What Is CMMC 2.0? Everything You Need to Know


CMMC 2.0 is the current version of the Cybersecurity Maturity Model Certification program — the Department of Defense’s framework for verifying that defense contractors and subcontractors have implemented the cybersecurity controls required to protect sensitive defense information.

It replaced the original CMMC 1.0 framework and reduced the program from five levels to three, aligning requirements directly with established NIST standards rather than maintaining a separate requirements structure. The CMMC 2.0 program rule (32 CFR Part 170) took effect December 16, 2024, establishing the framework.

The companion DFARS acquisition rule took effect November 10, 2025, starting the phased rollout of CMMC requirements into DoD contracts. 

Related Topic: CMMC Level 3 Checklist: Requirements Every Contractor Must Meet

What CMMC 2.0 Replaced

The original CMMC program — commonly called CMMC 1.0 — was introduced in 2020 and organized contractor cybersecurity requirements into five maturity levels. Each level combined specific security practices with maturity processes, creating a framework that many defense contractors found complex and difficult to map to existing standards. CMMC 1.0 also created uncertainty because it introduced requirements beyond what NIST SP 800-171 specified, meaning contractors working toward NIST compliance were still unsure exactly what CMMC would require. 

The DoD responded to those concerns by redesigning the program. CMMC 2.0 was announced in November 2021 and was later codified in the 32 CFR Part 170 program rule, with the DFARS acquisition rule putting the requirements into contracts. The redesign simplified the framework in three meaningful ways.

First, it reduced the number of levels from five to three. The intermediate levels that created confusion in the 1.0 structure were eliminated. 

Second, it aligned requirements directly with NIST standards. CMMC 2.0 Level 2 requires exactly the 110 security requirements in NIST SP 800-171 Revision 2 — no more and no less. CMMC 2.0 Level 3 adds the 24 enhanced requirements from NIST SP 800-172. Contractors who had already been working toward NIST SP 800-171 compliance were no longer facing a moving target. 

Third, it made Level 1 a self-assessment and allowed self-assessment at Level 2 for contracts the DoD designates as lower sensitivity, reducing the burden on smaller contractors whose programs do not warrant third-party verification.

Related Topic: Why DoD Cybersecurity Compliance Is Important?

The Three Levels of CMMC 2.0 

CMMC 2.0 has three levels. The applicable level for any contractor is determined by the type of information that flows through their environment under DoD contracts. 

CMMC Level 1: Foundational 

CMMC Level 1 applies to contractors that handle Federal Contract Information — the basic documentation, purchase order data, and contract-related information that flows through defense procurement. It covers 15 foundational cybersecurity requirements from FAR 52.204-21. 

Level 1 requires an annual self-assessment. There is no third-party certification requirement. Contractors record the self-assessment result and a senior official's affirmation in the Supplier Performance Risk System (SPRS). All 15 requirements must be met: Level 1 does not permit a plan of action and milestones (POA&M) for unmet requirements.

CMMC Level 2: Advanced 

CMMC Level 2 applies to contractors that handle Controlled Unclassified Information. It requires full implementation of the 110 security requirements in NIST SP 800-171 Revision 2 to protect CUI, covering 14 control families including access control, incident response, configuration management, audit and accountability, and system and communications protection. 

Level 2 has two tracks. For contracts involving more sensitive programs, a triennial third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) is required. For other programs, a triennial self-assessment is permitted. Both tracks require an annual affirmation by a senior company official, and the DoD, not the contractor, determines which track applies based on program sensitivity. Unlike Level 1, Level 2 allows a conditional status with a POA&M: the assessment must score at least 88 of 110, only certain one-point requirements may remain open, and open items must be closed within 180 days. Achieving CMMC Level 2 certification typically takes six to eighteen months from initial gap assessment to assessment readiness.

Level 2 is the most relevant level for the majority of defense subcontractors, including most small manufacturers working on DoD-adjacent programs. 

CMMC Level 3: Expert 

CMMC Level 3 applies to contractors handling the most sensitive CUI associated with critical defense programs. It requires the 110 Level 2 requirements plus 24 enhanced requirements selected from NIST SP 800-172, for a total of 134 security requirements. Level 3 is assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a government body, rather than by commercial C3PAOs, and a contractor must already hold a final Level 2 certification from a C3PAO covering the same scope before a Level 3 assessment can take place.

The DoD has estimated approximately 1,487 organizations — roughly 1% of the defense industrial base — will require Level 3 certification. For most defense subcontractors, Level 3 does not apply. A detailed breakdown of what CMMC Level 3 requires is available for contractors who need to understand the full scope. 

Related Topic: How to Achieve DFARS Cybersecurity Compliance Successfully?

