CMMC 2.0 Compliance: What Every DoD Contractor Must Know Before the Deadline

The original CMMC program — published in 2020 — had five maturity levels, required third-party assessments at every level, and layered DoD-specific practices on top of existing NIST requirements. Defense contractors hated it. The compliance burden was enormous, the costs were unclear, and the certification bodies didn't exist in sufficient numbers to handle the volume.

CMMC 2.0, announced in November 2021 and codified in the final DFARS rule published September 10, 2025, simplified the model significantly. Three levels instead of five. Only Level 2 and Level 3 require third-party assessments — Level 1 is self-assessed. And critically, the requirements now align directly to established NIST standards that contractors should already be working toward.

The DFARS rule — specifically clause 252.204-7021 — is what makes CMMC contractually enforceable. When that clause appears in a solicitation, CMMC certification isn't optional. It's a condition of award. No certification, no contract.

One major change in CMMC 2.0: Plans of Action and Milestones (POA&Ms) are now permitted under certain conditions for Level 2, meaning you don't have to achieve 100% compliance before assessment — but only for specific non-critical practices, and only with an approved remediation timeline. For Level 1 self-assessments, POA&Ms are not permitted at all. Every one of the 17 practices must be fully implemented before you can affirm compliance.

Your required CMMC level depends on the type of federal information you handle. The DoD separates its data into two categories: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Understanding which category your work falls into determines everything.

If you handle FCI but not CUI — meaning you receive contract deliverables or performance information but not classified or sensitive technical data — Level 1 applies. This covers a large share of commercial service providers, staffing firms, and supply chain vendors doing DoD work.

If your contract involves technical specifications, designs, proprietary research data, export-controlled information, or anything marked "CUI" — Level 2 is your requirement. The DoD estimates roughly 80,000 companies in the Defense Industrial Base handle CUI and will need Level 2 compliance. If you're doing work on sensitive weapons programs or advanced research with DARPA or defense labs, Level 3 may apply.

Not sure which level you need? Check the draft solicitation's CUI requirements or ask your contracting officer directly. If they're including DFARS 252.204-7021 in the contract, the required level will be specified.

CMMC 2.0 rolls out in four phases over three years. Understanding where we are — and where we're headed — tells you how much runway you actually have.

The Phase 2 deadline in November 2026 is the one that matters most right now. If your contracts require CUI handling, you need a C3PAO assessment completed before then. The problem: the DoD estimates 80,000 companies need Level 2 certification, and as of mid-2026, fewer than 100 organizations are authorized as C3PAOs. Many are already booked through the end of 2026.

Waiting until Q3 2026 to start your certification process is a real risk. Contractors who don't have a scheduled assessment before Phase 2 hits could find themselves ineligible to bid on or receive awards for new solicitations with CUI requirements.

Level 1 covers the 17 basic cybersecurity practices from FAR clause 52.204-21. These are the foundational controls every contractor should already have: access controls, media protection, physical protection, system integrity — the table stakes of responsible IT security.

The self-assessment process is straightforward. You review each of the 17 practices against your current implementation. Every single one must be fully implemented — there's no partial credit and no POA&Ms allowed at Level 1. If even one practice is not met, you cannot claim compliance.

Once you've confirmed all 17 practices are implemented, you submit your results to the Supplier Performance Risk System (SPRS) at sprs.csd.disa.mil. Your submission must include your CMMC level, assessment date, assessment scope, and all CAGE codes associated with the information systems in scope. A senior official from your company then provides an annual affirmation confirming the assessment is current and accurate.

The self-assessment isn't just a checkbox exercise. Your SPRS score is visible to contracting officers when they pull your registration. A missing or outdated SPRS entry raises red flags. An entry showing full compliance builds credibility before you've written a word of your proposal.

