
CMMC Explained: What Defense Contractors Actually Need to Do

April 2026

If your business holds federal contracts or subcontracts that involve Controlled Unclassified Information (CUI), the Cybersecurity Maturity Model Certification (CMMC) is not optional, and it is not something you can self-certify your way through at the higher levels. Here's what it actually requires in plain language.


What CMMC Is and Why It Exists

CMMC is the Department of Defense's framework for verifying that contractors handling sensitive defense information have the cybersecurity controls in place to protect it. It replaces the previous self-attestation model - where contractors declared compliance without independent verification - with a third-party assessment requirement for higher-risk work.

The current framework, CMMC 2.0, has three levels:

  • Level 1 (Foundational): 17 practices drawn from FAR 52.204-21. Covers basic safeguarding of Federal Contract Information (FCI). Annual self-assessment and affirmation by a senior company official.
  • Level 2 (Advanced): 110 practices aligned to NIST SP 800-171. Required for contracts involving CUI. Triennial third-party assessment by a C3PAO (CMMC Third-Party Assessment Organization) for most contracts.
  • Level 3 (Expert): 110+ practices including a subset of NIST SP 800-172 requirements. Required for the most sensitive programs. Government-led assessment.

What NIST SP 800-171 Actually Requires

Level 2 is where most defense contractors need to focus. The 110 practices in NIST 800-171 are organized across 14 control families:

  • Access Control, Awareness and Training, Audit and Accountability
  • Configuration Management, Identification and Authentication
  • Incident Response, Maintenance, Media Protection
  • Personnel Security, Physical Protection, Risk Assessment
  • Security Assessment, System and Communications Protection, System and Information Integrity

In practical terms, this means enforcing MFA on all accounts, encrypting data at rest and in transit, maintaining detailed audit logs, implementing vulnerability management, controlling which users can access what systems, and having a documented incident response plan - among many other controls.

Where Most Organizations Fall Short

The most common gaps we see during CMMC readiness assessments:

  • No CUI inventory: You cannot protect data you haven't identified. Most organizations have CUI scattered across file shares, email, and personal devices without any formal classification or boundary.
  • Inadequate access control: Overly permissive user permissions, shared accounts, no principle of least privilege enforcement.
  • Missing audit logging: Many environments have logging partially enabled or logs stored in locations that aren't monitored or retained long enough.
  • No System Security Plan (SSP): CMMC requires a documented SSP that describes how each of the 110 practices is implemented in your environment.
  • Unaddressed Plan of Action & Milestones (POA&M): Gaps must be documented with a remediation timeline. An unacknowledged gap is worse than an acknowledged one with a plan.

The timeline reality: Organizations that start CMMC preparation 60 days before a contract requirement are not going to make it. A meaningful Level 2 readiness effort for an organization that hasn't started takes 6-12 months minimum, depending on the current state of the environment. Start earlier than you think you need to.

What to Do First

The most valuable first step is a gap assessment against NIST 800-171. This documents your current posture across all 110 controls, scores your environment using the DoD's assessment methodology, and produces a prioritized remediation roadmap. Without this baseline, you're making compliance investments without knowing which ones matter most.
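To make the scoring step concrete, here is an added illustration (not the article's or SummitCore's tooling) of how the DoD assessment methodology turns a gap assessment into a score and a prioritized roadmap. The practice subset, the weights attached to it, the treatment of unassessed practices as gaps, and the sample findings are all my own constructed assumptions; check every weight against the methodology's annex before relying on a number.

```python
# DoD NIST SP 800-171 Assessment Methodology scoring as I read it (verify against
# the methodology's annex): start at 110, subtract the weight (5, 3 or 1) of each
# practice not fully implemented (POA&M items count as gaps); two practices earn
# partial credit; 3.12.4, the SSP, is unscored and without it no score is assigned.
IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED = "implemented", "partial", "not_implemented"
MAX_SCORE = 110
SSP_PRACTICE = "3.12.4"
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}  # MFA for remote/privileged only; non-FIPS crypto

WEIGHTS = {  # constructed sample subset, not the full 110: practice id -> weight
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.3": 1,    # control the flow of CUI
    "3.3.1": 5,    # create and retain audit logs
    "3.3.3": 1,    # review and update logged events
    "3.5.3": 5,    # multifactor authentication
    "3.6.1": 5,    # incident-handling capability
    "3.13.11": 5,  # FIPS-validated cryptography protecting CUI
}

def deductions(findings):
    """Points lost per weighted practice; unassessed practices count as gaps (assumption)."""
    lost = {}
    for pid, weight in WEIGHTS.items():
        state = findings.get(pid, NOT_IMPLEMENTED)
        if state == IMPLEMENTED:
            continue
        lost[pid] = PARTIAL_CREDIT[pid] if state == PARTIAL and pid in PARTIAL_CREDIT else weight
    return lost

def sprs_score(findings):
    """Score out of 110, or None when the SSP itself is missing."""
    if findings.get(SSP_PRACTICE) != IMPLEMENTED:
        return None
    return MAX_SCORE - sum(deductions(findings).values())

def remediation_roadmap(findings):
    """Gaps ordered by points recovered, biggest first: the prioritized roadmap a gap assessment yields."""
    lost = deductions(findings)
    return sorted(lost, key=lambda pid: (-lost[pid], pid))

# Constructed assessment result for the sample subset (practice id -> recorded status).
SAMPLE_FINDINGS = {
    "3.1.1": IMPLEMENTED, "3.6.1": IMPLEMENTED, SSP_PRACTICE: IMPLEMENTED,
    "3.1.3": NOT_IMPLEMENTED, "3.3.3": NOT_IMPLEMENTED,
    "3.3.1": PARTIAL,    # logs exist but are not retained: no partial credit, 5 points lost
    "3.5.3": PARTIAL,    # MFA on remote and privileged accounts only: 3 points lost
    "3.13.11": PARTIAL,  # encryption in use but not FIPS-validated: 3 points lost
}
```

Running `sprs_score(SAMPLE_FINDINGS)` on the constructed findings gives 97, and `remediation_roadmap` lists the retention gap in audit logging first because it recovers the most points.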

SummitCore conducts CMMC readiness assessments and helps defense contractors build the technical and documentation foundation required for Level 2 certification. Contact us to understand where your environment stands today.
