
Complete Guide to Understanding CMMC Compliance

February 18, 2026



Cybersecurity requirements for companies in the defense supply chain have entered a decisive enforcement phase. The Department of Defense has moved beyond self-attestation and toward verifiable, contract-bound cybersecurity standards. The Cybersecurity Maturity Model Certification (CMMC) now plays a central role in determining which organizations are eligible to work with the DoD.

CMMC establishes three compliance levels, each tied directly to the sensitivity of the data an organization handles. Whether a company works with Federal Contract Information or Controlled Unclassified Information determines not only which level applies, but also when compliance is required as CMMC clauses are phased into DoD contracts.

For security leaders, this shift has practical consequences. CMMC is shaping procurement decisions, audit expectations, and how the DoD evaluates risk across an increasingly complex supply chain. Organizations that prepare early gain more than certification readiness. They gain clarity about their data environments, stronger operational controls, and a defensible security posture that holds up under assessment.

This guide explains how CMMC works today, how the model evolved into CMMC 2.0, what the three levels require, how timelines factor into compliance, and what organizations must do to prepare for assessment, with particular focus on CMMC Level 2.

What Is CMMC and How Did It Evolve into CMMC 2.0

The Cybersecurity Maturity Model Certification is a framework created by the Department of Defense to assess and improve the cybersecurity posture of organizations within the Defense Industrial Base.

CMMC verifies that contractors and subcontractors are protecting sensitive government data, including:

  • Federal Contract Information (FCI)
  • Controlled Unclassified Information (CUI)

Prior to CMMC, the DoD relied largely on self-attestation under DFARS requirements. In practice, this led to inconsistent implementation of controls and limited visibility into whether protections were actually effective.

CMMC introduced standardized security requirements and tied them directly to contract eligibility. Certification is based on demonstrated implementation, documented processes, and evidence that controls are operating as intended.

CMMC 2.0 represents an evolution of the original model. The DoD refined the framework to reduce unnecessary complexity while maintaining strong alignment with established standards, particularly NIST SP 800-171.

Key characteristics of CMMC 2.0 include:

  • A reduction from five maturity levels to three
  • Clear alignment with NIST standards
  • Explicit separation of requirements for FCI and CUI
  • Defined assessment paths based on data sensitivity and contract risk

The result is a framework that is easier to assess, more consistent to enforce, and more closely tied to real-world data security risk.

The Three CMMC 2.0 Levels

CMMC consists of three levels. The level your organization must achieve depends on the type of data associated with your DoD contracts, not on organizational size or preference.

CMMC Level | Primary Focus                      | Assessment Type
-----------|------------------------------------|------------------------------------------
Level 1    | Federal Contract Information       | Annual self-assessment
Level 2    | Controlled Unclassified Information | Self-assessment or third-party assessment
Level 3    | High-risk CUI                      | Government-led assessment

CMMC Level 1

CMMC Level 1 applies to organizations that handle Federal Contract Information only. It includes 17 foundational cybersecurity practices aligned with FAR 52.204-21.

Examples include:

  • Limiting system access to authorized users
  • Protecting physical access to systems
  • Using basic authentication mechanisms
  • Preventing public exposure of FCI

Compliance at Level 1 is validated through an annual self-assessment.

CMMC Level 2

CMMC Level 2 is the most common and most critical level for defense contractors. It applies to organizations that store, process, or transmit Controlled Unclassified Information.

Level 2 requires full implementation of the 110 security controls defined in NIST SP 800-171. These controls must be documented, consistently applied, and operational across the environment.

Key requirement areas include:

Depending on the contract, Level 2 compliance may be validated through a self-assessment or a third-party assessment conducted by a Certified Third-Party Assessment Organization.

CMMC Level 3

CMMC Level 3 applies to organizations supporting the most sensitive DoD programs. It builds on Level 2 requirements and introduces additional controls derived from NIST SP 800-172.

Assessments at this level are conducted by the government through the Defense Industrial Base Cybersecurity Assessment Center.

When CMMC 2.0 Compliance Is Required

CMMC 2.0 is being implemented through a phased rollout tied to contract clauses rather than a single universal deadline. Requirements will appear in solicitations and contracts based on program risk and data sensitivity.

Key timing considerations include:

  • CMMC requirements are contract-specific
  • Different contracts may require different levels
  • Certification must be achieved before contract award when required

Initial enforcement begins as CMMC clauses are included in new solicitations, with broader adoption expanding over the following years. By the end of the rollout period, all applicable DoD contracts are expected to include CMMC requirements appropriate to the data involved.