Level 2 is where the real work lives. You need to implement all 110 security requirements from NIST Special Publication 800-171, Revision 2 — covering 14 domains from access control and incident response to risk assessment and system and communications protection. Then, for prioritized programs (which is most DoD CUI work), you need a Certified Third-Party Assessor Organization (C3PAO) to verify your implementation.

The C3PAO assessment process has several distinct stages. First, you'll document your System Security Plan (SSP) — a comprehensive description of your information system, boundaries, security controls, and how each of the 110 practices is implemented. This document alone is typically 50-150 pages for a small business. It's the foundation of your entire certification.

The C3PAO bottleneck is real. As of mid-2026, the DoD has authorized fewer than 100 C3PAOs globally. Several of the larger ones have waitlists extending into Q4 2026. If you're targeting a Phase 2 deadline, you need to start your vendor search now — not after you win your next contract.

The Supplier Performance Risk System (SPRS) is the DoD's contractor performance database — and it's where your CMMC compliance status lives. Contracting officers check SPRS before award. A missing, outdated, or low SPRS score can kill a procurement before your proposal is ever evaluated on its merits.

For NIST 800-171 compliance (the predecessor to formal CMMC Level 2 certification), your SPRS score is calculated using a specific DoD scoring methodology: you start at 110 points and deduct points for each unimplemented or partially implemented practice. The deductions range from 1 to 5 points depending on the practice's weight. A perfect implementation scores 110. Most companies, when they first assess honestly, score much lower.

Once CMMC 2.0 Phase 2 is fully in effect, the SPRS self-score for NIST 800-171 will be supplemented — and in many cases replaced — by your formal CMMC certification status in eMASS. But during the transition, your SPRS score remains an important signal. Contractors who never submitted an SPRS score are already at a disadvantage in Phase 1 solicitations.

The key here: honesty. The Department of Justice has pursued False Claims Act cases against contractors who submitted inflated SPRS scores without actually implementing the claimed controls. A fraudulent affirmation is not a compliance strategy — it's a federal fraud exposure. Score what you actually have, fix what's missing, and update your score as you improve.

CMMC compliance costs vary enormously based on your environment size, complexity, and how far you are from the requirements today. Anyone quoting a single flat number is guessing. Here are realistic ranges based on current market data.

These costs can often be passed through to contracts as allowable costs under FAR Part 31 for cost-reimbursable contracts. For fixed-price work, you need to factor CMMC compliance into your overhead structure or price it into your rates. Either way, treat it as a cost of doing business with DoD — not an optional expense.

C3PAOs don't publish pass/fail statistics, but practitioners working with defense contractors consistently identify the same categories of failure. These aren't obscure technical edge cases — they're foundational practices that companies either haven't implemented or haven't documented well enough to demonstrate during an assessment.

The good news: none of these gaps are unfixable. The bad news: fixing them takes time. MFA deployment alone can take weeks when you factor in user training and legacy system compatibility. SSP rewrites, audit log configuration, and supply chain scoping add more. Start the gap analysis now while you still have runway.

The hardest part of CMMC compliance is the same as every large compliance initiative: starting. It's easy to defer to "when we win our next DoD contract." But that's backwards. The contract will require CMMC before award. If you haven't started, you can't win the contract.

Here's a realistic 90-day starting sequence for a small business:

CMMC compliance is a multi-month effort even for small businesses with relatively clean environments. For a company starting from scratch with legacy systems and no documented security controls, 12-18 months is a realistic timeline to achieve Level 2 certification.

The contractors winning DoD work in 2027 and 2028 are the ones building their compliance infrastructure now. This is a competitive advantage as much as a compliance requirement — because a lot of your competition is still hoping the deadline gets pushed back.

If you're tracking DoD opportunities as part of your BD pipeline, you should be flagging CMMC requirements at the opportunity stage — before you start writing a proposal. CapturePilot's opportunity matching and intelligence tools surface this context automatically, so you know your compliance status before you invest BD resources in an opportunity you can't yet win. Pair that with your pipeline management process and you have a system that keeps compliance from being a last-minute surprise.