What is CMMC 2.0?
CMMC 2.0 is the U.S. Department of Defense program that verifies defense contractors implement required security controls for handling FCI and CUI.
Key takeaways
- CMMC 2.0 has three levels. Level 1 covers federal contract information (FCI) with self-attestation. Level 2 covers controlled unclassified information (CUI) with third-party or self-assessment depending on program criticality. Level 3 adds enhanced protection requirements for the highest-criticality programs.
- The CMMC final rule took effect in December 2024; flow-down through DoD contracts is phasing in across 2025 to 2028.
- For mid-market defense-supplier manufacturers, the practical question is which CMMC level applies and what state the security program needs to reach to satisfy it.
- CMMC adoption is usually a multi-quarter project. Manufacturers waiting until the contract clause appears in their next award are routinely too late.
- ARG prepares manufacturers for CMMC assessment as part of the engagement, with findings mapped to specific 800-171 controls and the SSP/POA&M documentation produced as a byproduct.
What are the three levels of CMMC 2.0?
CMMC 2.0 streamlined the original five-level structure into three levels, each with progressively more stringent requirements and assessment expectations.
Level 1: Foundational. Required for contractors handling federal contract information (FCI). Implements 17 basic safeguarding requirements derived from FAR 52.204-21. Assessment is annual self-attestation by an officer of the company. Roughly equivalent to "basic cyber hygiene".
Level 2: Advanced. Required for contractors handling controlled unclassified information (CUI). Implements the 110 requirements of NIST SP 800-171 Revision 2 (transitioning toward Revision 3 as it becomes the referenced standard). Assessment is either:
- Third-party assessment by a Certified Third-Party Assessor Organization (C3PAO) every three years for critical programs, OR
- Annual self-assessment for less-critical programs, with executive officer affirmation.
The third-party-versus-self-assessment determination is made by the program office that owns the contract.
Level 3: Expert. Required for the highest-criticality programs. Implements the Level 2 controls plus a subset of NIST SP 800-172 enhanced security requirements. Assessment is conducted by the government (DCMA DIBCAC), not by a C3PAO. Level 3 is rare for mid-market suppliers; it applies to suppliers handling the most sensitive CUI.
The level that applies to a specific contract is determined by the contract clause and the type of information being handled. A single manufacturer with multiple contracts can be subject to Level 1 for some work and Level 2 for other work.
The CMMC 2.0 enforcement timeline
The CMMC Program final rule (32 CFR Part 170) took effect on December 16, 2024. The DFARS clause (48 CFR § 252.204-7021) that flows CMMC requirements into contracts is being phased in across three years.
Phase 1 (began late 2024 / 2025). Initial inclusion of CMMC requirements in select solicitations and contracts. Level 1 and Level 2 self-assessment requirements begin appearing in new contracts. Limited Level 2 C3PAO third-party assessment activity.
Phase 2 (2025-2026). Expanded inclusion of Level 2 third-party assessment requirements in new contracts. Many mid-market suppliers receive their first CMMC contract clauses. Phase 2 is the operational pressure point for most mid-market defense suppliers; this is when the contract-side requirement starts showing up routinely in awards.
Phase 3 (2026-2027). Level 2 third-party assessment becomes the default for new solicitations involving CUI. Existing contracts with options begin including CMMC requirements at exercise. Level 3 assessments expand for the highest-criticality programs.
Phase 4 (2027-2028). CMMC requirements expected to appear in all applicable DoD solicitations and contracts. Suppliers without certification are operationally excluded from new awards for affected programs.
The practical implication for a mid-market manufacturer: if you are a defense supplier handling CUI today, the moment when CMMC Level 2 third-party assessment becomes a contract requirement on your next renewal is in the 2026 to 2028 window. The preparation lead time is twelve to twenty-four months for a manufacturer starting from minimal NIST SP 800-171 maturity.
Why small defense-supplier manufacturers are unprepared
Federal News Network and DoD assessment data consistently show that small defense-supplier manufacturers are materially behind on CMMC readiness. There are three structural reasons:
- Compliance work is unfunded overhead. Mid-market manufacturers do not have dedicated security or compliance staff. The work falls on the IT lead, the quality lead, or the owner, on top of existing responsibilities. Compliance projects that compete with operational work lose.
