CMMC 2.0 Is Here - And It's Mandatory
The Department of Defense's Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is no longer optional for defense contractors. If your organization handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) and you want to win or maintain DoD contracts, CMMC certification is now a requirement that's showing up in solicitations.
The good news: CMMC 2.0 simplified things significantly compared to version 1.0. The bad news: it still requires real work, and organizations that haven't started preparing are running out of runway.
What Changed from CMMC 1.0 to 2.0
CMMC 1.0 had five maturity levels with a mix of practices and processes. It was complex, expensive, and slow to implement. Version 2.0 streamlined the framework in several important ways:
Three Levels Instead of Five
- Level 1 (Foundational) - 17 practices based on FAR 52.204-21. Protects FCI. Requires annual self-assessment.
- Level 2 (Advanced) - 110 practices aligned directly with NIST SP 800-171 Rev 2. Protects CUI. Requires third-party assessment (C3PAO) for critical programs, self-assessment for select programs.
- Level 3 (Expert) - Based on a subset of NIST SP 800-172. Protects CUI against advanced persistent threats. Requires government-led assessment (DIBCAC).
Key Simplifications
- Eliminated unique CMMC practices - Level 2 now maps directly to NIST 800-171, so if you've been working toward NIST compliance, you're already on the right track.
- Introduced self-assessment options - Not every contractor needs a third-party audit. Level 1 and some Level 2 programs allow self-assessment with senior official affirmation.
- Removed maturity processes - The process maturity requirements from 1.0 are gone, reducing documentation overhead.
- Plans of Action & Milestones (POA&Ms) - Limited use of POA&Ms is now allowed, giving organizations time to close specific gaps after assessment.
Which Level Do You Need?
This depends on the type of information you handle:
- FCI only - Level 1 is likely sufficient. This covers basic cyber hygiene like using antivirus, limiting access, and keeping systems patched.
- CUI - You'll need Level 2. This is where most defense contractors land. The 110 controls cover access management, incident response, system integrity, audit logging, and more.
- CUI on critical programs - Level 2 with third-party assessment from a CMMC Third-Party Assessment Organization (C3PAO).
- Highest-priority CUI - Level 3, assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
If you're unsure what category your contracts fall into, check your contract clauses for DFARS 252.204-7012, 7019, 7020, and 7021.
The NIST 800-171 Connection
This is critical to understand: CMMC Level 2 is NIST SP 800-171. The 110 security requirements are organized into 14 families:
- Access Control - Who can access what, and how
- Awareness and Training - Security training for personnel
- Audit and Accountability - Logging and monitoring activities
- Configuration Management - Baseline configurations and change control
- Identification and Authentication - MFA, password policies, identity verification
- Incident Response - Detection, reporting, and response procedures
- Maintenance - System maintenance controls
- Media Protection - Protecting CUI on digital and physical media
- Personnel Security - Screening and access management for personnel
- Physical Protection - Facility access controls
- Risk Assessment - Identifying and managing security risks
- Security Assessment - Periodic evaluation of security controls
- System and Communications Protection - Network security and encryption
- System and Information Integrity - Patch management and malware protection
If you've already completed a NIST 800-171 self-assessment and submitted your score to SPRS, you have a significant head start.
Common Gaps We See
After working with defense contractors on compliance readiness, these are the gaps that come up most frequently:
1. Inadequate CUI Scoping
Many organizations don't have a clear picture of where CUI lives, how it flows, and which systems are in scope. Without proper scoping, you either over-invest by protecting everything or under-invest by missing critical systems.
2. Weak Access Controls
Multi-factor authentication, least-privilege access, and session management are frequently incomplete. MFA in particular is a non-negotiable requirement that many organizations still haven't fully deployed.
3. Insufficient Audit Logging
You need comprehensive logging that captures who accessed what, when, and what they did. Many organizations have logging enabled but aren't reviewing logs or retaining them for the required period.
4. Missing or Incomplete System Security Plan (SSP)
The SSP documents how your organization meets each of the 110 requirements. Many SSPs we review are either missing, outdated, or don't accurately reflect the actual environment. Your SSP is a living document that needs to match reality.
5. Incident Response Gaps
Having an incident response plan on paper isn't enough. It needs to be tested through tabletop exercises, and your team needs to know their roles. Incident response for CUI environments also has specific reporting requirements to DIBCAC.
How to Get Started
If you haven't started your CMMC journey yet, here's a practical approach:
Step 1: Scope Your Environment
Identify all systems, networks, and processes that handle CUI or FCI. This defines what's in scope for assessment and prevents you from trying to certify your entire enterprise.
Step 2: Conduct a Gap Assessment
Compare your current security controls against NIST 800-171 requirements. Be honest about where you stand. A realistic gap assessment saves time and money compared to discovering gaps during your actual assessment.
Step 3: Develop a Remediation Plan
Prioritize gaps based on risk and assessment timeline. Some controls (like MFA deployment) take months to implement properly, so start with the long-lead items.
Step 4: Implement and Document
Close gaps and document your implementation in your System Security Plan. Remember that documentation isn't extra work - it's evidence that your controls exist and function.
Step 5: Assess and Maintain
Conduct a self-assessment (or engage a C3PAO for Level 2 third-party assessment). Then establish continuous monitoring to maintain compliance, not just achieve it.
CMMC and the Cloud
Many defense contractors are moving CUI workloads to the cloud, and for good reason - cloud environments can simplify compliance when properly configured. But "cloud" doesn't automatically mean "compliant."
Key considerations for cloud-hosted CUI:
- Use FedRAMP-authorized services - AWS GovCloud, Azure Government, and Google Cloud's FedRAMP-authorized offerings provide the baseline infrastructure controls you need.
- Shared responsibility applies - The cloud provider handles infrastructure security, but you're still responsible for access management, data classification, encryption configuration, and application-level controls.
- Encrypt CUI in transit and at rest - Use FIPS 140-2 validated encryption modules.
- Implement proper network segmentation - CUI environments should be isolated from general-purpose workloads.
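The three cloud considerations above (encryption at rest, TLS for data in transit, no exposure to general-purpose or public access) are configuration facts that can be checked rather than asserted. The following is an added example, not code from the original post or from Edwards Consulting Group: an offline Python checker that audits bucket configurations of the shape returned by the AWS S3 APIs (get_bucket_encryption, get_bucket_policy, get_public_access_block). The bucket records, account ID and key ARN are constructed placeholders, and the check confirms only that encryption is configured, not that the provider's module is FIPS 140-2 validated, which is a provider-side property.

```python
"""Added example (not from the original post): audit constructed S3-style bucket
configurations for the CUI-in-the-cloud baseline described in the text.
No AWS calls are made; the records below mimic boto3 response shapes."""
import json


def _statements(policy):
    """Return the Statement list of a policy document (empty if no policy)."""
    stmts = (policy or {}).get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def denies_plain_http(policy):
    """True if a Deny statement rejects all principals on s3:* when
    aws:SecureTransport is false, i.e. non-TLS requests are refused."""
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if not any(a in ("s3:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def default_encryption_ok(encryption):
    """True if a default server-side encryption rule (SSE-S3 or SSE-KMS) exists."""
    for rule in (encryption or {}).get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ("AES256", "aws:kms"):
            return True
    return False


def public_access_blocked(pab):
    """True only when all four public-access-block settings are enabled."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all((pab or {}).get(k) is True for k in keys)


def audit_bucket(bucket):
    """Return a list of gap descriptions for one bucket record (empty = no gaps)."""
    findings = []
    if not default_encryption_ok(bucket.get("encryption")):
        findings.append("no default server-side encryption (CUI at rest unencrypted)")
    if not denies_plain_http(bucket.get("policy")):
        findings.append("policy does not deny non-TLS requests (CUI in transit)")
    if not public_access_blocked(bucket.get("public_access_block")):
        findings.append("public access block not fully enabled")
    return findings


def audit_all(buckets):
    return {b["name"]: audit_bucket(b) for b in buckets}


# Constructed sample records; account ID and KMS key ARN are placeholders.
_TLS_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::cui-good", "arn:aws:s3:::cui-good/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
_ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

SAMPLE_BUCKETS = [
    {"name": "cui-good",
     "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
         "SSEAlgorithm": "aws:kms",
         "KMSMasterKeyID": "arn:aws-us-gov:kms:us-gov-west-1:000000000000:key/PLACEHOLDER"}}]},
     "policy": _TLS_ONLY, "public_access_block": _ALL_BLOCKED},
    {"name": "fci-partial",
     "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
     "policy": None, "public_access_block": _ALL_BLOCKED},
    {"name": "cui-weak",
     "encryption": None,
     "policy": {"Version": "2012-10-17", "Statement": [{
         "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::000000000000:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::cui-weak/*"}]},
     "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                             "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
]

if __name__ == "__main__":
    print(json.dumps(audit_all(SAMPLE_BUCKETS), indent=2))
```

Each finding maps to one of the bullets above, so the output doubles as evidence for the System Security Plan: an empty list for a bucket is a documented "control in place", and a non-empty list is a candidate POA&M item. Segmentation of the surrounding network (VPC, security groups) is outside what a bucket-level check can see and needs its own review.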
How Edwards Consulting Group Helps
We help defense contractors and their subcontractors navigate CMMC compliance practically and efficiently:
- Gap assessments against NIST 800-171 and CMMC Level 2 requirements
- System Security Plan development and documentation
- Technical remediation - implementing controls in AWS and hybrid environments
- CUI scoping and data flow mapping
- Incident response planning with DoD-specific requirements
- Continuous monitoring setup to maintain compliance post-certification
- C3PAO assessment preparation so there are no surprises on assessment day
We've helped organizations across defense contracting, healthcare, and financial services meet rigorous compliance requirements. CMMC builds on the same security fundamentals we apply across every framework we support - HIPAA, PCI-DSS, HITRUST, SOC 2, ISO 27001, and NIST 800-53.
If you're a defense contractor that needs to get CMMC-ready, schedule a free consultation. We'll assess where you stand, identify your gaps, and build a realistic plan to get you to certification.