CMMC 2.0 Level 2: What DoD Contractors Need to Know
If you're a Department of Defense contractor trying to make sense of CMMC 2.0, especially Level 2, you're not alone. The questions are piling up, and the stakes are real. Kelsey Cunningham, Cybersecurity Manager and CMMC Registered Practitioner at Echelon Risk + Cyber, breaks down the five questions she hears most from contractors right now.
Do I Actually Need to Achieve CMMC Compliance?
CMMC Level 2 applies to organizations that handle Controlled Unclassified Information, often referred to as CUI. If you're a DoD prime contractor or subcontractor, you most likely need to meet CMMC Level 2 compliance if any part of your contract involves creating, receiving, storing, transmitting, or processing CUI.
The Department of Defense requires at least Level 2 in these cases, and for most CUI-handling contracts it requires certification by a C3PAO, a CMMC Third-Party Assessment Organization.
A practical first step is reviewing your active contracts for the relevant DFARS clauses, particularly DFARS 252.204-7012 and DFARS 252.204-7021. Clause 7012 requires implementation of NIST SP 800-171, which is the foundation for CMMC Level 2; clause 7021 states the CMMC level (and assessment type) the contract requires.
If you're not a DoD prime or subcontractor, your contract doesn't reference those DFARS clauses, and you don't receive or generate CUI, you likely don't need to be CMMC Level 2 compliant. However, you definitely want to check your contract to make sure that's the case.
What's the Difference Between Level 1 and Level 2?
One of the most common misconceptions for people new to CMMC is that they have to achieve Level 1 compliance before moving on to Level 2. This is simply untrue.
CMMC levels are not sequential stages of maturity, as you may see with frameworks such as CIS and their implementation groups. Instead, they differ based on the types of information your organization handles.
Level 1 applies if you process, store, or handle Federal Contract Information (FCI). It covers the basic safeguarding requirements of FAR 52.204-21 (presented as 17 practices in the original CMMC 2.0 model and counted as 15 requirements in the 32 CFR Part 170 final rule), and a self-assessment must be performed annually, with the results and an affirmation submitted in SPRS. If you only manage FCI, Level 1 is all you need.
Level 2 kicks in as soon as your organization deals with Controlled Unclassified Information (CUI). It requires meeting all 110 security requirements of NIST SP 800-171 Revision 2 and typically requires certification by a C3PAO, a CMMC Third-Party Assessment Organization.
The determining factor is not how mature your security program is. It's what kind of information you handle.
Can I Self-Assess, or Do I Need a Third Party Assessment?
This depends on what your contract states. The Department of Defense decides, per contract, how critical the CUI you store, process, or transmit is.
CUI that is considered critical to national security will require an assessment by a C3PAO (CMMC Third-Party Assessment Organization), while non-critical CUI may only require a self-assessment. To find out which applies to you, review your contract for DFARS clause 252.204-7021; it should specify whether a self-assessment is sufficient or whether third-party certification is required.
One important caveat: many new solicitations are starting to require C3PAO certification. So even if certification is not required for your current contracts, it may be in your best interest to obtain certification now in order to pursue future opportunities.
Why Do Most CMMC Efforts Stall After the Initial Gap Assessment?
CMMC readiness can be daunting. You've just evaluated, or had an assessor evaluate, your organization against 110 NIST SP 800-171 controls. You may have realized you're further from compliance than you had hoped, and now things feel overwhelming. What do I do next? Where do I even begin, and who can help me?
There are a lot of factors at play, but there are two things worth focusing on first.
The most important is executive buy-in. Achieving CMMC compliance is resource-heavy, requiring both personnel and financial resources. You need a leader who understands the entire CMMC journey, can weigh the costs and benefits of compliance, and who can serve as a project sponsor.
The second is a clear roadmap. Once you've decided to pursue Level 2 compliance, start with the tasks that take the longest, like standing up an enclave or obtaining a SIEM solution. As you implement each requirement, document it both in your System Security Plan (SSP) and in any related policies or standards, and record anything not yet met in a Plan of Action and Milestones (POA&M). Under the CMMC final rule a limited POA&M is allowed at Level 2, but the open items must be closed out within 180 days, so plan remediation against that clock.
Momentum is built through structure. Without both executive commitment and a sequenced plan, most efforts stall before they get traction.
What Are the Most Common, and Costly, Mistakes When Pursuing CMMC Compliance?
The number one most common mistake involves scoping.
Misunderstanding data flows, or not knowing the locations where CUI is received, stored, or transmitted, can be a hugely costly error. You can't protect what you don't know you have. Misidentifying the boundary of your environment at the beginning of the process can leave critical areas unprotected, resulting in much higher remediation effort and cost than initially planned for.
Follow the data flows. Make sure you understand exactly how CUI enters, is stored in, and exits your environment, and that you have controls in place at each of those locations.
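As an added illustration of "follow the data flows" (this is not code from Echelon or from any CMMC guidance; the asset names and flows are constructed), the script below models an environment as a directed graph of assets and derives the assessment scope from it: every asset reachable from a CUI entry point over a flow that carries CUI is a CUI asset, and any asset that provides a security function to a CUI asset is a Security Protection Asset. The point it makes is the one above: the backup appliance and the print server are in scope even though nobody planned for them, while a connected system that never receives CUI is not. The CMMC scoping guidance also defines Contractor Risk Managed Assets and Specialized Assets; this simplified model does not classify those.

```python
"""Constructed example: derive a CMMC Level 2 scope from CUI data flows.

Asset names, flows and protection relationships below are invented for
illustration; nothing here describes a real environment.
"""
from collections import defaultdict, deque

# Each flow: (source asset, destination asset, True if the flow carries CUI).
FLOWS = [
    ("email-gateway", "mailbox-server", True),
    ("mailbox-server", "engineer-laptop", True),
    ("engineer-laptop", "file-server", True),
    ("file-server", "backup-appliance", True),   # the flow people forget when scoping
    ("engineer-laptop", "print-server", True),
    ("file-server", "marketing-wiki", False),    # connected, but no CUI crosses
    ("hr-system", "payroll-saas", False),
]

# Assets that provide a security function to other assets (SIEM, MFA provider, WAF).
PROTECTS = {
    "siem": {"file-server", "mailbox-server", "engineer-laptop"},
    "mfa-idp": {"engineer-laptop", "file-server"},
    "wiki-waf": {"marketing-wiki"},
}

# Where CUI first enters the contractor's environment.
CUI_ENTRY_POINTS = {"email-gateway"}


def cui_assets(flows, entry_points):
    """Return every asset reachable from an entry point over CUI-carrying flows."""
    edges = defaultdict(set)
    for src, dst, carries_cui in flows:
        if carries_cui:
            edges[src].add(dst)
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:                      # breadth-first search over CUI flows only
        asset = queue.popleft()
        for nxt in edges[asset]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def security_protection_assets(protects, cui):
    """Assets protecting at least one CUI asset are in scope as Security Protection Assets."""
    return {asset for asset, protected in protects.items() if protected & cui}


def scope(flows, protects, entry_points):
    """Classify every known asset as CUI asset, Security Protection Asset, or out of scope."""
    all_assets = set()
    for src, dst, _ in flows:
        all_assets.update((src, dst))
    for asset, protected in protects.items():
        all_assets.add(asset)
        all_assets.update(protected)
    cui = cui_assets(flows, entry_points)
    spa = security_protection_assets(protects, cui)
    return {
        "cui_assets": sorted(cui),
        "security_protection_assets": sorted(spa),
        "out_of_scope": sorted(all_assets - cui - spa),
    }


if __name__ == "__main__":
    for category, assets in scope(FLOWS, PROTECTS, CUI_ENTRY_POINTS).items():
        print(f"{category}: {', '.join(assets)}")
```

Run it and the backup appliance lands in `cui_assets` because CUI flows to it from the file server, and the SIEM and MFA provider land in `security_protection_assets` because they protect CUI assets; the HR system, the payroll SaaS, the marketing wiki and its WAF stay out of scope. Re-run the script whenever a flow changes: a new SaaS integration or a new backup target that starts receiving CUI changes the boundary, and the assessment boundary has to change with it.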
The second common mistake is a gap between policy and actual practice. Your SSP and related documentation shouldn't just state that you're meeting all 110 NIST SP 800-171 requirements; each requirement needs to be implemented as intended and provable to an assessor with evidence. There must be alignment between your actual ongoing processes, your documented policies and procedures, and your SSP.
Finally, don't treat compliance as a one-time project. Continuous monitoring and resolution of any identified issues is critical to maintaining CMMC Level 2 compliance, and the CMMC rule requires an annual affirmation of continued compliance after certification. The audit is not the finish line.
Want a deeper, step-by-step walkthrough?
Kelsey covers all of this end-to-end in Echelon's on-demand webinar: CMMC 2.0 in Practice: What Defense Contractors Must Do Without Burning the Budget.