- Cost ambiguity. Estimates for CMMC Level 2 readiness range from $50,000 to $400,000+ depending on starting state, environment complexity, and scope. The wide range produces decision paralysis; many suppliers defer the project waiting for clearer numbers.
- Hope-the-contract-changes thinking. Some manufacturers hope their contracts will not include CMMC, or that flow-down will not reach their tier, or that the program will be delayed. As Phase 2 enforcement begins, this hope becomes harder to sustain.
The realistic answer is to start CMMC readiness work twelve to twenty-four months before the expected contract clause arrives. Manufacturers who wait until the clause appears in a specific award lose the contract or lose the assessment timeline.
Examples of common CMMC readiness gaps
Patterns ARG sees at mid-market defense-supplier manufacturers preparing for CMMC Level 2:
- CUI is not isolated. CUI emails, CAD files, and engineering documents are stored in the same email tenant, file shares, and SharePoint sites as non-CUI content. The CUI boundary is not defined, which means the entire environment becomes in-scope for assessment.
- Identity and access management lacks MFA on all required systems. Phishing-resistant MFA is recommended; push-based MFA is the actual deployment; some systems have no MFA at all. 800-171 control 3.5.3 requires multi-factor authentication; the implementation gap is common.
- System Security Plan (SSP) does not exist or is generic. The SSP is a CMMC Level 2 deliverable; many manufacturers do not have one, or have a generic template that does not reflect actual implementation.
- Plan of Action and Milestones (POA&M) is informal. Known gaps exist; the formal POA&M tracking remediation does not. CMMC requires the POA&M with specific structure.
- Audit logs are not retained. 800-171 controls 3.3.1 through 3.3.9 require event logging, retention, and review. Many manufacturers retain logs for days when months are required.
- Incident response plan is missing OT and CUI-specific scenarios. A generic IR plan exists; CMMC-relevant scenarios (CUI compromise, defense-prime notification, DC3 reporting) are not addressed. See What is an incident response plan (IRP)?.
- Supplier flow-down is incomplete. The manufacturer's own suppliers are not required to flow down CMMC-equivalent requirements. The cascading effect is not addressed.
- Physical security controls undocumented. Physical security audit findings show real protection but no documentation. CMMC requires evidence, not just practice.
Each gap maps to specific 800-171 controls. The remediation backlog can be sized once the gaps are inventoried.
How to scope an environment for CMMC assessment
Scoping is the single highest-leverage decision in CMMC preparation. The scope determines which systems are in the assessment boundary and therefore which controls apply where.
Two main approaches:
1. Enterprise-wide scope. All systems in the environment are in CMMC scope. Every control applies everywhere. Simpler to document but more expensive to remediate; the smallest legacy system becomes a Level 2 compliance burden.
2. Enclave scope. A defined subset of the environment (the CUI enclave) is in scope. Systems and people outside the enclave are out of scope. The enclave is segmented from the rest of the environment, with controlled flow of CUI across the boundary.
For most mid-market manufacturers, enclave scope is the right answer. It contains the cost and complexity of remediation to the systems that actually handle CUI. The enclave is typically:
- A defined set of users (engineering, program management, executive sponsors of the contract).
- A defined set of systems (engineering workstations, file shares, email accounts handling CUI).
- A defined set of physical spaces (engineering offices, secured rooms).
- A defined set of network segments.
- A defined data-flow path for CUI from prime to manufacturer to sub-supplier.
The enclave's boundary is documented in the SSP. Every CUI interaction with the rest of the environment is documented and controlled.
Scoping decisions made early save substantial cost downstream. A manufacturer that scopes broadly out of caution often regrets it when remediation budget arrives; a manufacturer that scopes too narrowly risks the assessor expanding scope during the assessment.
Best practices for closing the CMMC readiness gap
A practical sequence for a mid-market manufacturer with twelve to twenty-four months to a Level 2 assessment:
- Determine applicable level. Confirm with prime contractors which contracts flow which CMMC level. Plan for the highest level required across active and likely-future contracts.
- Scope the enclave. Define which users, systems, spaces, and network segments are in scope. Document the CUI flow path.
- Gap analysis. Map current state to all 110 800-171 controls (for Level 2) or the 17 FAR controls (for Level 1). Identify specific gaps with severity and remediation effort.
