The DoD has been working to improve cybersecurity over the last several years as nation-state sponsored theft of defense secrets is reported on a regular basis. The biggest source of leaks of sensitive intellectual property is the hundreds of thousands of contractors that have access to sensitive but unclassified information called CONTROLLED UNCLASSIFIED INFORMATION or CUI.
In 2013 the DoD created a security requirement in the Defense Federal Acquisition Regulations called DFARS 252.204-7012 and then a few years later, NIST released a security requirement named SP 800-171. While both of these were a start to improving security for the defense industrial base, they didn't solve the problem.
Controlled Unclassified Information or CUI was created after 9/11 via a presidential memorandum signed by President Bush. It was updated in 2011 by President Obama under Executive Order 13556. The Pentagon and other parts of the government are still working on implementing this 20 years later.
CUI is government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government wide policies.
CUI is not classified information. It is not corporate intellectual property unless created for or included in requirements related to a government contract. It is information that we do not want to fall into our adversary’s hands. An example of this is the design of the F-35 fighter, which China stole and then used to build its own aircraft.
Because there are fewer controls over CUI as compared to classified information, CUI is the path of least resistance for adversaries. Loss of aggregated CUI is one of the most significant risks to national security, directly affecting the lethality of our warfighters.
The problem was that people were claiming to be compliant with these regulations when they were not, and no one was checking to verify it.
In early 2019 DoD upped the ante by releasing the Cybersecurity Maturity Model Certification (CMMC). This was the first time DoD required contractors, sub-contractors and suppliers to be CERTIFIED to participate in the DoD supply chain.
The DoD released version 1 of CMMC as an emergency requirement. While it allowed rapid deployment, it was costly and difficult for small businesses. After a mandated review, the DoD released CMMC 2.0 in November 2021. The final rule was published on December 26, 2024, and is now in effect.
Here are the confirmed key elements of CMMC 2.0:
1. The five levels of CMMC are now three.
2. Contractors that only need Level 1 may self-certify annually.
3. Level 2 is based entirely on NIST SP 800-171 and split into self-assessed and certified tiers. About 85–90% will need third-party assessments by a C3PAO.
4. Level 3 will require a DoD-led assessment in addition to Level 2 certification.
5. The 20 extra CMMC 1.0 controls are gone for now, but may return via a future update to NIST SP 800-171 (Rev. 3 is in draft).
6. Process maturity is no longer scored.
7. The DoJ is actively pursuing contractors for false claims related to 800-171 compliance.
8. The CMMC-AB is now the Cyber AB and third-party certifications are live in 2025.
9. Incentives for early certification are still under discussion.
10. Self-certifications must be signed by a company executive and are subject to annual renewal.
At higher levels, certifications are valid for three years.
NOTE: This web page is updated as more information is released by the Department of Defense.
The CMMC will encompass three maturity levels that range from "Foundational" to "Expert". The intent is to identify the required CMMC level in RFP sections L and M and use it as a "go / no go decision."
In its original form, the CMMC was intended to combine various cybersecurity control standards such as NIST SP 800-171 (Rev. 1 and Rev. 2), NIST SP 800-53, and AIA NAS9933 into one unified standard for cybersecurity. After a lot of pushback from the contractor community, DoD limited CMMC to just the controls in 800-171.
DoD says it plans to enhance NIST SP 800-171 to bring back some of the controls that were in CMMC 1.0 and are not currently in CMMC 2.0. It is doing this by creating a version 3 of 800-171, which will likely be released in 2023.
To be clear, the DoD does not control what is in 800-171. That is the responsibility of the Department of Commerce. If you don’t like what is in 800-171, talk to Commerce; DoD can’t change it.
CMMC is a program to make sure that contractors who say they are complying with 800-171 really are complying. That is ALL CMMC is. CMMC does not have any of its own requirements any longer.
The DoD has built upon the existing DFARS 252.204-7012 regulation and developed the CMMC as a "verification component" for its cybersecurity requirements. The DoD has so far trusted contractors to achieve compliance on their own and is now applying continued pressure to ensure 100% adoption of the cybersecurity controls as it updates its policies. This is a "trust but verify" process.
