CMMC Compliance Guide for Defense Contractors in 2026: Level 2 IT Requirements

Q: What is the difference between CMMC Level 1, Level 2, and Level 3?

CMMC Level 1 covers 17 basic cybersecurity practices protecting Federal Contract Information (FCI) — it can be self-attested annually by a senior company official. CMMC Level 2 covers 110 practices from NIST SP 800-171 protecting Controlled Unclassified Information (CUI) — most companies at Level 2 require third-party assessment by a C3PAO (Certified Third-Party Assessment Organization), though some lower-priority programs may allow self-attestation. CMMC Level 3 covers more than 110 practices (additional requirements from NIST SP 800-172) for the most critical defense programs — requires government-led assessment by DCSA.

Q: When does CMMC become a contract requirement?

CMMC requirements are being phased into DoD contracts through 2026 and beyond. The DoD CMMC rule became final in December 2024. Contracts with CMMC requirements are being awarded with CMMC clauses, and existing contracts are expected to be modified as they come up for renewal. Contractors should not wait for a contract to demand certification — the assessment process takes 6–18 months, and waiting until a contract requires it leaves no time to achieve it.

Q: What is a System Security Plan (SSP) and why does it matter for CMMC?

The System Security Plan (SSP) is the master document describing how your organization implements each of the 110 NIST 800-171 controls. For CMMC Level 2, the SSP is what the C3PAO assessors review to verify your claims. An SSP that doesn't accurately reflect your actual environment — or that was written as a template without actual implementation behind it — will fail the assessment. The SSP must describe not just what you have, but how it works, who maintains it, and what evidence exists that it's operating as described.

CMMC Framework Overview: What You Need to Know First

The Cybersecurity Maturity Model Certification (CMMC) is the DoD's framework for verifying that defense contractors and subcontractors have implemented adequate cybersecurity practices to protect sensitive defense information. It was finalized as a rule in December 2024 and is being phased into contracts.

Level	Practices	Information Type	Assessment Type	Who Needs It
Level 1	17 practices	Federal Contract Information (FCI)	Annual self-attestation	Contractors with FCI but no CUI
Level 2	110 practices (NIST 800-171)	Controlled Unclassified Information (CUI)	Third-party C3PAO (most); self-attestation for some	Most DoD contractors handling CUI
Level 3	110+ practices (NIST 800-172)	CUI in critical programs	DCSA government-led	Highest-priority defense programs

Most defense contractors and subcontractors fall under Level 2. If your contract includes DFARS clause 252.204-7012, you are required to implement NIST SP 800-171 and are on the path to CMMC Level 2 certification.

The 14 Domains of NIST SP 800-171

CMMC Level 2 maps to all 110 controls across NIST 800-171's 14 domains. The domains most commonly associated with significant IT implementation work:

Domain	Key IT Controls	Commonly Failed
Access Control (3.1)	Least privilege, unique accounts, remote access controls, privileged account management	Yes — shared accounts, excessive access
Audit and Accountability (3.3)	Event logging, log review, log protection, audit failure alerting	Yes — logging enabled but not reviewed
Configuration Management (3.4)	Baseline configurations, change control, least functionality principle	Sometimes
Identification and Authentication (3.5)	Unique identification, MFA (required for privileged access and remote access)	Yes — MFA gaps
Incident Response (3.6)	Incident response capability, incident reporting to DoD	Yes — untested procedures
Maintenance (3.7)	Controlled maintenance, sanitization of media used in maintenance	Sometimes
Media Protection (3.8)	Media access, media transport protection, media sanitization	Sometimes
Personnel Security (3.9)	Screening of individuals with CUI access, personnel actions	Rarely (HR domain)
Physical Protection (3.10)	Physical access authorization, visitor control, physical monitoring	Sometimes
Risk Assessment (3.11)	Periodic risk assessments, vulnerability scanning	Yes — missing documentation
Security Assessment (3.12)	Periodic security assessments, POA&M maintenance	Yes — SSP not current
System and Communications Protection (3.13)	Network segmentation, boundary protection, encryption in transit, key management	Yes — segmentation gaps
System and Information Integrity (3.14)	Malware protection (EDR), security alerts, patching, spam protection	Sometimes — patch management gaps

The System Security Plan (SSP): Your Most Important Document

The SSP is the document that describes how your organization implements each of the 110 NIST 800-171 controls. It is what C3PAO assessors review. A compliant SSP includes:

System boundary definition — exactly what systems, users, and data are in scope for CUI
Network diagram — showing the architecture including CUI boundaries
Control descriptions — for each of the 110 controls, how it is implemented, what specific tools or configurations are used, and who is responsible
Inherited controls — controls provided by your cloud service providers (Microsoft, AWS, etc.) that are inherited vs. implemented by you
Interconnections — other systems that connect to your CUI environment
Review date and change history — the SSP must reflect your current environment

What assessors actually check

A DCSA assessor told one contractor that their documentation was better than 80% of companies reviewed. That's because their IT provider had done 30+ CMMC assessments and knew exactly what assessors want to see: not just that a control exists, but evidence it's operating. For audit logging: not just "logging is enabled" but a screenshot of the log configuration, a sample log export, and documentation of who reviews logs and how often.