Who CMMC 2.0 Applies To 

CMMC 2.0 applies to any contractor or subcontractor in the DoD supply chain whose contracts require handling of FCI or CUI. This includes prime contractors with direct DoD contracts and subcontractors at every tier — from major defense integrators down to small manufacturers receiving purchase orders that include defense-related technical data. 

The applicable CMMC level is not a choice. It is determined by the type of information flowing through the contractor’s environment and the requirements specified in the contract. When a prime contractor’s contract includes CMMC requirements, those requirements flow down to subcontractors through purchase orders and contract clauses. 

Small manufacturers often underestimate their exposure. If a customer sends drawings, specifications, or technical data under a defense contract, the contractor is likely handling CUI that triggers Level 2 requirements — regardless of whether they have a direct relationship with the DoD. 

How CMMC 2.0 Is Implemented: The Two-Rule Structure 

The CMMC 2.0 framework is implemented through two rules working together. The 32 CFR Part 170 program rule established the framework, defined the three levels, and created the assessment and certification structure. The DFARS acquisition rule adds CMMC requirements to DoD contracts as agencies award new agreements and renew existing ones. 

The result is a phased rollout. Phase 1 began November 10, 2025, with requirements entering contracts on a rolling basis rather than all at once. In Phase 1, new solicitations may require Level 1 or Level 2 self-assessments; Level 2 C3PAO certification requirements follow in Phase 2 a year later, Level 3 requirements in Phase 3, and Phase 4 brings full implementation across applicable contracts three years after the start. The CMMC compliance timeline explains the phase structure and what contractors should expect as the rollout progresses toward full implementation.

Right Hand Technology Group’s CMMC compliance services help defense subcontractors understand which level applies to their work, where their current environment stands against those requirements, and what it will take to achieve and maintain compliance as the rollout reaches their contracts. 

Related Topic: How to Get CMMC Level 2 Certification: What Businesses Must Do First

What CMMC 2.0 Means for Small Manufacturers 

The practical implication of CMMC 2.0 for most small defense subcontractors is straightforward: if your work involves CUI, you need Level 2. If you handle only FCI, you need Level 1. And if a customer has not asked yet, the question is coming. 

At Levels 1 and 2, CMMC 2.0 does not create new security requirements that did not exist before. It adds a verification layer on top of requirements that have been in defense contracts for years through FAR 52.204-21, DFARS 252.204-7012, and NIST SP 800-171; only Level 3 introduces requirements (from NIST SP 800-172) that were not previously contractual. What CMMC 2.0 adds is accountability. Contractors can no longer rely on largely unverified self-reporting of their cybersecurity posture. The program requires them to demonstrate compliance through assessment (annually at Level 1, every three years at Levels 2 and 3) and to affirm continuing compliance annually.

The cost of CMMC compliance varies significantly based on how far a contractor's current environment is from the requirements. Organizations that have already been working toward NIST SP 800-171 compliance will find the gap smaller. Those starting from scratch face a longer and more expensive path, both to reach an assessable state and to keep the controls operating between assessments.

Related Topic: How Much Does CMMC Certification Cost for Small Businesses?

The Practical Bottom Line 

CMMC 2.0 is the operative cybersecurity assessment and certification framework for the defense supply chain. It uses three levels, aligns directly with NIST standards, and enters DoD contracts gradually through phased implementation. For most defense subcontractors, the relevant question is whether their environment meets Level 2 requirements, and whether they know the answer before a contract renewal or customer questionnaire makes it urgent.

Start with the RightSentry Snapshot to understand where your environment stands against CMMC 2.0 requirements — what level applies, what gaps exist, and what it will realistically take to achieve and maintain compliance. 


Frequently Asked Questions 

Is CMMC 2.0 Required?

Yes. CMMC 2.0 is required for defense contractors whose DoD contracts include CMMC requirements. As CMMC expands, more contractors and subcontractors must prove compliance to qualify for and maintain defense contracts.

What Is the Difference Between CMMC Level 1 and Level 2?

Level 1 applies to organizations handling Federal Contract Information (FCI) and requires 15 basic cybersecurity controls. Level 2 applies to companies handling Controlled Unclassified Information (CUI) and requires compliance with 110 NIST SP 800-171 security controls.

Can You Self-Assess CMMC Level 2?

In some cases, yes. Certain Level 2 contractors can complete a self-assessment and annual affirmation. Others supporting sensitive programs must undergo an assessment by an accredited third-party assessor (C3PAO).

Which Companies Need CMMC Certification?

Companies that handle FCI or CUI within the defense supply chain must achieve the CMMC status their contracts specify: a self-assessment at Level 1 and on some Level 2 contracts, and a C3PAO or DIBCAC certification otherwise. This applies to both prime contractors and subcontractors.

What Happens If You Don’t Get CMMC Certified?

If you lack the required CMMC certification, you cannot win, renew, or maintain contracts that mandate compliance. Delaying compliance can also increase remediation costs and business risk.
