Ultimate guide to CMMC 2.0 compliance requirements

CMMC 2.0 now applies to all DoD contracts. Are you ready?

Infor_3D Platform Image_Library_Dark_06.jpg

Guide to CMMC 2.0 compliance

What is CMMC 2.0?
Revised CMMC 2.0 framework
Who needs to comply with CMMC 2.0?
Understanding FCI and CUI
New CMMC 2.0 Levels
How to achieve CMMC 2.0 compliance
Time and cost of compliance
CMMC 2.0 FAQs

The Department of Defense (DoD) developed the Cybersecurity Maturity Model Certification (CMMC) framework to protect the Defense Industrial Base (DIB) from adversarial intelligence collection efforts and corporate proprietary data theft that could compromise U.S. national security. The framework is designed to ensure that defense contractors can meet the cybersecurity requirements built on the National Institute of Standards and Technology (NIST) 800-171 standards.

The DoD issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to mandate compliance with CMMC 2.0. Since November 10, 2025, CMMC are included as award criteria in new contracts as well as when exercising option years for existing contracts.

Use the following guide to understand the key components of CMMC 2.0 and get answers to frequently asked questions about the CMMC 2.0 compliance requirements.

What is CMMC 2.0?

The CMMC framework was created to protect the availability, confidentiality, and integrity of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) throughout the DoD’s extensive contractor supply chain. CMMC 2.0 – an advancement of CMMC 1.0 based on input from stakeholders – was released in October 2024. The revised framework streamlines and simplifies the original one with the goal of increasing the accountability and uniformity of cybersecurity procedures for contractors operating within the DIB.

With the introduction of CMMC 2.0, the DoD is pursuing three objectives:

Guaranteeing that suitable cybersecurity controls and procedures are in place
Streamlining certification
Lowering compliance obstacles and costs for smaller organizations

Effective since December 2024 (32 CFR Final Rule), the revised CMMC Program is characterized by a tiered model and its assessment requirements aligned to NIST SP 800-171, a set of cybersecurity requirements published by the National Institute of Standards and Technology, and a phased rollout.

The 4 pillars of the revised CMMC 2.0 framework

Tiered model

Businesses entrusted with FCI and CUI are required to implement the progressive cybersecurity standards mandated by CMMC 2.0. The program also explains the process for mandating information that is flowed down to subcontractors to be protected.

The new model has been simplified to three maturity levels instead of the previous five.

Assessment requirement

The DoD can confirm the use of precise cybersecurity standards through CMMC evaluations.

Self-evaluation is sufficient for Level 1, but third-party assessment is required for Level 2, and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment is required for Level 3.

Phased implementation

Certain DoD contractors handling FCI and CUI will need to reach a specific CMMC level as a requirement of contract award once CMMC regulations go into effect.

CMMC 2.0 has a well-defined implementation schedule; the new requirements will be put into effect over a three-year period, utilizing a four-phase implementation plan.

Standard alignment

Unlike the earlier program, CMMC 2.0 fully aligns with the controls set out in NIST SP 800-171 Revision 2.

Who needs to comply with CMMC 2.0?

To be awarded contracts and for the continuance of contracts, all DoD contractors and subcontractors must have a current CMMC record in the DoD Supplier Performance Risk System (SPRS) or all information systems that process, store, or transmit FCI or CUI during contract performance.

DFARS mandates contractor compliance with the CMMC requirements at the specified level for contract award. Depending on the kind and level of sensitivity of the data that companies may receive, retain, and transmit, the Department of Defense will determine which CMMC level will be applicable to a contract.

As CMMC 2.0 seeks to secure the entire Defense Supply Chain, via the “flow-down” principle, DFARS clauses also apply to subcontractors, making contractors responsible for their enforcement.

Prime contractors are companies that work directly with the DoD on defense-related contracts
Subcontractors are third-party businesses that supply prime contractors with goods or services

Contractors and subcontractors must submit a current assessment of their compliance with SPRS prior to contract award.

Loading component...

