The Cybersecurity Maturity Model Certification (CMMC) program represents the Department of Defense's most significant effort to enforce cybersecurity requirements across the defense industrial base (DIB). After years of self-attestation under DFARS 252.204-7012, the DoD concluded that too many contractors were claiming compliance with NIST SP 800-171 without actually implementing the required controls. CMMC 2.0 — the revised framework finalized in late 2024 — establishes a tiered certification structure that, for higher-level contracts, requires third-party assessment by a Certified Third-Party Assessment Organization (C3PAO).
If your organization holds or is pursuing DoD contracts, understanding CMMC 2.0 requirements is now a business-continuity issue. Contracts at Level 2 and above will require demonstrated compliance, and the assessment process is more demanding than many contractors expect.
CMMC 2.0 Three-Level Structure
CMMC 2.0 streamlines the original five-level CMMC 1.0 framework into three tiers:
Level 1: Foundational
Level 1 applies to contractors handling Federal Contract Information (FCI) — information that is not intended for public release and is provided under a government contract. It requires implementation of the 15 basic safeguarding requirements set out in FAR clause 52.204-21 (48 CFR 52.204-21(b)(1)), as incorporated into CMMC Level 1 by the CMMC Program final rule at 32 CFR Part 170. Annual self-assessment is sufficient at this level, and no C3PAO involvement is required. Level 1 is essentially a codification of basic cyber hygiene.
Level 2: Advanced
Level 2 applies to contractors handling Controlled Unclassified Information (CUI). It requires full implementation of the 110 security requirements in NIST SP 800-171 Rev 2 (transitioning to Rev 3 requirements over time). For most CUI contracts, a triennial third-party assessment by a C3PAO is required. For select programs, annual self-assessment may be permitted. A Plan of Action and Milestones (POA&M) is permitted for a limited subset of practices, subject to specific constraints.
Level 3: Expert
Level 3 is reserved for contractors working on the DoD's most sensitive programs. It layers 24 enhanced security requirements selected from NIST SP 800-172 on top of the 110 NIST SP 800-171 requirements at Level 2 — 134 in total. Government-led assessments by DCMA DIBCAC are required. Level 3 applies to a relatively small number of highly sensitive programs and is not yet fully operationalized.
NIST SP 800-171 and the 110 Practices
For most defense contractors, the operative compliance target is NIST SP 800-171's 110 security requirements across 14 families. These requirements are the direct subject of CMMC Level 2 assessment. Understanding the structure is essential for gap assessment:
- Access Control (AC): 22 requirements covering user access management, remote access, wireless access, and mobile device policy
- Awareness and Training (AT): 3 requirements for security awareness and role-based training
- Audit and Accountability (AU): 9 requirements for log generation, protection, review, and retention
- Configuration Management (CM): 9 requirements for baseline configurations, least functionality, and change control
- Identification and Authentication (IA): 11 requirements including MFA for privileged and remote access
- Incident Response (IR): 3 requirements for incident handling capability, testing, and reporting
- Maintenance (MA): 6 requirements for controlled maintenance and media sanitization during maintenance
- Media Protection (MP): 9 requirements for media access, sanitization, and transport
- Personnel Security (PS): 2 requirements for personnel screening and termination
- Physical Protection (PE): 6 requirements for facility and equipment access controls
- Risk Assessment (RA): 3 requirements for periodic risk assessments and vulnerability scanning
- Security Assessment (CA): 4 requirements for system assessments, plan of action management, and system connections
- System and Communications Protection (SC): 16 requirements for network segmentation, boundary protection, and encryption
- System and Information Integrity (SI): 7 requirements for malware protection, security alerts, and patch management
SPRS Scoring and Self-Assessment
The Supplier Performance Risk System (SPRS) is the DoD portal where contractors submit their NIST SP 800-171 self-assessment scores. The scoring methodology starts at a maximum of 110 points. Each unimplemented practice reduces the score by a weighted value — high-value practices like MFA deduct more than lower-weight practices. A score of 110 indicates full implementation with no gaps.
Contractors must maintain an active SPRS score to be eligible for contracts. DoD contracting officers can view a contractor's SPRS score. DFARS 252.204-7019 makes posting a current score a condition of award but sets no minimum passing score; a score below 110 is not automatically disqualifying if accompanied by a credible POA&M. Individual prime contractors, however, increasingly require subcontractors to clear an informal threshold (commonly cited as 80 or higher) before awarding CUI-related work.
Common Gaps Found During Assessment
Based on assessment patterns across the DIB, the most frequently identified gaps cluster in a few families. Multi-factor authentication (IA family) is among the most common: many contractors have not yet deployed MFA for all remote access and privileged accounts. Audit and log monitoring (AU family) is another persistent gap — organizations often generate logs but lack a centralized SIEM or log review process. Incident response plans (IR family) are frequently either absent or not tested annually as required.
If your organization is preparing for a CMMC Level 2 C3PAO assessment, a gap assessment against NIST SP 800-171 conducted by an experienced security practitioner is the critical first step. A virtual CISO engagement can establish the System Security Plan (SSP), produce a credible POA&M, and prepare your organization for the formal C3PAO assessment cycle. Contact Fortress MSSP to begin your CMMC readiness assessment.