If you sell to the Department of Defense, CMMC 2.0 is no longer a future problem — it is a present one. The contractual rule took effect on November 10, 2025, and CMMC requirements are now phasing into DoD solicitations. This post explains what the program is, who it covers, and what to do first.
What CMMC Actually Is
The Cybersecurity Maturity Model Certification is a verification program, not a new set of controls. It confirms that defense contractors have implemented the security requirements that already apply to them — primarily NIST SP 800-171 for Controlled Unclassified Information (CUI), and a subset of NIST SP 800-172 at the highest level. In other words, CMMC checks your homework; it doesn't assign new homework.
The Three Levels
- Level 1 — Foundational. Covers basic safeguarding of Federal Contract Information (FCI): the 15 requirements in FAR 52.204-21. Verified by an annual self-assessment and an executive affirmation.
- Level 2 — Advanced. Covers the full 110 controls of NIST SP 800-171. For most contracts involving CUI, Level 2 requires a third-party assessment by a C3PAO every three years; a limited subset may be met by self-assessment.
- Level 3 — Expert. Adds selected enhanced controls from NIST SP 800-172, assessed by the government, for the most sensitive programs.
Who Needs Which Level
Your required level is set by the contract and driven by the sensitivity of the information you handle:
- Handle only FCI? You are likely looking at Level 1.
- Handle CUI? Expect Level 2 — and for most CUI, a C3PAO certification rather than a self-assessment.
- Work on the most sensitive DoD programs? Level 3 may apply.
These requirements flow down: if you are a subcontractor handling CUI, the prime contractor's CMMC clause reaches you too.
The Rollout Timeline
DoD is phasing CMMC in over several years so the assessor ecosystem can keep up:
- Phase 1 (began Nov 10, 2025): Level 1 and Level 2 self-assessments appear in selected solicitations.
- Phase 2 (Nov 10, 2026): Level 2 C3PAO certification required for most CUI contracts.
- Phase 3 (Nov 10, 2027): Level 3 assessments added.
- Phase 4 (Nov 10, 2028): CMMC required on essentially all applicable DoD contracts.
The practical implication: if you handle CUI, you should be planning your Level 2 third-party assessment now, well ahead of Phase 2. Assessor capacity is finite, and a certification gap can make you ineligible for award.
A Note on NIST 800-171 Versions
CMMC Level 2 is built on NIST SP 800-171. As of 2026, DoD contracts remain anchored to Revision 2 (110 controls) through a class deviation, even though Revision 3 has been published. DoD has signaled it will transition to Rev 3 — so build your program to the current Rev 2 baseline while watching for the change.
Key Takeaways
- CMMC verifies existing NIST 800-171 compliance; it doesn't replace it.
- Your level depends on whether you handle FCI (Level 1) or CUI (Level 2+).
- Phase 2 in November 2026 brings mandatory third-party certification for most CUI — plan ahead.
- Honest Supplier Performance Risk System (SPRS) scores and a documented Plan of Action and Milestones (POA&M) are your foundation.
Not sure where you land? Run our Find My Requirements tool, or dig into the details on the Defense industry page.