The federal government isn’t playing around with cybersecurity anymore. For years, contractors handling sensitive government data operated under a patchwork of self-assessed security standards. That era is ending. The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is now rolling into federal contracts, and thousands of companies across the defense industrial base are scrambling to figure out what it means for them.
If a company holds a Department of Defense contract, or plans to bid on one, this isn’t something that can be pushed to next quarter’s agenda. The clock is ticking, and the penalties for non-compliance go well beyond a fine.
Why CMMC 2.0 Exists in the First Place
The short version: too many contractors were saying they were secure when they weren’t. Under the previous system, companies self-attested to their compliance with NIST SP 800-171, a set of 110 security controls designed to protect Controlled Unclassified Information (CUI). The problem was that self-attestation had no teeth. A 2019 assessment by the DoD Inspector General found that contractors routinely failed to implement even basic safeguards, yet still marked themselves as compliant.
CMMC 2.0 fixes this by introducing third-party assessments for companies handling CUI. It’s a verification mechanism. Instead of trusting contractors to grade their own homework, the government now requires an independent assessor to confirm that security controls are actually in place and functioning.
The Three Levels, Simplified
CMMC 2.0 streamlined the original five-level model down to three tiers. Each level corresponds to the sensitivity of the information a contractor handles.
Level 1 (Foundational) applies to companies that handle Federal Contract Information (FCI) but not CUI. This level requires 17 basic security practices, things like using antivirus software, limiting system access, and requiring passwords. Self-assessment is still allowed here, but results must be entered into the Supplier Performance Risk System (SPRS).
Level 2 (Advanced) is where things get serious. This level maps directly to the 110 controls in NIST SP 800-171 and applies to contractors that process, store, or transmit CUI. Most companies that work with the DoD will fall into this category. For contracts involving critical national security information, a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) is mandatory. Some Level 2 contracts may still allow self-assessment, but that distinction depends on the sensitivity of the data involved.
Level 3 (Expert) targets the highest-value contracts and the most sensitive programs. It adds controls from NIST SP 800-172, and assessments are conducted by the government itself, specifically by the Defense Contract Management Agency (DCMA).
Common Misconceptions That Get Contractors in Trouble
One of the biggest mistakes small and mid-sized contractors make is assuming CMMC doesn’t apply to them. If a company is a subcontractor three tiers deep in a supply chain, and it touches CUI at any point, compliance is required. Prime contractors are increasingly flowing down CMMC requirements to their subs, and being dropped from a supply chain for non-compliance is a very real business risk.
Another misconception is that having a firewall and antivirus software is enough. Level 2 compliance requires demonstrable implementation of all 110 NIST 800-171 controls. That includes things like multi-factor authentication, encrypted communications, audit log retention, incident response planning, and security awareness training. Many of these controls require not just technology but documented policies, procedures, and evidence of consistent execution.
There’s also confusion about timelines. CMMC requirements started appearing in select DoD contracts in 2025, and the phased rollout means more contracts will include them with each passing quarter. Companies that wait until they see the requirement in a specific solicitation will almost certainly be too late. Preparing for a Level 2 assessment can take 12 to 18 months depending on a company’s starting point.
Where DFARS Fits Into the Picture
CMMC doesn’t exist in a vacuum. It builds on the existing DFARS 252.204-7012 clause, which has required contractors to implement NIST 800-171 controls since 2017. Companies that have been genuinely compliant with DFARS already have a head start on CMMC Level 2. The difference now is accountability. Where DFARS relied on the honor system, CMMC adds verification.
For contractors in the Long Island and New York metro area, Connecticut, and New Jersey, this is particularly relevant. The region has a dense concentration of defense subcontractors, aerospace suppliers, and technology firms that feed into larger DoD programs. Many of these are small businesses with 50 or fewer employees, and they often lack dedicated cybersecurity staff. That doesn’t exempt them from compliance.
Practical Steps Contractors Should Be Taking Now
Security professionals working with government contractors generally recommend starting with a gap assessment. This means comparing current security practices against all 110 NIST 800-171 controls and identifying where shortfalls exist. Each gap needs a remediation plan with a realistic timeline.
Building a System Security Plan (SSP) is non-negotiable. This document describes how each control is implemented within the organization’s environment. Assessors will review it closely, and vague or boilerplate language won’t pass muster. The SSP needs to reflect the actual systems, people, and processes in use.
A Plan of Action and Milestones (POA&M) documents any controls that aren’t fully implemented yet and outlines the steps and deadlines for closing those gaps. Under CMMC 2.0, some POA&M items may be allowed at the time of assessment, but only for a limited number of controls and only with strict timelines for remediation. Having too many open items can still result in a failed assessment.
Contractors should also evaluate whether their current IT infrastructure can support the required controls. Many small firms still run on-premises servers with inconsistent patch management, or they use consumer-grade email and cloud storage that doesn’t meet federal encryption standards. Migrating to a compliant cloud environment, such as one that meets the FedRAMP Moderate baseline, is often a necessary step.
Don’t Forget the Human Element
Technology only covers part of the equation. CMMC assessors will look at whether employees receive regular security awareness training, whether the organization has a documented incident response plan that’s been tested, and whether access controls are reviewed and updated on a regular basis. A company can have every technical control in place and still fail an assessment if the policies and training aren’t there to back them up.
The Business Case Beyond Compliance
It’s tempting to view CMMC as just another regulatory burden. But contractors who invest in meeting these standards often find that their overall security posture improves in ways that benefit the entire business, not just the government side. Better access controls reduce the risk of insider threats. Encrypted communications protect proprietary information. Incident response planning means the company can recover faster from any disruption, whether it’s a ransomware attack or a natural disaster.
There’s a competitive angle too. As CMMC requirements become standard in DoD solicitations, companies that achieve certification early will have a clear advantage over competitors still working through remediation. For small and mid-sized firms competing against larger players, being able to demonstrate verified compliance can be a meaningful differentiator.
The contractors who treat cybersecurity compliance as a strategic investment rather than a checkbox exercise are the ones most likely to keep winning contracts in the years ahead. The ones who don’t may find themselves locked out of the market entirely.