With the introduction of v2.0, the Department of Defense (DoD) finalized the Cybersecurity Maturity Model Certification (CMMC). The program is officially in effect, which calls for swift compliance from all in-scope organizations.

After the initial introduction of CMMC 1.0 in 2020, the DoD made considerable changes to the program, which resulted in the development and enforcement of CMMC 2.0. If you’re not yet familiar with all the notable changes, this guide will help by covering the CMMC final rule. You’ll learn about:

  • CMMC’s scope and certification levels
  • Key practices
  • The CMMC scoring model
  • The phased implementation timeline

CMMC scope and applicability

The first major change from CMMC 1.0 to 2.0 relates to the program’s scope. Initially, only DoD contractors were obligated to comply with the CMMC to obtain and maintain government contracts. The final rule expands the scope to subcontractors to ensure more comprehensive protection of critical data.

According to this change, all contractors and subcontractors within the DoD supply chain and the Defense Industrial Base (DIB) must comply with CMMC. This goes for organizations regardless of their:

  • Size
  • Location
  • Industry

CMMC practices apply regardless of these factors—as long as an organization works with the DoD and manages Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI), it must ensure full compliance.

The only exception to this rule is for providers of commercial off-the-shelf (COTS) items as defined in FAR 2.101. An item is considered COTS if it meets these three criteria:

  1. It’s a commercial product used by the general public
  2. It’s sold on a commercial market in considerable quantities
  3. It’s offered to the government in the same form it’s sold on the commercial market, without any modifications

Note that bulk cargo doesn’t fall under COTS as per 46 U.S.C. 40102(4), even though it technically meets these criteria. This means that providers of items like agricultural or petroleum products might still need CMMC compliance under the final rule.

CMMC final rule assessment levels

The CMMC final rule streamlines the certification process by consolidating the number of available certification levels from five to three. The CMMC 2.0 levels are outlined in the following table:

Level 1: Foundational
  Number of practices: 15 practices
  Assessment type: Self-assessment
  Assessment frequency: Annually
  Compliance affirmation frequency: Annually

Level 2: Advanced
  Number of practices: 110 NIST SP 800-171 R2 practices
  Assessment type: Self-assessment or a Certified Third-Party Assessor Organization (C3PAO) assessment
  Assessment frequency: Triennially
  Compliance affirmation frequency: Annually

Level 3: Expert
  Number of practices: 110 NIST SP 800-171 R2 practices + 24 practices based on NIST SP 800-172
  Assessment type: Government-led assessment performed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
  Assessment frequency: Triennially
  Compliance affirmation frequency: Annually (for both Level 2 and Level 3)

To determine the necessary certification level for your organization, start by looking into the information you manage:

  • Level 1 is mainly aimed at organizations handling FCI
  • Levels 2 and 3 are required for organizations with access to CUI

To remove guesswork from the certification process, the DoD will specify the required certification level in future contracts and solicitations. If you’re not already working with the DoD, you should be able to see all CMMC practices before bidding on tenders.

Organizations already working with the DoD might receive notifications of the required CMMC level. If this doesn’t happen, and you can’t determine the necessary level, contact your DoD Contracting Officer (or the primary contractor if you’re a subcontractor).


CMMC scoring model at a glance

Besides outlining the certification levels, the CMMC introduces a clear scoring system for assessing compliance, which varies depending on the certification level.

Regardless of the assessment type, CMMC assessment findings can be classified into three outcomes:

  1. MET
  2. NOT MET
  3. N/A

For Level 1, the scoring is straightforward—each practice is either MET or NOT MET. To achieve certification, an organization must meet all Level 1 practices.

For Level 2 and Level 3 assessments performed by C3PAOs, the minimum threshold for certification is meeting 80 percent of the in-scope practices. If you reach it but still have compliance gaps, you will be required to complete a Plan of Action and Milestones (POA&M). This document outlines how you plan to address the gaps in order to obtain a Conditional Certificate. You then have 180 days to remediate the gaps, after which you can obtain the Final Certificate.

In Level 2 assessments, practices can have differing values (1, 3, or 5) depending on their security impact. For example:

  • AU.L2-3.3.2 – User Accountability is considered a basic security practice under CMMC. Failure to implement it results in a three-point deduction from the maximum possible score
  • Any practice that directly protects from significant network exploitation and CUI exfiltration (e.g., AC.L2-3.1.1 – Authorized Access Control) carries five points, meaning failure to implement it results in a five-point deduction

Level 3 assessment scoring doesn’t use varying values—all practices are worth one point and must be implemented in full to ensure compliance.

You can still submit a POA&M if the initial assessment findings identify gaps, provided they affect under 20% of in-scope practices (consistent with the 80 percent threshold above). Regardless of the level, the POA&M must include:

  • Practice reference for the identified gap
  • Gap description
  • Plan of action and required resources
  • Remediation start and end dates
  • Milestones
  • Responsible parties
  • Status
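To make the scoring rules and the required POA&M fields concrete, here is an added Python example (not code from the original article or from Vanta) that scores a constructed set of assessment findings and builds one POA&M row per gap. Only the two named practices (AC.L2-3.1.1 at five points, AU.L2-3.3.2 at three points) and the 80 percent / 180-day figures come from the text; the EX.L2-... identifiers, the other weights, the findings, the responsible party and the assessment date are constructed, and treating N/A findings as out of scope and the maximum score as one point per in-scope practice are assumptions.

```python
"""CMMC 2.0 scoring and POA&M skeleton (constructed example, not Vanta's code).

The two named practices and their point values come from the article; every
"EX.L2-..." identifier, the remaining weights, the findings and the start date
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MET, NOT_MET, NA = "MET", "NOT MET", "N/A"
THRESHOLD = 0.80        # share of in-scope practices that must be MET for a Conditional Certificate
REMEDIATION_DAYS = 180  # window to close POA&M gaps before the Final Certificate


@dataclass(frozen=True)
class Practice:
    ident: str    # practice reference, e.g. AU.L2-3.3.2
    name: str
    weight: int   # Level 2 point value: 1, 3 or 5; Level 1 and Level 3 count every practice as 1
    finding: str  # MET, NOT MET or N/A


# Constructed findings: only AC.L2-3.1.1 (5 pts) and AU.L2-3.3.2 (3 pts) are from the article.
SAMPLE = [
    Practice("AC.L2-3.1.1", "Authorized Access Control", 5, MET),
    Practice("AU.L2-3.3.2", "User Accountability", 3, NOT_MET),
    Practice("EX.L2-0.0.1", "Constructed practice A", 1, MET),
    Practice("EX.L2-0.0.2", "Constructed practice B", 1, MET),
    Practice("EX.L2-0.0.3", "Constructed practice C", 5, NA),
    Practice("EX.L2-0.0.4", "Constructed practice D", 1, MET),
    Practice("EX.L2-0.0.5", "Constructed practice E", 1, MET),
]


def score(practices, level):
    """Return (points, max_points, status) under the article's rules.

    Assumptions not spelled out in the article: N/A practices drop out of scope,
    the maximum possible score equals the number of in-scope practices (one point
    each, with 3- or 5-point deductions only for Level 2), and the 80 percent
    threshold is measured on the count of MET practices.
    """
    in_scope = [p for p in practices if p.finding != NA]
    not_met = [p for p in in_scope if p.finding == NOT_MET]
    max_points = len(in_scope)
    deduction = sum(p.weight for p in not_met) if level == 2 else len(not_met)
    points = max_points - deduction
    met_ratio = (max_points - len(not_met)) / max_points if max_points else 0.0

    if not not_met:                       # every in-scope practice MET
        status = "Final Certificate" if level in (2, 3) else "Certified"
    elif level == 1:                      # Level 1: no partial credit
        status = "Not certified"
    elif met_ratio >= THRESHOLD:          # Level 2/3: gaps allowed, POA&M required
        status = "Conditional Certificate (POA&M required)"
    else:
        status = "Not certified"
    return points, max_points, status


def poam_entries(practices, owner="TBD", start=None):
    """Build one POA&M row per NOT MET practice with the fields the rule requires."""
    start = start or date(2025, 9, 1)     # constructed assessment date
    end = start + timedelta(days=REMEDIATION_DAYS)
    return [
        {
            "practice_reference": p.ident,
            "gap_description": f"{p.name} ({p.ident}) assessed NOT MET",
            "plan_of_action": "TBD",
            "required_resources": "TBD",
            "remediation_start": start.isoformat(),
            "remediation_end": end.isoformat(),
            "milestones": [],
            "responsible_party": owner,
            "status": "Open",
        }
        for p in practices
        if p.finding == NOT_MET
    ]


if __name__ == "__main__":
    points, max_points, status = score(SAMPLE, level=2)
    print(f"Level 2: {points}/{max_points} points, {status}")
    for row in poam_entries(SAMPLE, owner="ISSM"):
        print(row)
```

With the constructed findings, five of six in-scope practices are MET (83 percent), so the organization clears the threshold for a Conditional Certificate, but the single NOT MET practice costs three points because it is a three-point practice; the same findings scored as Level 1 fail outright, since Level 1 allows no gaps.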

CMMC implementation timeline


Due to the complexity of CMMC and the need for thorough implementation, the DoD will release the program gradually in four phases outlined in the following table:

Phase 1 (mid-2025): Organizations must complete self-assessments for Level 1 and 2 solicitations (though formal certificates aren’t necessary). At this point, contractors should focus primarily on basic cybersecurity hygiene and supply chain security.

Phase 2 (mid-2026): Organizations must obtain formal certifications for certain Level 2 contracts (e.g., contracts involving CUI or critical cybersecurity practices). Contractors will need to adopt all the NIST SP 800-171 R2 controls regardless of the assessment type. This includes external service providers (ESPs) that manage CUI but excludes those that only manage security protection data (SPD).

Phase 3 (mid-2027): The DoD will include and start enforcing the practices for Level 3 certifications in select contracts. By this time, all Level 2 contracts will also include the necessary certification practices.

Phase 4 (mid-2028): All solicitations and contracts will include applicable CMMC Level practices as a condition of contract award.

As the first milestones are drawing near as of this writing, you must determine your applicable CMMC certification level as soon as possible to understand your obligations. You should then map out your CMMC certification process to proactively avoid compliance issues and make the process as streamlined as possible.


How to prepare for CMMC compliance

You can take the following steps to make your organization CMMC-ready:

  1. Understand the applicable certification level: Examine your data practices and your position in the DoD supply chain to determine your certification level, unless it’s highlighted in the solicitation.
  2. Define the certification scope: Review your assets to identify those that collect, store, or transfer FCI/CUI and meet other conditions for being scoped by the CMMC. This will help determine which parts of your IT infrastructure need to be assessed. You can work with an MSP to make sure your scope encompasses all the necessary elements.
  3. Conduct a gap analysis: Perform an extensive security review and other tests to assess your existing practices against the CMMC requirements and identify any gaps. If your organization needs to create a System Security Plan (SSP) for CMMC, this step can act as an input into creating, or updating, the SSP.
  4. Create a gap remediation plan: Remediate gaps proactively to ensure a smoother certification process.
  5. Document control implementation: Gather comprehensive documentation that demonstrates the implementation and effectiveness of the relevant practices. This will serve as evidence of CMMC compliance for regulatory bodies or third-party assessors.

Common CMMC implementation challenges you might encounter

You might run into several roadblocks while pursuing CMMC compliance, most notably:

  • Meeting Federal Information Processing Standard (FIPS) cryptography requirements: Organizations sometimes struggle to find readily available, FIPS-validated solutions to meet CMMC practices, which can cause delays in achieving compliance.
  • Lack of C3PAOs and certified government personnel: Only C3PAOs and government bodies can perform Level 2 and Level 3 audits, respectively—and there aren’t many of them at this point. Luckily, there’s still time (as of this writing) to increase the number of available personnel before compliance is necessary.
  • Differentiating between FCI and CUI: While there are definitions of FCI and CUI online, the decision of whether something is FCI or CUI ultimately rests with the DoD. This can hinder an organization’s scoping efforts and slow down the certification process.

Obtaining a CMMC certificate can also be more or less resource-intensive, depending on your organization's current security posture and compliance with overlapping frameworks like SOC 2 and ISO 27001. Still, SMBs and otherwise resource-constrained organizations face particular challenges, most notably:

  • Lack of bandwidth or personnel necessary to meet the CMMC practices
  • Manual security and compliance workflows
  • Disparate documentation systems that make evidence collection challenging

You can mitigate many CMMC certification implementation challenges with automated compliance. The right solution can streamline various CMMC workflows and help make the entire certification process more efficient and manageable.

Become CMMC-compliant faster with Vanta

Vanta is a trust management platform that automates up to 50% of the CMMC compliance process. You also get clear guidance and resources across controls, policies, and documents to help you get certified faster.

Vanta eliminates confusion and manual work from the certification process through a dedicated CMMC product. Within one platform, you’ll get access to several capabilities, including:

  • Out-of-the-box support for all certification levels
  • Automated evidence collection supported by 375+ integrations
  • Automated gap assessments on a real-time dashboard
  • Control cross-mapping to remove duplicative workflows
  • Centralized tracking and continuous monitoring of CMMC practices
  • Pre-mapped security controls aligned to NIST SP 800-171 and NIST SP 800-172

These features considerably reduce the time and effort required for CMMC preparation, freeing up your resources for more impactful work. You can rely on Vanta’s experts for support at any step of the certification process.

Vanta also partners with various Cyber AB-accredited C3PAOs, which you’ll need for Level 2 assessment (and Level 3 as it requires Level 2). You can browse through Vanta’s partner network to find a C3PAO that will support you throughout the certification process.

Schedule a custom demo to learn more about Vanta’s CMMC solution.


A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.

The CMMC final rule: Scope, practices, and implementation timeline

Written by
Vanta
Reviewed by
Crystal Jackson
GRC Product SME
