CMMC 2.0 Is Now the Law
On December 16, 2024, the Department of Defense's final rule codifying CMMC 2.0 went into effect, formally embedding cybersecurity certification requirements into the Defense Federal Acquisition Regulation Supplement (DFARS). For the roughly 300,000 companies in the Defense Industrial Base (DIB), this is no longer a proposal or a pilot — it is a binding requirement that will increasingly appear in contract solicitations throughout 2025 and beyond.
The rule represents the culmination of years of development since the original CMMC 1.0 framework, which was dramatically simplified and streamlined into the current three-level structure. Here's what you need to know.
Understanding the Three Levels
Level 1: 17 Practices | Annual Self-Assessment
Level 1 applies to companies that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). It requires implementation of 17 basic cyber hygiene practices drawn from FAR 52.204-21 — things like access control, incident response basics, and system maintenance. Companies self-assess annually and affirm compliance in the Supplier Performance Risk System (SPRS).
Level 2: 110 Practices | Third-Party Assessment (Most Contractors)
Level 2 applies to companies handling CUI and aligns directly with the 110 security requirements in NIST SP 800-171. Most defense contractors fall into this category. For contracts involving critical national security information, a third-party assessment by a CMMC Third Party Assessment Organization (C3PAO) is required every three years. For other CUI contracts, annual self-assessment with senior official affirmation may be allowed.
Level 3: 110+ Practices | Government-Led Assessment
Level 3 is reserved for companies supporting the DoD's highest-priority programs and adds requirements beyond SP 800-171 drawn from NIST SP 800-172. Assessments are conducted directly by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Only a small subset of contractors will be required to meet Level 3.
Most contractors need Level 2. If your organization handles CUI — including technical drawings, specifications, or any information marked with a CUI designation — you are likely a Level 2 candidate. Start your NIST SP 800-171 assessment now if you haven't already.
The SPRS Score: Your Compliance Baseline
Under DFARS 252.204-7019 and 252.204-7020, DoD contractors are already required to conduct a self-assessment against NIST SP 800-171 and submit a score to the Supplier Performance Risk System. Your SPRS score — which ranges from -203 to 110 — starts at 110 and deducts points for each unimplemented practice, weighted by its criticality.
A score of 110 means full compliance. Most organizations score significantly lower, and that's normal — but any score below 110 requires a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) documenting how you will address the gaps. Under CMMC 2.0, the SSP and POA&M become formal compliance artifacts that assessors will review.
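To make the scoring concrete, here is a small calculator that turns per-practice implementation status from an SSP into an SPRS score and a POA&M skeleton. It is an added example, not code from the original post or from ECI. The 110 and -203 bounds and the 1/3/5 point values are those of the DoD Assessment Methodology; the six requirement IDs are real SP 800-171 identifiers, but the weights attached to them here are illustrative placeholders rather than the methodology's official table, and the implementation statuses are constructed. The one check worth copying is that an unassessed practice is rejected instead of being silently counted as implemented.

```python
"""SPRS score calculator for a NIST SP 800-171 self-assessment (added example)."""
from dataclasses import dataclass, field

MAX_SCORE = 110            # every requirement implemented
MIN_SCORE = -203           # every requirement unimplemented (110 - 313)
VALID_WEIGHTS = {1, 3, 5}  # point values the DoD Assessment Methodology assigns

# Constructed catalogue: six real SP 800-171 requirement IDs with ILLUSTRATIVE
# weights (not the official table). A real catalogue lists all 110 requirements,
# whose official weights total 313, which is what makes -203 the floor.
SAMPLE_CATALOGUE = {
    "3.1.1": 5,   # limit system access to authorized users
    "3.5.3": 5,   # multifactor authentication
    "3.3.1": 3,   # create and retain audit logs
    "3.11.2": 3,  # scan for vulnerabilities
    "3.1.8": 1,   # limit unsuccessful logon attempts
    "3.8.4": 1,   # mark media with CUI markings
}

# Constructed SSP implementation status for the same six IDs.
SAMPLE_STATUS = {
    "3.1.1": True,
    "3.5.3": False,   # MFA not yet deployed: the highest-value gap
    "3.3.1": True,
    "3.11.2": True,
    "3.1.8": False,
    "3.8.4": True,
}


@dataclass
class Assessment:
    score: int
    deductions: int
    gaps: list = field(default_factory=list)  # (req_id, weight), largest first


def validate_catalogue(catalogue):
    """Reject weights the methodology never assigns."""
    bad = {rid: w for rid, w in catalogue.items() if w not in VALID_WEIGHTS}
    if bad:
        raise ValueError(f"invalid weights: {bad}")


def score_assessment(catalogue, status):
    """Compute the SPRS score from per-requirement implementation status.

    Every catalogue requirement must carry an explicit status: an unassessed
    requirement is an error, never silently treated as implemented. Status
    entries for IDs not in the catalogue are rejected too (typo in the SSP).
    """
    validate_catalogue(catalogue)
    missing = sorted(set(catalogue) - set(status))
    if missing:
        raise ValueError(f"no implementation status for: {missing}")
    unknown = sorted(set(status) - set(catalogue))
    if unknown:
        raise ValueError(f"status for unknown requirement IDs: {unknown}")

    gaps = [(rid, catalogue[rid]) for rid, done in status.items() if not done]
    gaps.sort(key=lambda g: (-g[1], g[0]))   # biggest deductions first
    deductions = sum(w for _, w in gaps)
    score = max(MAX_SCORE - deductions, MIN_SCORE)
    return Assessment(score=score, deductions=deductions, gaps=gaps)


def poam_rows(assessment):
    """POA&M skeleton: one CSV row per gap; owner and target date left blank."""
    header = "requirement,points,owner,target_date"
    return [header] + [f"{rid},{w},," for rid, w in assessment.gaps]


if __name__ == "__main__":
    result = score_assessment(SAMPLE_CATALOGUE, SAMPLE_STATUS)
    print(f"SPRS score: {result.score} (deductions: {result.deductions})")
    print("\n".join(poam_rows(result)))
```

Run against the constructed status, the two gaps (weights 5 and 1) deduct 6 points for a score of 104, and the POA&M rows come out with the MFA gap first so remediation effort is ordered by score impact. Swap in the official weight table and your own SSP status to use it for real.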
Key Timelines to Know
- Now: CMMC 2.0 requirements are being phased into DoD contracts. Early solicitations already include CMMC requirements.
- Phase 1 (2025): Level 1 and Level 2 self-assessment requirements apply to select contracts.
- Phase 2 (2026): Level 2 C3PAO assessment requirements begin appearing in contracts.
- Phase 3 (2027): Full implementation across all applicable DoD contracts, including Level 3.
- Phase 4 (2028): CMMC requirements apply to all contracts and subcontracts involving FCI or CUI.
Subcontractor Flow-Down: Don't Forget Your Supply Chain
CMMC requirements flow down through the supply chain. If you are a prime contractor required to meet Level 2, your subcontractors who handle CUI must also meet Level 2. This is a frequently overlooked compliance gap: you need to assess not just your own posture but also the security practices of any subcontractor who touches CUI in your program.
What to Do Now
- Conduct a NIST SP 800-171 gap assessment if you haven't done so within the past year. Identify which of the 110 practices you have implemented and which require remediation.
- Develop or update your System Security Plan (SSP). This document describes how you implement each of the 110 practices and is a core assessment artifact.
- Submit your SPRS score. Ensure your score in SPRS accurately reflects your current implementation status.
- Build a POA&M. Document all gaps, assign owners, and establish realistic remediation timelines.
- Select a C3PAO early. If you anticipate needing a Level 2 third-party assessment, begin the C3PAO selection process now — qualified assessors are in high demand and scheduling lead times are growing.
- Assess your subcontractors. Identify which of your subcontractors handle CUI and ensure they have active compliance programs.
Need CMMC 2.0 readiness support?
ECI is a CMMC Registered Practitioner organization. We help DoD contractors assess their current posture, build their SSP and POA&M, and prepare for C3PAO assessment.