Understanding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)

The level of CMMC 2.0 compliance you require is determined by the type of information you handle: Federal Contract Information (FCI) or Controlled Classified Information (CUI). CUI is information that needs to be protected and may also be subject to dissemination regulations, whereas FCI is any information that is "not intended for public release." Title 32 CFR Part 2002 defines CUI, while FAR clause 52.204-21 defines FCI.

Federal Contract Information (FCI)

Is provided by or generated for the U.S. Government under a contract to develop or deliver a product or service to the Government
Is not marked as public or for public release
Examples of FCI can include communication and representation of knowledge, such as facts, data, or opinions in text, numerical, graphical, or audiovisual format

Controlled Unclassified Information (CUI)

Is created or owned by the U.S. Government or its partners
Can be critical (CUI with prioritized acquisitions) or non-critical (CUI with non-prioritized acquisitions) – it depends on the specific information’s content, its relation to national security, economic interests, or individual privacy, and requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government policies to protect national security
Is not classified under Executive Order 13526 or the Atomic Energy Act
Is marked as CUI
Examples of CUI include DoD personnel identifiable information, technical specifications for military equipment, critical infrastructure information, and contract performance data

Loading component...

What are the new CMMC 2.0 levels?

The revised CMMC framework includes three levels for a progressive and simplified journey to cybersecurity maturity. Each level is characterized by a set of cybersecurity best practices, standards, and processes as defined in NIST SP 800-171 Revision 2.

CMMC Level 1 requirements (foundational)

This level prioritizes safeguarding FCI. It mandates that an organization’s systems and procedures adhere to 15 fundamental cybersecurity practices specified under 48 CFR 52.204-21, also known as the FAR clause (see FAQ ). This level may be applicable to a subset of programs that need to meet CMMC Level 2 requirements, if CUI is not involved; however, it is only applicable when the organization does not receive or hold Controlled Unclassified Information.

CMMC Level 1 assessment

A self-assessment conducted once a year is sufficient at Level 1. Organizations must score their assessment against DoD requirements and report the results to SPRS for the assessment to be considered valid. The yearly submission of self-assessment results serves as an affirmation of continuous compliance.

CMMC Level 2 requirements (advanced)

The protection of CUI is the main focus of this level. At this level, organizations need to document their processes to guide their compliance efforts and follow them as prescribed.

CMMC Level 2 is often referred to as "advanced cyber-hygiene.” It requires the implementation of 110 practices, under the 14 domains specified in NIST SP 800-171 Revision 2 (see FAQ ).

CMMC Level 2 assessment

CMMC Level 2 requires certification and, therefore, third-party assessment, which must be carried out by Certified Third-Party Assessment Organizations (C3PAOs). After initial certification, affirmation of continuous compliance must be made yearly by an organization official and posted to the Supplier Performance Risk System. Three years after initial certification, a full reassessment must be carried out by a C3PAO.

Since November 10, 2025, as part of the CMMC 2.0 roll-out phase, new Level 2 contracts and option years require self-assessments. Starting in November 2026, third-party assessments will be required.

CMMC Level 3 requirements (expert)

Concerned with protecting CUI from advanced persistent threats (APTs), this CUI level is also described as "High Value Assets.” CMMC Level 3 requires the implementation of 24 additional controls from NIST SP 800-172 enhanced standards related to greater cybersecurity risk management.

CMMC Level 3 assessment

The certification is only conducted by the DoD via DIBCAC every three years. As a prerequisite for this level, organizations must already be holding a valid Level 2 certification. After initial certification, organizations certified at this level should follow the same process for affirmation of continuous compliance and reassessment as CMMC Level 2 certified organizations.

Prime contractors and subcontractors may require different degrees of certification depending on their activities and the sensitivity of the information (flow down).

Three-year certification cycles

Once certified at a given NIST revision, organizations remain locked to that revision for the three-year certification cycle. Transition to future revisions (e.g., NIST 800-171 Revision 3) will require new rulemaking, and likely fresh Class deviations for both DFARS 7012 and the 32 CFR CMMC program.

