All new DoD contracts require CMMC certification starting October 2026. Our roadmap takes you from gap assessment to audit-ready in 90 days.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense's framework for protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) across the Defense Industrial Base (DIB). Starting October 2026, all new DoD contracts require verified CMMC compliance at the appropriate level. Subcontractors who handle CUI are also in scope.
Level 1 (Foundational): For organizations handling Federal Contract Information (FCI). Covers basic cyber hygiene aligned to FAR 52.204-21. Annual self-assessment with executive affirmation submitted to SPRS.
Level 2 (Advanced): For organizations handling Controlled Unclassified Information (CUI). Aligned to all 110 practices in NIST SP 800-171 across 14 control families. Triennial C3PAO third-party assessment required for most contracts.
Level 3 (Expert): For organizations on the most sensitive DoD programs. Adds 24 practices from NIST SP 800-172 on top of all Level 2 requirements. Government-led DIBCAC assessment required every 3 years.
CMMC requirements appear in select DoD contract solicitations. Self-assessments for Level 1 and some Level 2 contracts are due to SPRS before contract award. Prime contractors begin requiring subcontractor compliance.
Third-party assessment organizations face growing backlogs. Companies that wait until mid-2026 to begin remediation will not receive C3PAO assessment slots before the October deadline. Booking now is critical.
All new DoD contracts and contract renewals require verified CMMC compliance at the appropriate level. Companies without valid certification or a current self-assessment SPRS score will be ineligible to bid.
Level 1 self-assessments are annual. Level 2 C3PAO assessments are triennial. System Security Plans and POA&Ms must be maintained and current at all times as a contractual obligation.
We evaluate your current posture against all 110 NIST SP 800-171 practices across 14 control families. Output: a scored gap analysis, current SPRS score, and prioritized remediation roadmap with effort estimates.
We draft your System Security Plan (SSP) describing how each practice is implemented, the environment in scope, and CUI boundary. The SSP is a required artifact for C3PAO assessment and must be kept current.
We implement missing controls: MFA, endpoint encryption, audit logging, access control policies, vulnerability management, incident response procedures, and configuration baselines. Controls are validated as we go.
We finalize POA&Ms for any remaining items, update your SSP, and conduct an internal pre-assessment using the same methodology C3PAOs use. We identify and close any last gaps before your official assessment.
We help you select and schedule a qualified C3PAO, prepare your assessment package, and serve as technical liaison during the assessment. We answer assessor questions and remediate any findings in real time.
Post-certification, we maintain your SSP, manage POA&Ms, monitor for configuration drift, and provide annual self-assessment support to keep your SPRS score current between C3PAO assessment cycles.
NIST SP 800-171 organizes its 110 practices into 14 control families. We have implementation playbooks for every family.
Understanding how CMMC relates to other frameworks helps you avoid duplicate effort. If you have invested in NIST or SOC 2, much of that work carries over.
| Attribute | CMMC 2.0 L2 | NIST SP 800-171 | SOC 2 Type II |
|---|---|---|---|
| Who requires it | DoD contracts | DoD contracts (self) | Enterprise customers |
| Assessment type | Third-party C3PAO | Self-assessment | CPA firm audit |
| Practice count | 110 (NIST 800-171) | 110 | Trust Service Criteria |
| Data type focus | CUI / FCI | CUI | Customer data broadly |
| Overlap with CMMC | Baseline | ~100% at L2 | ~40-60% |
| Mandatory for DoD | Yes (Oct 2026) | Yes (contractual) | No |
Already have NIST 800-171 in place? You are well ahead of most companies. CMMC Level 2 is a direct overlay of NIST 800-171. We use your existing SSP as the foundation and focus remediation effort on the gaps between your documented controls and C3PAO evidence requirements. Also see our NIST compliance services and SOC 2 compliance services.
CMMC 2.0 is being phased into DoD contracts starting in 2025, with full enforcement across all new contracts expected by October 2026. If your organization handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), you need to begin your compliance roadmap now to meet contract deadlines. C3PAO assessment slots are already becoming scarce.
Level 1 (Foundational) covers 17 basic cyber hygiene practices for companies handling FCI and requires annual self-assessment. Level 2 (Advanced) covers all 110 NIST SP 800-171 practices for companies handling CUI and requires triennial third-party C3PAO assessment for most contracts. Level 3 (Expert) adds 24 additional practices from NIST SP 800-172 for the most sensitive DoD programs and requires a government-led DIBCAC assessment.
Most Level 2 implementations take 60-120 days depending on your starting gap score. Our 90-day roadmap begins with a gap assessment in weeks 1-2, moves through remediation in weeks 3-10, and finishes with documentation, SSP finalization, and pre-audit review in weeks 11-12. Companies with mature security programs or existing NIST 800-171 SSPs may move faster. Companies starting from scratch may need 6 months.
Not necessarily. Level 1 and some Level 2 contracts allow annual self-assessment with executive affirmation submitted to the Supplier Performance Risk System (SPRS). However, most contracts requiring Level 2 for CUI handling mandate a triennial assessment by a C3PAO. Level 3 always requires a government-led assessment. We help you determine which path applies to your specific contract language and DFARS clauses.
A POA&M documents known security gaps that have not yet been fully remediated, along with planned milestones for addressing them. Under CMMC 2.0, certain unmet practices may be deferred via a POA&M at the time of assessment, subject to DoD approval, but all practices must eventually be met within defined timelines. We create and actively manage your POA&M throughout the remediation process and beyond.
CMMC Level 2 is directly mapped to the 110 security practices in NIST SP 800-171 Revision 2. If your organization has already implemented NIST 800-171 controls and documented them in a System Security Plan, you are well positioned for CMMC Level 2 certification. We conduct a gap analysis against all 110 practices and all 14 control families to identify what remains. See our NIST compliance page for more detail.
Free 30-minute consultation to determine your required CMMC level, estimate your current SPRS score, and outline a realistic timeline to certification. No obligation.