
CMMC 2.0 explained: levels, timeline, and who assesses you

CMMC 2.0 primer for defense contractors: what CMMC stands for, Level 1, Level 2, and Level 3 requirements, what a C3PAO does, and the rollout timeline.

A DoD prime forwards you a flow-down clause asking for your CMMC Level 2 status. You google "cmmc 2.0," land on six consultant pages telling you they will "get you certified," and close the tab less sure of the next year than when you started.

This is the primer we wish existed when a defense-industrial client first hits that moment. It covers what CMMC is, who must comply, the three levels, what a C3PAO does, the rollout timeline, and how CMMC relates to the SOC 2 or ISO 27001 work you may already have underway.

What does CMMC stand for, and what is it

CMMC stands for Cybersecurity Maturity Model Certification. It is a Department of Defense program that verifies whether contractors and subcontractors in the defense industrial base are protecting two specific categories of government information:

  • Federal Contract Information (FCI). Information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. It excludes what the government itself publishes and simple transactional information such as payment processing.
  • Controlled Unclassified Information (CUI). Unclassified information that law, regulation, or government-wide policy requires to be safeguarded. Think technical drawings, export-controlled data, and operational documentation.

CMMC 2.0 is the current version. The program rule, 32 CFR Part 170, was published in October 2024 and took effect in December 2024; the contract clause that actually puts it into solicitations, DFARS 252.204-7021, followed in 2025. CMMC 2.0 collapsed the original five-level model into three levels, dropped the process-maturity requirements of CMMC 1.0, and allows self-assessment at Level 1 and, for a limited set of programs, at Level 2.

The security requirements are not new. Level 1 is the basic safeguarding requirements of FAR 52.204-21 (themselves a subset of NIST SP 800-171), Level 2 is the full NIST SP 800-171 Rev 2 baseline, and Level 3 adds a subset of NIST SP 800-172. What changed is the verification: for most CUI, DoD no longer accepts contractor self-attestation alone. A third party, or the government itself, now has to assess you, and a senior official has to affirm the result every year.

Who must comply

If your company handles FCI or CUI on behalf of the DoD, at any tier of the supply chain, you are in scope. DoD's own estimates put the population at roughly 220,000 companies across the defense industrial base, from prime contractors down to two-person machine shops fabricating parts for a subassembly three tiers removed from the Pentagon.

A few scoping rules that catch people out:

  • Primes flow CMMC down to subs. If your customer is a prime, not DoD directly, you are still in scope. The DFARS clause travels down the contract chain.
  • Commercial-item carve-outs are narrow. The exclusion is for contracts solely for commercially available off-the-shelf (COTS) items; the moment you customize the product or handle FCI or CUI in the delivery, you are in.
  • Foreign subsidiaries of US primes are in scope if they touch the information.

If your only federal work is with civilian agencies, CMMC is not your program; those contracts carry their own safeguarding clauses, and if what you sell them is a cloud service, FedRAMP is the program to read up on.

Level 1: Foundational

Level 1 covers companies that handle FCI only, no CUI. The requirement is the 15 basic safeguarding requirements from FAR 52.204-21, the clause that has sat in federal contracts since 2016. Nothing new conceptually, just now verified.

Verification is by annual self-assessment in the Supplier Performance Risk System (SPRS), signed by a senior company official. No third party, no government auditor. But the attestation is legally meaningful: a false certification is a False Claims Act exposure.

Level 1 is where a large chunk of the DIB tail sits: small manufacturers, logistics vendors, and professional services firms that touch government contract data but not CUI.

Level 2: Advanced

Level 2 is the workhorse level. It applies to any contractor handling CUI: subassembly shops, software vendors, engineering firms, and the managed service providers supporting them.

The requirement is the 110 security requirements in NIST SP 800-171 Rev 2, organized into 14 control families. The rule pins Level 2 to Rev 2 even though NIST has since published Rev 3, so assess against Rev 2 until DoD says otherwise. Again, not new. DFARS 252.204-7012 has required 800-171 compliance since the end of 2017. What is new is how it is verified.

Most Level 2 contracts require a triennial third-party assessment by a C3PAO; the resulting certification is valid for three years, with an affirmation by a senior official in each intervening year. A minority will allow annual self-assessment; DoD has indicated this will be the exception, restricted to lower-criticality CUI programs. If you are a SaaS company selling a CUI-handling product to DoD, plan for a C3PAO assessment.

Level 3: Expert

Level 3 applies to companies working on DoD's highest-priority programs where the adversary threat model includes advanced persistent threats. The requirement is the full Level 2 baseline plus 24 enhanced practices selected from NIST SP 800-172.

Level 3 is not assessed by a C3PAO. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), part of DCMA, performs Level 3 assessments directly, and a final Level 2 certification from a C3PAO is the prerequisite: you cannot skip straight to Level 3. The population is small by design: Level 3 is reserved for a narrow set of the most sensitive programs, not a general uplift path.

If you are not already on a Level 3 program, you almost certainly do not need Level 3.

What a C3PAO is, and what SecurancePro is not

A C3PAO is a CMMC Third-Party Assessment Organization: an independent assessor authorized by the Cyber AB, the program's accreditation body, against the requirements in 32 CFR Part 170. C3PAOs employ Certified CMMC Assessors and Certified CMMC Professionals, and they perform the Level 2 assessments that produce your certification. Access, audit, and incident controls will look familiar if you have already worked through SOC 2 compliance requirements; the overlap with 800-171 is real.

The Cyber AB maintains the authoritative marketplace of authorized C3PAOs. As of early 2026, the population is still small, well under a hundred, which is part of why timelines are tight if you wait.

SecurancePro is not a C3PAO. We are a CPA firm. We perform SOC 1, SOC 2, and SOC 3 attestations. We do not hold Cyber AB authorization, we do not staff Certified CMMC Assessors, and we cannot issue a CMMC Level 2 certification. What we do for clients heading toward CMMC is run the SOC 2 or SOC 1 engagement that sits alongside it. Control activities overlap heavily with NIST 800-171, and the evidence library built for a SOC 2 Type II becomes reusable input for the C3PAO.

The C3PAO assesses. A consultant or an internal team gets you ready. The CPA firm attests to your SOC 2. Three different roles, three different organizations, for the same reason ISO 27001 keeps its certification body separate from its consultants.

Timeline: the phased rollout

The DoD rule establishes a four-phase rollout into DoD contracts, with the phases spaced one year apart from the DFARS clause effective date of November 10, 2025.

  • Phase 1 (year one). Level 1 and Level 2 self-assessment requirements appear in applicable solicitations; DoD has discretion to require C3PAO-assessed Level 2.
  • Phase 2 (year two). Level 2 C3PAO assessment becomes standard.
  • Phase 3 (year three). Level 3 DIBCAC assessment appears in applicable solicitations.
  • Phase 4 (year four onward). All CMMC requirements apply to all applicable DoD contracts and exercised options.

Conditional certifications exist. If your C3PAO finds you score at least 88 of the 110 requirements and every open item is eligible for a Plan of Action and Milestones (POA&M), you can receive a conditional certification; you then have 180 days to close the POA&M and have the closeout assessed, and if you miss that window the conditional certification lapses. The rule restricts which requirements may sit on a POA&M at all: broadly the one-point requirements, with a handful of named exceptions that must be fully met at assessment time regardless of score.

The practical read: if you have DoD pipeline and you have not started, start now. A first-time Level 2 program realistically takes 12 to 18 months from decision to certification, and the C3PAO bench is thin.

How CMMC overlaps with FedRAMP, ISO 27001, and SOC 2

CMMC does not exist in isolation. If you already run a mature security program, you will find meaningful reuse:

  • FedRAMP Moderate uses NIST SP 800-53 Rev 5. NIST 800-171 is derived from the 800-53 moderate baseline, tailored for non-federal systems, and DFARS 252.204-7012 already requires any cloud service holding CUI to meet FedRAMP Moderate or equivalent. If you have a FedRAMP Moderate package, you already meet the vast majority of Level 2 practices for the authorized system. The gap is mostly documentation framing and scoping: the CMMC assessment covers the contractor's whole CUI environment, not the cloud product alone.
  • ISO 27001 Annex A (2022) maps to 800-171 at roughly 70% coverage by our estimate. Access control, cryptography, incident response, and supplier management carry over cleanly. What does not map is the federal-specific framing around CUI handling and media protection. Our ISO 27001 certification guide covers the Annex A structure.
  • SOC 2 Trust Services Criteria overlap with 800-171 in the Security category at roughly 60 to 70%, depending on scope. A Type II evidence library tested over a year is exactly what a C3PAO wants to sample. What a SOC 2 report actually tells your buyer walks through how that evidence is structured. If you have not scoped SOC 2 yet, start there before you add CMMC on top.

The control mapping is real but not automatic. A C3PAO will not accept a SOC 2 report in lieu of assessment. The overlap saves you evidence work, not assessment work.

What to do if a DoD prime asks you about CMMC

  1. Confirm in writing what information the prime will flow down: FCI only, or CUI. That decides whether you are Level 1 or Level 2, and it decides almost everything else.
  2. Pull your current SPRS score for NIST 800-171, or generate one using the DoD Assessment Methodology: start at 110 and subtract the weighted value (1, 3, or 5 points) of every unmet requirement, which is why the scale runs from -203 to 110. DFARS 252.204-7019 already requires a score less than three years old in SPRS before award, so primes will ask for this number before they ask about certification, and the gap between your SPRS score and the 110 requirements is your project plan.
  3. Scope the enclave, not the whole company. Most SaaS companies handle CUI in a defined environment (a GovCloud tenant, a segmented production account), not across every laptop. Everything that stores, processes, or transmits CUI is inside the boundary, including the cloud and managed service providers that do so on your behalf, so their status comes into scope with yours.
  4. Map your existing SOC 2 or ISO 27001 evidence to 800-171 and flag the controls with no existing evidence.
  5. Then shortlist three authorized C3PAOs from the Cyber AB marketplace and request quotes. Availability is the real constraint, not price.

The order matters. Companies that sign a C3PAO engagement letter before they have scoped the CUI enclave almost always renegotiate that engagement, at cost.
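Step 2 above and the conditional-certification rule in the timeline section share one piece of arithmetic, so here is an added worked example of it: a small Python scorer that applies the DoD Assessment Methodology's weighted deduction and then checks whether the open items could ride on a POA&M. This is example code written for this note, not a DoD tool and not part of any official methodology. The per-requirement point values, partial-credit values, and POA&M exclusions in the tables below are placeholders chosen for the example and must be replaced with the published tables from the DoD NIST SP 800-171 Assessment Methodology and 32 CFR 170.21; the requirement identifiers are real 800-171 Rev 2 numbers, the statuses in the samples are constructed.

```python
"""Score an 800-171 Rev 2 gap list the way SPRS expects, and test POA&M eligibility.

Example code for this note. The weight and POA&M tables are illustrative placeholders:
take the authoritative values from the DoD Assessment Methodology and 32 CFR 170.21.
"""
from dataclasses import dataclass, field

MAX_SCORE = 110                # every requirement met; each unmet one subtracts its weight
CONDITIONAL_MIN_SCORE = 88     # 80% of 110, the floor for a conditional Level 2 certification
MIN_POSSIBLE_SCORE = -203      # bottom of the methodology's scale, used only as a sanity check

# Assumed point values for a handful of requirements (the methodology assigns 1, 3 or 5).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.20": 1, "3.1.22": 1, "3.3.1": 5,
    "3.4.1": 5, "3.5.3": 5, "3.8.9": 1, "3.10.3": 1, "3.13.11": 5, "3.14.2": 5,
}
# Assumed: a partial implementation of these subtracts 3 instead of the full 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
# Assumed: one-point requirements the rule keeps off any POA&M regardless of score.
NO_POAM = {"3.1.20", "3.1.22", "3.10.3"}
# Assumed: higher-value requirements allowed on a POA&M only when partially implemented.
POAM_OK_IF_PARTIAL = {"3.13.11"}


@dataclass
class Assessment:
    """findings maps requirement id -> 'met' | 'partial' | 'not_met'; unlisted ids count as met."""
    findings: dict = field(default_factory=dict)

    def deduction(self, req):
        status = self.findings.get(req, "met")
        if status == "met":
            return 0
        if status == "partial" and req in PARTIAL_DEDUCTION:
            return PARTIAL_DEDUCTION[req]
        if status not in ("partial", "not_met"):
            raise ValueError(f"{req}: unknown status {status!r}")
        # 'partial' on anything without a partial-credit rule is scored as not met.
        return WEIGHTS[req]   # KeyError for an id with no weight: fail loudly rather than guess

    def score(self):
        total = MAX_SCORE - sum(self.deduction(r) for r in self.findings)
        assert MIN_POSSIBLE_SCORE <= total <= MAX_SCORE
        return total

    def open_items(self):
        return sorted(r for r, s in self.findings.items() if s != "met")

    def conditional_blockers(self):
        """Reasons this result could not get a conditional certification; empty means eligible."""
        blockers = []
        s = self.score()
        if s < CONDITIONAL_MIN_SCORE:
            blockers.append(f"score {s} is below the {CONDITIONAL_MIN_SCORE} floor")
        for req in self.open_items():
            status = self.findings[req]
            if req in NO_POAM:
                blockers.append(f"{req} may not be placed on a POA&M")
            elif status == "partial" and req in POAM_OK_IF_PARTIAL:
                continue
            elif WEIGHTS[req] > 1:
                blockers.append(f"{req} is a {WEIGHTS[req]}-point requirement ({status})")
        return blockers


# Constructed samples. Anything not listed is treated as met.
SAMPLE = Assessment({
    "3.5.3": "partial",      # MFA rolled out to VPN only
    "3.13.11": "partial",    # encryption in place, modules not FIPS-validated
    "3.1.3": "not_met",
    "3.8.9": "not_met",
})
SAMPLE_ELIGIBLE = Assessment({"3.13.11": "partial", "3.1.3": "not_met"})
SAMPLE_FAILING = Assessment({
    "3.1.1": "not_met", "3.1.2": "not_met", "3.3.1": "not_met",
    "3.4.1": "not_met", "3.14.2": "not_met", "3.1.20": "not_met",
})

if __name__ == "__main__":
    for name, a in (("partial MFA", SAMPLE), ("eligible", SAMPLE_ELIGIBLE), ("failing", SAMPLE_FAILING)):
        blockers = a.conditional_blockers()
        verdict = "conditional certification possible" if not blockers else "; ".join(blockers)
        print(f"{name}: score {a.score()}, open {a.open_items()} -> {verdict}")
```

The point the scorer makes is the one primes care about: a score of 102 can still be ineligible for a conditional certification when one of the open items is a five-point requirement that the rule will not let onto a POA&M, while a lower score with only one-point gaps sails through. Run the real weight tables through it and the list of blockers is the shortlist of controls to finish before the C3PAO arrives, not after.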


If you are heading toward CMMC Level 2 and need the SOC 2 or SOC 1 attestation that sits alongside it, one evidence library mapped to two frameworks, no C3PAO work on our end, get in touch. Our services overview covers exactly where we fit and where we do not.
