CMMC 2.0 Is Here: What Every Defense Contractor Needs to Know Right Now

The framework is finalized. The clock is running. Here is your starting point.

The Wait-and-See Window Is Closed

For the better part of three years, CMMC felt like the compliance requirement that kept getting delayed. Rulemaking revisions, shifting timelines, and program restructuring gave many contractors a reason to hold off. That window is closed. 

CMMC 2.0 has been finalized through the federal rulemaking process, and the DoW is actively phasing certification requirements into contracts. If your organization touches Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under a DoW contract, CMMC compliance is no longer optional. It is a condition of doing business. 

The Three-Level Structure

CMMC 2.0 simplified the original five-level model into three levels, each with distinct requirements and assessment methods. 

Level 1: Foundational 

17 practices aligned with FAR 52.204-21. Annual self-assessment with senior official affirmation. Applies to organizations handling basic Federal Contract Information. 

Level 2: Advanced 

110 practices drawn directly from NIST SP 800-171. Third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) is required for contracts involving prioritized acquisitions. Self-assessment is permitted for a subset of non-critical programs. This is where the majority of DIB contractors will land. 

Level 3: Expert 

110-plus practices with additional requirements from NIST SP 800-172. Government-led assessments conducted by DIBCAC. Reserved for the highest-priority programs involving the most sensitive CUI. 

What Level 2 Actually Means in Practice

For most contractors, Level 2 is the target. That means: 

  • Full implementation of all 110 practices in NIST SP 800-171 
  • A complete, accurate System Security Plan (SSP) describing your environment and control implementations 
  • A formal third-party assessment conducted by an accredited C3PAO 
  • Affirmation of your compliance status submitted to the Supplier Performance Risk System (SPRS) 
  • Scoring at the assessment-objective level: 320 objectives sit beneath the 110 controls, and one missed objective fails the whole control.

These are not light-touch requirements. The 110 controls span 14 domains including access control, incident response, configuration management, media protection, and system and communications protection. Many organizations discover significant gaps when they first measure themselves against the full control set.

The Business Consequences of Delay

The DoW has been explicit: CMMC certification will be a go/no-go requirement in covered contracts. Without it, you cannot bid, you cannot renew, and you cannot perform work that involves CUI. That is not a compliance risk. It is a revenue risk. 

Primes are also accelerating flow-down requirements to their subcontractor supply chains. Even if you are a tier-two or tier-three contractor, your prime’s certification posture is increasingly dependent on yours. Waiting to act is not a neutral decision. 

Where to Start

The most important first step is understanding where you stand today. A formal gap assessment against NIST SP 800-171 gives you a prioritized picture of what is implemented, what is partial, and what is missing. From there, you can build a realistic remediation roadmap and timeline to assessment. 

Fortreum is an accredited C3PAO with deep experience guiding DIB contractors through every phase of CMMC readiness. We help organizations scope their environment, build their SSP, close control gaps, and prepare for and pass their third-party assessment. 

What can Fortreum do for you?

Let us know how Fortreum can help you navigate the changing currents of cybersecurity. For more information, visit the Fortreum website or follow the company on LinkedIn at LinkedIn.com/company/fortreum.

Should you have questions about your FedRAMP, CMMC, cloud and cybersecurity readiness, please reach out to us at Info@fortreum.com or Contact Us at https://fortreum.com/contact/