🏭 Defense Contractor Compliance

CMMC 2.0 Compliance

CMMC 2.0 is now being written into DoD contracts. Ohio defense contractors and manufacturers who handle CUI must achieve verified compliance at the required level, or lose eligibility for those contracts. Securafy delivers CMMC Level 1 and Level 2 readiness programs built for Ohio's defense industrial base.

What Is CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the DoD's framework for verifying that defense contractors adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The CMMC program rule (32 CFR Part 170) took effect in December 2024, and the companion DFARS rule that places CMMC requirements in DoD solicitations and contracts took effect in November 2025, with a phased rollout from that date.

CMMC 2.0 collapsed the original five levels into three: Level 1 (Foundational: the 15 basic safeguarding requirements of FAR 52.204-21), Level 2 (Advanced: the 110 security requirements of NIST SP 800-171 Rev 2), and Level 3 (Expert: the 110 Level 2 requirements plus 24 selected from NIST SP 800-172). Most Ohio defense contractors and manufacturers need Level 1 or Level 2.

The critical change: for most contracts involving CUI, Level 2 compliance must be verified by a certified third-party assessment organization (C3PAO) rather than self-attested. Every level also requires a senior company official to affirm continued compliance annually in the Supplier Performance Risk System (SPRS). Affirming compliance before the controls are actually in place exposes the organization to False Claims Act liability.

"CMMC isn't a checkbox — it's a certification. Ohio defense contractors need to start their readiness program 12–18 months before their next contract renewal."

110: NIST 800-171 practices required for Level 2
$14B: Annual DoD prime contract value at risk for non-compliance
Level 2: Required for most CUI-handling defense contractors
18mo: Typical time to achieve Level 2 readiness from scratch

The Three Levels

CMMC 2.0 Level Requirements

1️⃣ Level 1 — Foundational

The 15 basic safeguarding requirements of FAR 52.204-21. Protects Federal Contract Information (FCI). Annual self-assessment with an affirmation submitted in SPRS; no POA&M is permitted at Level 1, so every requirement must be fully met. Covers basic cyber hygiene: access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity.

2️⃣ Level 2 — Advanced

The 110 security requirements of NIST SP 800-171 Rev 2. Required for contracts involving Controlled Unclassified Information (CUI). Most Level 2 contracts require a C3PAO assessment every three years (triennial, not three times a year) plus an annual affirmation in SPRS; a smaller set of contracts permits a triennial self-assessment instead. Covers all 14 NIST SP 800-171 families, including access control, awareness and training, audit and accountability, configuration management, incident response, and system and communications protection.

3️⃣ Level 3 — Expert

The 110 Level 2 requirements plus 24 selected from NIST SP 800-172 (134 in total). Required for contracts involving the most sensitive CUI on DoD's highest-priority programs. Assessed by the government (DCMA's Defense Industrial Base Cybersecurity Assessment Center, DIBCAC) on top of a Level 2 C3PAO certification. Applies to a small subset of the defense industrial base.

📋 System Security Plan (SSP)

Level 2 and above require a documented System Security Plan describing how each requirement is met (NIST SP 800-171 requirement 3.12.4); Level 1 does not mandate one, but you still need evidence for each of the 15 requirements. A Plan of Action & Milestones (POA&M) may track unmet Level 2 requirements only within limits: the assessment score must be at least 88 of 110, only lower-weighted (1-point) requirements may remain open, and every open item must be closed within 180 days or the conditional certification lapses. Level 1 permits no POA&M. Assessors review both documents.

⛓️ Flow-Down Requirements

Prime contractors must flow CMMC requirements down to their subcontractors. The level a subcontractor needs is set by the information it will handle, not by the prime's own level: FCI alone requires Level 1, and any CUI requires Level 2 (Level 3 flows down only when the sub handles the information the Level 3 requirement protects). A subcontractor that cannot meet its level cannot receive CUI, which can disqualify the prime from parts of the work.

🔍 Scoping — What's In Your CUI Environment?

Defining your CMMC scope — the systems, people, and facilities that handle CUI — is one of the most critical (and misunderstood) steps. Incorrect scoping leads to either over-investment or audit failure.

The 14 Practice Domains

CMMC Level 2 Security Domains

Level 2 maps to all 14 NIST SP 800-171 Rev 2 families, 110 requirements in total. Each family contains specific practices your organization must implement and document.

Domain | Practices (Level 2) | Common Gaps
Access Control (AC) | 22 | Least privilege enforcement, CUI access logging, remote access controls
Awareness & Training (AT) | 3 | Role-based security training, insider threat awareness, training completion records
Audit & Accountability (AU) | 9 | Centralized log collection, retention policies, review processes
Configuration Management (CM) | 9 | Baseline configurations, change control, unauthorized software blocking
Identification & Authentication (IA) | 11 | MFA enforcement, password complexity, privileged account management
Incident Response (IR) | 3 | Documented and tested IRP, 72-hour cyber incident reporting to DoD through DIBNet (DFARS 252.204-7012), post-incident lessons learned
Maintenance (MA) | 6 | Controlled remote maintenance, sanitization before maintenance
Media Protection (MP) | 9 | CUI marking, portable media controls, sanitization procedures
Personnel Security (PS) | 2 | Screening procedures, termination procedures
Physical Protection (PE) | 6 | Facility access controls, visitor management, CUI workspace controls
Risk Assessment (RA) | 3 | Periodic risk assessments, vulnerability scanning cadence
Security Assessment (CA) | 4 | System security plans, POA&M management, control testing
System & Communications Protection (SC) | 16 | Network segmentation, encryption, boundary protection
System & Information Integrity (SI) | 7 | Malicious code protection, security alerting, software patching