The DoD is putting a lot of pressure on the big primes to get their subs in line. Of course, the primes don’t have their own houses in order yet. The prime contractors are required to flow down the appropriate CMMC requirement to sub-contractors and the subs must flow down these requirements to their subs.
If you have a vendor that has access to your systems such as an IT services provider or you have a vendor that you give either system access or data, any of those third parties may need to be certified at the same level as you are or above. The current DFARS -7012 and -7019 are MANDATORY flow down clauses with no changes other than you can insert your company’s name. Since almost all companies use vendors or service providers, this is going to be a big one. When CMMC is fully rolled out, any subs or vendors used on the contract will need to be certified at the appropriate level before the contract can be awarded.
The DoD still plans on maintaining a database that contracting officers will review prior to awarding contracts. What this looks like is still undefined. It will probably look something like SPRS plus other systems.
DoD contractors will no longer be allowed to bid on contracts that include CMMC clauses unless they are certified (or self-attested for Level 1 or limited Level 2). This is a major change from past policy, where compliance was expected after award. Now, certification or attestation must happen in advance.
The final rule is in effect. As of mid-2025, the DoD is gradually inserting CMMC requirements into contracts. The rollout is staged, but real — and contractors must demonstrate their CMMC posture prior to award through SPRS scoring or C3PAO certification, depending on level.
The DoD has acknowledged the challenges in rollout speed, especially for small businesses, and is balancing enforcement with flexibility. But the clock is ticking. If your company handles CUI, a full CMMC Level 2 certification will eventually be required.
As of 2025, DoD contractors must either submit an annual self-attestation (for CMMC Level 1 or limited Level 2) or coordinate with a CMMC Third-Party Assessment Organization (C3PAO) to undergo a formal assessment. For companies required to meet Level 3, additional review by the Department of Defense will follow after successful Level 2 certification.
Contractors with a skilled internal IT/security team can implement CMMC requirements internally. The Self-Assessment Handbook - NIST Handbook 162 remains a useful guide for NIST SP 800-171 Rev. 1. However, as of now, there is no handbook for Rev. 2 or 3 (draft), which makes full DIY preparation more difficult.
While internal preparation can support self-attestation, a third-party certification still requires coordination with a certified C3PAO — and all documentation (SSP, POA&M, policy set) must be complete and accurate.
For many small and mid-sized contractors, the fastest and most cost-effective path to compliance is working with an experienced CMMC consultant. Consultants like CyberCecurity, LLC and Turnkey Cybersecurity and Privacy Solutions, LLC offer hands-on assistance with system preparation, documentation, and readiness assessments.
Keep in mind: even if a consultant prepares you, you are still responsible for your organization’s compliance. For Level 2 certification, a C3PAO must independently verify your readiness through a full audit.
The first step toward compliance is to assess your environment: identify what CUI you handle, where it resides, and who can access it. Then conduct a gap analysis to determine how far you are from meeting NIST SP 800-171 controls and CMMC expectations.
This process reveals risks such as:
The result of a good gap assessment is a prioritized POA&M — your roadmap to full compliance.
Compliance isn’t a one-time event. DFARS and CMMC require ongoing vigilance, including near-immediate breach reporting (within 72 hours) to DoD or your prime. To remain compliant, contractors must continuously monitor, maintain logs, update configurations, and document incidents.
DoD contracts are increasingly gated by CMMC requirements. Failure to pass a Level 2 assessment — or falsely attesting to 800-171 compliance — can lead to loss of award eligibility, false claims liability, and even debarment.
Turnkey Cybersecurity and CyberCecurity provide tailored services to help you prepare for CMMC audits and ongoing DFARS/NIST obligations.
Our offerings include:
We focus on smaller DoD contractors — helping them reach compliance quickly, without building a massive IT program from scratch.
Have more questions?
Please call me for more information: Mitch Tanenbaum, CISO, CyberCecurity, LLC