CMMC 2.0 Is Here: What Every Defense Contractor Needs to Know Right Now

The framework is finalized. The clock is running. Here is your starting point.


The Wait-and-See Window Is Closed

For the better part of three years, CMMC felt like the compliance requirement that kept getting delayed. Rulemaking revisions, shifting timelines, and program restructuring gave many contractors a reason to hold off. That window is closed. 

CMMC 2.0 has been finalized through the federal rulemaking process: both the program rule (32 CFR Part 170) and the acquisition rule that puts the clause into contracts (48 CFR, DFARS) are final, and the DoW is phasing certification requirements into new solicitations and contracts over a multi-year rollout. If your organization touches Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under a DoW contract, CMMC compliance is no longer optional. It is a condition of doing business.

The Three-Level Structure

CMMC 2.0 streamlined the original five-level model into three certification levels, each aligned to the type of information an organization handles and the risk associated with the contract.

Level 1: Federal Contract Information (FCI) Protection
17 practices aligned with the 15 basic safeguarding requirements of FAR 52.204-21. Requires an annual self-assessment, with the results and an affirmation by a senior official entered in the Supplier Performance Risk System (SPRS). Applies to organizations handling Federal Contract Information but not Controlled Unclassified Information (CUI).

Level 2: Controlled Unclassified Information (CUI) Protection
110 practices aligned with NIST SP 800-171. Level 2 has two tracks: Level 2 (C3PAO), a third-party assessment by a Certified Third-Party Assessment Organization required for prioritized acquisitions, and Level 2 (Self), a self-assessment permitted for non-prioritized acquisitions. A Level 2 (C3PAO) certification is valid for three years, with an annual affirmation by a senior official in between. This level applies to most Defense Industrial Base contractors handling CUI.

Level 3: Enhanced Protection for High-Priority Programs
Builds upon Level 2 with 24 additional requirements selected from NIST SP 800-172. A current Level 2 (C3PAO) certification is a prerequisite. Assessments are conducted by the government's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and apply to the most sensitive defense programs.

Where to Start

The most important first step is understanding where you stand today. Start by scoping: identify where FCI and CUI are stored, processed, and transmitted, because that boundary decides which systems, people, and cloud services are in the assessment. Then run a formal gap assessment against NIST SP 800-171 to get a prioritized picture of what is implemented, what is partial, and what is missing, documented in a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M). Note that DFARS 252.204-7019 and 252.204-7020 already require contractors handling CUI to score that self-assessment and post the score in SPRS, so the gap assessment is not new work; CMMC raises the bar on how it is verified. From there, you can build a realistic remediation roadmap and timeline to assessment.

Fortreum is an accredited C3PAO with deep experience guiding DIB contractors through every phase of CMMC readiness. We help organizations scope their environment, build their SSP, close control gaps, and prepare for and pass their third-party assessment. 

What can Fortreum do for you?

Let us know how Fortreum can help you navigate the changing currents of cybersecurity. For more information, visit the Fortreum website or follow the company on LinkedIn at LinkedIn.com/company/fortreum.

Should you have questions about your FedRAMP, CMMC, cloud and cybersecurity readiness, please reach out to us at Info@fortreum.com or Contact Us at https://fortreum.com/contact/