Plan of Action and Milestones (POA&M)

No contractor achieves 100% of the 110 controls before their first assessment. The POA&M is the document where you document the gaps — controls not yet fully implemented — along with your plan and timeline to close them.

Key requirements for a defensible POA&M:

Each gap must have a specific remediation action
Each gap must have a responsible party and a due date
High-risk gaps should have shorter timelines (typically under 180 days)
The POA&M must be updated regularly — a static POA&M from 18 months ago tells assessors you're not actively managing it
At the time of assessment, you must demonstrate that you're actively working the POA&M, not just that one exists

CUI Scoping: The Most Misunderstood Part of CMMC

The single most important decision in CMMC preparation is defining your CUI boundary. The CUI boundary determines which systems, users, and data are in scope for the 110 controls. A smaller, well-defined boundary is significantly easier to certify than a broad, poorly-defined one.

Approaches to CUI boundary definition:

Dedicated CUI environment — A separate network segment or set of systems used exclusively for CUI handling. Other systems are out of scope. This minimizes the footprint you have to certify.
Enclave model — A physically or logically isolated environment within your network for CUI. Often uses a separate Active Directory domain or tenant.
Cloud-based CUI enclave — Use a FedRAMP Authorized cloud service (Microsoft 365 GCC High, AWS GovCloud) for CUI handling, which inherits many controls from the cloud provider.
Enterprise-wide scope — All systems in scope. This is the hardest path — every laptop, every server, every cloud app must be assessed.

CMMC Assessment Preparation: 90-Day Readiness Checklist

Complete and document a full NIST 800-171 gap assessment
Define and document the CUI boundary with a current network diagram
Write or update the System Security Plan (SSP) to reflect current environment
Create or update the POA&M for all identified gaps
Implement FIPS 140-2 validated encryption for all CUI at rest and in transit
Enable and verify MFA on all privileged accounts and remote access
Verify audit logging on all CUI-accessible systems and document log review process
Test incident response plan including DIBNet portal reporting procedure
Conduct vulnerability scan and address critical/high findings
Verify EDR is deployed on all in-scope endpoints
Review and update access control lists — remove stale accounts and excessive access
Complete security awareness training for all personnel with CUI access
Review all cloud service providers for FedRAMP Authorization status
Conduct pre-assessment readiness review (mock assessment) before the C3PAO engagement

SPRS Score: Where You Stand Before the Assessment

The Supplier Performance Risk System (SPRS) is where contractors self-report their NIST 800-171 implementation score. The scoring methodology assigns a maximum of 110 points and deducts points for unimplemented controls — with higher deductions for higher-risk controls. A perfect score is 110. Many contractors self-report without understanding the methodology and submit inaccurately high scores.

Your SPRS score is visible to DoD contracting officers and can affect contract award decisions. More importantly, submitting an inaccurate (inflated) SPRS score can expose you to False Claims Act liability — intentional misrepresentation of your cybersecurity posture to obtain government contracts has resulted in DOJ investigations and settlements.

Frequently Asked Questions

What is the difference between CMMC Level 1, Level 2, and Level 3?

Level 1 covers 17 basic practices protecting FCI — annual self-attestation. Level 2 covers 110 NIST 800-171 practices protecting CUI — typically requires C3PAO third-party assessment. Level 3 covers additional NIST 800-172 practices for the most critical programs — requires government-led DCSA assessment.

When does CMMC become a contract requirement?

CMMC requirements are being phased into DoD contracts following the December 2024 final rule. Contractors should not wait for a contract to demand certification — the assessment process takes 6–18 months, and waiting until required leaves no time to achieve it.

What is a System Security Plan (SSP) and why does it matter for CMMC?

The SSP is the master document describing how your organization implements each of the 110 NIST 800-171 controls. C3PAO assessors review the SSP to verify your claims. An SSP that doesn't accurately reflect your actual environment — or was written as a template — will fail the assessment.

CMMC Compliance Guide for Defense Contractors:
Level 2 IT Requirements and Assessment Prep

CMMC Framework Overview: What You Need to Know First

The 14 Domains of NIST SP 800-171

The System Security Plan (SSP): Your Most Important Document

Plan of Action and Milestones (POA&M)

CUI Scoping: The Most Misunderstood Part of CMMC

CMMC Assessment Preparation: 90-Day Readiness Checklist

SPRS Score: Where You Stand Before the Assessment

Frequently Asked Questions

Need an MSP That Has Done CMMC Before?

CMMC Compliance Guide for Defense Contractors:Level 2 IT Requirements and Assessment Prep

CMMC Framework Overview: What You Need to Know First

The 14 Domains of NIST SP 800-171

The System Security Plan (SSP): Your Most Important Document

Plan of Action and Milestones (POA&M)

CUI Scoping: The Most Misunderstood Part of CMMC

CMMC Assessment Preparation: 90-Day Readiness Checklist

SPRS Score: Where You Stand Before the Assessment

Frequently Asked Questions

Need an MSP That Has Done CMMC Before?

CMMC Compliance Guide for Defense Contractors:
Level 2 IT Requirements and Assessment Prep