 (see FAQ).
CMMC Level 2 requires certification and, therefore, third-party assessment, which must be carried out by Certified Third-Party Assessment Organizations (C3PAOs). After initial certification, affirmation of continuous compliance must be made yearly by an organization official and posted to the Supplier Performance Risk System. Three years after initial certification, a full reassessment must be carried out by a C3PAO.
Concerned with protecting CUI from advanced persistent threats (APTs), this level is also described as "High Value Assets." CMMC Level 3 requires the implementation of 24 additional controls drawn from the NIST SP 800-172 enhanced requirements, which address greater cybersecurity risk management.
The certification is only conducted by the DoD via DIBCAC every three years. As a prerequisite for this level, organizations must already be holding a valid Level 2 certification. After initial certification, organizations certified at this level should follow the same process for affirmation of continuous compliance and reassessment as CMMC Level 2 certified organizations.
Once certified at a given NIST revision, organizations remain locked to that revision for the three-year certification cycle. Transition to future revisions (e.g., NIST 800-171 Revision 3) will require new rulemaking, and likely fresh Class deviations for both DFARS 7012 and the 32 CFR CMMC program.
The CMMC accreditation body is Cyber AB.
Achieving CMMC compliance and certification, especially Levels 2 and 3, takes significant time and resources and is a project that involves the entire organization. Here is an overview of the steps that you need to follow:
The certification level you need is driven by the type of information you handle – Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
Analyze your current cybersecurity procedures and compare them to the certification level requirements. What are the areas that need improvement to meet the requirements of the CMMC level you are aiming for?
To improve your cybersecurity posture, implement the procedures described in FAR 52.204-21 (Level 1) and NIST SP 800-171 (Level 2), or NIST SP 800-172 (Level 3).
To achieve Level 2 and Level 3 certifications, work with certified third-party assessment organizations (C3PAOs) or with government-led assessors (DIBCAC).
Continuous cybersecurity excellence is emphasized in CMMC 2.0. To handle new risks, make sure you update and enhance your procedures on a regular basis. When working with subcontractors, make sure they have a valid SPRS record and check their scores.
Under the CMMC 2.0 final rule, organizations may achieve “conditional certification” at Level 2 and Level 3. To transition to full certification, they have 180 days to address the identified gaps according to the corrective action plan and road map formally documented in a Plan of Action and Milestones (POA&M).
Achieving certification should typically take 6 to 18 months. However, costs to achieve this vary depending on scope – i.e., volume of CUI and assets that store CUI, the CMMC Level aimed for, and an organization’s cybersecurity maturity at the start of the process. To enhance readiness and prepare your organization for certification, you can work with a CMMC Registered Provider Organization (RPO), authorized by the Cyber AB, or a C3PAO (which, in this case, cannot also be your certifying entity).
Learn how Infor supports your compliance requirements in a CMMC 2.0-ready environment.