- Build the SSP. The System Security Plan documents the in-scope systems and how each control is implemented. The SSP is the foundational document the assessor reads.
- Build the POA&M. The Plan of Action and Milestones tracks gaps not yet closed, with target dates and ownership. The POA&M is acceptable at assessment time for non-critical gaps; critical gaps must be closed.
- Remediate the high-priority gaps. Phishing-resistant MFA, audit logging, encryption, incident response plan, security awareness training, vendor flow-down. The list is finite; the work is finite; the timeline is the constraint.
- Practice the assessment. A pre-assessment by a qualified consultant (or a Registered Practitioner) catches gaps the internal team missed. The pre-assessment is cheaper than a failed third-party assessment.
- Engage a C3PAO. Schedule the third-party assessment with sufficient lead time for any pre-assessment findings to be closed.
The full project for a mid-market manufacturer starting from a baseline IT-security program (no formal 800-171 work yet) typically runs twelve to twenty-four months. Manufacturers further along can compress; manufacturers starting from nothing should plan for the longer end.
CMMC 2.0 FAQs
Do I need CMMC if I am a sub-tier supplier?
Often yes. If your contract or your prime's contract handles federal contract information (FCI) or controlled unclassified information (CUI), the CMMC requirement flows down to your tier. The applicable level depends on what kind of information you handle. Confirm with your prime contractor what flow-down applies; do not assume sub-tier status exempts you.
Is self-attestation enough for Level 1?
Yes. CMMC Level 1 (basic safeguarding of FCI) is satisfied through annual self-attestation, with the requirement that the executive officer signs the attestation. Higher levels require third-party or government assessment. Level 1 self-attestation is not casual; the attestation is a contract requirement and false attestation has legal consequences.
How does CMMC relate to NIST 800-171?
CMMC Level 2 is essentially the assessment program for NIST SP 800-171 controls. Where 800-171 specifies the controls and the System Security Plan (SSP) approach, CMMC Level 2 specifies the assessment requirements and the certification process. Level 3 adds additional NIST SP 800-172 controls for higher-sensitivity programs. See What is NIST SP 800-171?.
What is the cost of a Level 2 third-party assessment?
It varies widely with the scope and size of the environment. For mid-market manufacturers with a focused CUI enclave, third-party assessment fees typically run in the low five figures to low six figures. The larger cost is usually preparation: the System Security Plan, the Plan of Action and Milestones, and the remediation work needed to actually satisfy 800-171 controls before the assessor arrives.
How ARG prepares manufacturers for CMMC assessment
ARG approaches CMMC readiness as one output of the broader security engagement, not as a standalone compliance project. The same on-site audit that produces physical security findings and OT security findings also produces CMMC-relevant evidence.
The CMMC preparation work is led by David Ashby, with digital-side support from James Wall on the technical controls. The work runs in four phases.
Phase 1: Scoping. Determine the applicable CMMC level (or levels) across the client's contract portfolio. Define the CUI enclave: users, systems, spaces, data-flow paths. Document the enclave boundary.
Phase 2: Gap analysis. Current state mapped against all 110 800-171 controls for Level 2 (or 17 FAR controls for Level 1). Each gap documented with location, severity, remediation effort, and target date. Findings cross-referenced to the broader NIST CSF 2.0 profile.
Phase 3: SSP and POA&M. ARG produces the System Security Plan draft and the initial Plan of Action and Milestones. The client team validates and owns the documents going forward; ARG's role is template, content, and review, not perpetual ownership.
Phase 4: Remediation and pre-assessment. The remediation backlog runs through the standard ARG engagement: continuous testing, monthly findings, quarterly review. Specific controls are exercised through adversarial simulation to validate that the documented implementation actually works. A pre-assessment walkthrough confirms readiness before the C3PAO engagement.
For founding clients, CMMC preparation is included in the standard engagement at no additional fee when the client's portfolio includes defense work. ARG does not perform the C3PAO assessment itself (that work is reserved for accredited assessors) but produces the evidence and documentation that makes the assessment efficient.
Apply as a founding client or see how the engagement works for the full delivery cycle.
Find what gets through.
ARG runs continuous AI-driven adversarial simulation and on-site physical audits for mid-market manufacturers. Two founding-client spots remain.