Supply chain risk management is not a separate family in NIST SP 800-171 Rev 2 (it is added as one in Rev 3, which CMMC 2.0 does not yet reference). Vendor vetting, software provenance and hardware integrity still matter for Level 2 through the flow-down obligations above and the risk assessment practices in RA.
How Securafy Helps

CMMC Readiness for Ohio Manufacturers

Securafy is a Registered Practitioner Organization (RPO) with The Cyber AB (formerly the CMMC-AB), meaning our consultants are trained and authorized to assist with CMMC readiness. RPOs do not perform the certification assessment itself; that is done by an independent C3PAO.

CMMC Scoping & Gap Assessment

We define your CUI environment, identify in-scope systems and assets, map your current practices against all 110 NIST 800-171 requirements, and produce a scored gap analysis with remediation priorities.

System Security Plan (SSP) Development

We write your complete SSP — the primary document reviewed by C3PAO assessors — documenting how each practice is implemented, partially implemented, or planned in your environment.

POA&M Management

We track all practice gaps in a Plan of Action & Milestones, with remediation timelines and responsible owners. We manage the POA&M actively through to closure — not just document it.

Technical Control Implementation

We implement the technical controls required by Level 2 — MFA, network segmentation, endpoint protection, SIEM, patch management, encryption, and access control — all maintained ongoing.

C3PAO Assessment Preparation

Before your certification assessment, we conduct a mock assessment against all 110 practices, identify remaining gaps, and prepare your team for assessor interviews and documentation reviews.

Ongoing CMMC Maintenance

Certification must be maintained. We provide continuous monitoring, quarterly control testing, policy updates, and support for the annual SPRS affirmation your senior official must sign, keeping the certification valid through its three-year cycle and leaving no surprises for the next C3PAO assessment.

Common Questions

CMMC 2.0 FAQ

When does CMMC 2.0 become mandatory?
The CMMC program rule (32 CFR Part 170) took effect in December 2024, and the DFARS rule that places CMMC in contracts took effect on November 10, 2025. DFARS 252.204-7021 is the clause that triggers CMMC requirements: if a solicitation or contract you hold includes it, the required assessment and SPRS affirmation must be in place before award. The rollout is phased over three years. Phase 1 (from November 2025) relies on Level 1 and Level 2 self-assessments; Phase 2 (from November 2026) adds Level 2 C3PAO certification requirements; Phase 3 (from November 2027) adds Level 3; and from November 2028 CMMC applies to all applicable DoD solicitations and contracts.
Can I self-attest for CMMC Level 2?
Only where the contract specifies a Level 2 self-assessment rather than Level 2 certification; DoD has stated that most CUI contracts will require a C3PAO assessment, and the self-assessment option is mainly a Phase 1 bridge. A self-assessment must be affirmed in SPRS by a senior company official. Affirming compliance you do not actually have creates civil False Claims Act exposure for the organization (treble damages plus per-claim penalties), and a knowingly false certification can also bring personal and criminal liability for the officials who sign it.
What happens if my subcontractors aren't CMMC certified?
As a prime contractor, you are responsible for ensuring that any subcontractor who receives or generates CUI has the appropriate CMMC level. If a subcontractor isn't certified, you cannot flow CUI to them — which may disqualify certain contract work. This is why CMMC supply chain risk is a critical planning consideration.
How much does CMMC Level 2 certification cost?
C3PAO assessment fees typically range from $30,000–$100,000+ depending on organizational size and scope. But the larger cost is remediation — getting to 110/110 practices before the assessment. Most Ohio SMB manufacturers spend $150K–$400K total on readiness + assessment. The cost of losing DoD contracts is typically far greater.
Watch the Full CMMC Briefing

Securafy for CMMC-Subject Manufacturers
Protect Your DoD Contract Eligibility

A complete briefing for manufacturers handling Controlled Unclassified Information (CUI) or subject to CMMC 2.0 / NIST SP 800-171. Understand exactly what Level 2 certification requires, what Securafy delivers, and how we protect the contracts your business depends on.

★ CMMC 2.0 / NIST 800-171 Specialist
What This Briefing Covers
  • CMMC 2.0 Level 1, 2 & 3 requirements explained
  • All 110 NIST 800-171 practices — what they mean
  • How Securafy implements and documents every control
  • SSP development and POA&M management
  • C3PAO assessment readiness process
  • DoD contract protection and audit defense
Who Needs This
DoD prime contractors & subcontractors
Manufacturers handling CUI data
Defense supply chain participants
Firms facing DFARS clause requirements

★ Soteria Award — Most Trusted MSP in North America 2024

Ready to Become Audit-Ready?

Securafy builds and maintains compliance programs for Columbus and Cleveland, Ohio businesses. Prevention-First. Compliance-Ready. Award-Winning.

📍 Columbus & Cleveland, Ohio

Official Regulatory Resources