The CMMC accreditation body is Cyber AB.

Loading component...

How to achieve CMMC 2.0 compliance

Achieving CMMC compliance and certification, especially Levels 2 and 3, takes significant time and resources and is a project that involves the entire organization. Here is an overview of the steps that you need to follow:

Determine your CMMC 2.0 certification level

The certification level you need is driven by the type of information you handle – Federal Contract Information (FCI) or Controlled Classified Information (CUI).

Perform a gap analysis

Analyze your current cybersecurity procedures and compare them to the certification level requirements. What are the areas that need improvement to meet the requirements of the CMMC level you are aiming for?

Put the necessary procedures into action

To improve your cybersecurity posture, implement the procedures described in FAR 52.204-21 (Level 1) and NIST SP 800-171 (Level 2), or NIST SP 800-172 (Level 3).

Select a CMMC-certified C3PAO

To achieve Level 2 and Level 3 certifications, work with certified third-party assessment organizations (C3PAOs) or with government-led assessors (DIBCAC).

Maintain continuous improvement

Continuous cybersecurity excellence is emphasized in CMMC 2.0. To handle new risks, make sure you update and enhance your procedures on a regular basis. When working with subcontractors, make sure they have a valid SPRS record and check their scores.

Conditional certification

Under the CMMC 2.0 final rule, organizations may achieve “conditional certification” at Level 2 and Level 3. To transition to full certification, they have 180 days to address the gaps identified with the corrective actions plan and road map formally outlined in a POA&M document.

Loading component...

Time and cost of CMMC 2.0 compliance

Achieving certification should typically take 6 to 18 months. However, costs to achieve this vary depending on scope – i.e., volume of CUI and assets that store CUI, the CMMC Level aimed for, and an organization’s cybersecurity maturity at the start of the process. To enhance readiness and prepare your organization for certification, you can work with a CMMC Registered Provider Organization (RPO), authorized by the Cyber AB, or a C3PAO (which, in this case, cannot also be your certifying entity).

Learn how Infor supports your compliance requirements in a CMMC 2.0-ready environment.

Explore Infor A&D software

Loading component...

Ultimate guide to CMMC 2.0 compliance requirements

Guide to CMMC 2.0 compliance

What is CMMC 2.0?

The 4 pillars of the revised CMMC 2.0 framework

Tiered model

Assessment requirement

Phased implementation

Standard alignment

Who needs to comply with CMMC 2.0?

Loading component...

Understanding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)

Federal Contract Information (FCI)

Controlled Unclassified Information (CUI)

Loading component...

What are the new CMMC 2.0 levels?

CMMC Level 1 requirements (foundational)

CMMC Level 1 assessment

CMMC Level 2 requirements (advanced)

CMMC Level 2 assessment

CMMC Level 3 requirements (expert)

CMMC Level 3 assessment

Three-year certification cycles

Loading component...

How to achieve CMMC 2.0 compliance

Loading component...

Time and cost of CMMC 2.0 compliance

CMMC 2.0 FAQs

What are the FAR 52.204-21 15 fundamental cybersecurity practices?

What are the 14 domains of cybersecurity practices in the CMMC 2.0 framework?

What is the timeline for CMMC 2.0 implementation?

Loading component...

Let's Connect

Loading component...

Who needs to comply with CMMC 2.0?

Understanding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)

Federal Contract Information (FCI)

Controlled Unclassified Information (CUI)

What are the new CMMC 2.0 levels?

CMMC Level 1 requirements (foundational)

CMMC Level 1 assessment

CMMC Level 2 requirements (advanced)

CMMC Level 2 assessment

CMMC Level 3 requirements (expert)

CMMC Level 3 assessment

Three-year certification cycles

How to achieve CMMC 2.0 compliance

CMMC 2.0 FAQs

What are the FAR 52.204-21 15 fundamental cybersecurity practices?

What are the 14 domains of cybersecurity practices in the CMMC 2.0 framework?

What is the timeline for CMMC 2.0 implementation?

Let's Connect