The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is now in full enforcement, and defense contractors without certification are being excluded from new contract awards. If your organization handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) and you haven't started the certification process, the time to act is now.
What Changed from CMMC 1.0 to 2.0
The original CMMC framework included five maturity levels, each with its own set of practices and processes. CMMC 2.0 streamlined this into three levels:
- Level 1 (Foundational): 17 practices based on FAR 52.204-21. Self-assessment is sufficient.
- Level 2 (Advanced): 110 practices aligned with NIST SP 800-171 Rev 2. Contracts involving critical national security information require a third-party assessment by a C3PAO.
- Level 3 (Expert): Based on a subset of NIST SP 800-172 controls. Government-led assessments.
The reduction from five to three levels eliminated the transitional levels (2 and 4) that caused confusion in the original framework.
The Assessment Process
For most defense contractors, Level 2 is the target. The assessment process involves:
- Gap Analysis: Identify where your current security posture falls short of the 110 NIST SP 800-171 controls.
- Remediation: Implement the missing controls and document your System Security Plan (SSP) and Plan of Action & Milestones (POA&M).
- Pre-Assessment: Many organizations conduct an internal or third-party readiness review before the formal assessment.
- C3PAO Assessment: A CMMC Third-Party Assessment Organization conducts the formal evaluation.
- Certification: Upon successful assessment, your organization receives CMMC certification valid for three years.
Steps to Take Right Now
If you haven't begun the CMMC journey, here's your action plan:
- Determine your required level. Review your contracts and speak with your contracting officer to understand whether you need Level 1, 2, or 3.
- Scope your CUI environment. The fewer systems that touch CUI, the fewer controls you need to implement.
- Conduct a gap assessment. Measure your current posture against the required controls.
- Build a remediation roadmap. Prioritize high-impact controls and address them systematically.
- Engage a Registered Provider Organization (RPO) if you need expert guidance through the process.
How PCShards Can Help
PCShards specializes in guiding defense contractors through the CMMC certification process. From initial scoping through assessment readiness, we provide the technical expertise and documentation support your organization needs to achieve certification efficiently and maintain it long-term.
Schedule a consultation to discuss your CMMC readiness.