Organizations that wait until requirements appear in solicitations often face compressed timelines, limited assessor availability, and increased risk of contract delays.

Who Needs CMMC Certification

Organizations that hold Department of Defense contracts or subcontracts containing CMMC requirements must achieve the level specified in those contracts.

This typically includes:

  • Prime contractors awarded DoD contracts with CMMC clauses
  • Subcontractors at any tier when contract flow requires certification

External service providers (ESPs), managed service providers (MSPs), SaaS vendors, and cloud providers are not automatically required to obtain CMMC certification. However, when they store, process, or transmit Controlled Unclassified Information (CUI) on behalf of an organization seeking certification (OSC), they may be included within the OSC's assessment scope.

In those cases, the OSC remains responsible for demonstrating that the service provider meets the required security equivalency standards (such as FedRAMP Moderate authorization, FedRAMP Moderate equivalency, or CMMC Level 2 certification, where applicable).

Certification obligations are determined by contract requirements and data sensitivity, not by company type alone.

What Is a CMMC Audit and How It Ties to Compliance

A CMMC audit, formally referred to as an assessment, evaluates whether an organization has implemented and is sustaining the required security controls for its assigned level.

Assessments focus on more than the presence of tools. Auditors evaluate whether controls are:

  • Defined through formal policies and procedures
  • Implemented consistently across systems and users
  • Supported by evidence of ongoing enforcement
  • Integrated into day-to-day operations

For CMMC Level 2, assessments may be conducted through self-assessment or by a Certified Third-Party Assessment Organization, depending on contract requirements. Level 3 assessments are conducted by the government.

Audit readiness and compliance are closely linked. Evidence collected during an assessment reflects normal operating conditions, not temporary configurations. Organizations that treat audits as one-time events often struggle with remediation and re-assessment cycles.

Sustained compliance requires continuous monitoring, regular evidence collection, and executive accountability. This approach reduces audit friction and strengthens overall security resilience.

How to Achieve CMMC Certification

Step 1: Determine Your Required CMMC Level

Review contract requirements and identify whether your organization handles FCI, CUI, or both.

Step 2: Conduct a Formal Gap Assessment

Perform a structured gap assessment against applicable CMMC requirements. For Level 2, this includes mapping your environment to the 110 controls in NIST SP 800-171 and evaluating implementation against the corresponding objectives.

This step identifies deficiencies in technical controls, documentation, processes, and operational enforcement before engaging in formal assessment activities.

Step 3: Close Gaps and Implement Controls

Address technical, procedural, and documentation gaps identified during assessment.

Step 4: Prepare for Assessment

Collect evidence, validate control effectiveness, and prepare for either self-assessment or third-party assessment as required.

Step 5: Maintain Continuous Compliance

Controls must remain effective over time through monitoring, policy enforcement, and regular review.

CMMC Compliance Checklist

  • Identify FCI and CUI across all environments
  • Map data flows and access paths
  • Implement required NIST controls
  • Document policies and procedures
  • Establish continuous monitoring
  • Prepare audit evidence
  • Train employees on security responsibilities

This checklist supports readiness but does not replace a formal assessment.

How CMMC Readiness Improves Data Security

Preparing for CMMC forces organizations to address foundational weaknesses in how sensitive data is identified, accessed, and protected.

Readiness requires visibility into where CUI resides, how it moves between systems, and who can access it. This clarity reduces exposure, limits lateral movement during incidents, and improves response effectiveness.

Stronger access controls reduce over-permissioning and limit the impact of credential compromise. Continuous monitoring shifts security programs toward early detection and measurable control effectiveness.

CMMC readiness also aligns security, IT, compliance, and leadership around the data that matters most. Organizations emerge with clearer ownership, enforceable processes, and a durable security foundation that extends well beyond certification.

Cyberhaven supports organizations pursuing CMMC certification by strengthening their ability to identify, monitor, and protect sensitive DoD data across cloud and on-prem environments. Cyberhaven enables continuous visibility into FCI and CUI, enforces data protection policies, and generates operational evidence aligned with NIST SP 800-171 requirements. With Cyberhaven, CMMC readiness becomes an ongoing capability rather than a one-time effort.

Learn more about the Cyberhaven AI & Data Security Platform.