TL;DR — CMMC readiness in 60 seconds
If you hold Department of Defense (DoD) contracts—or you support a prime contractor anywhere in the defense supply chain—CMMC 2.0 readiness is now a deal requirement, not a future initiative. Phase 2 begins November 10, 2026, and for most organizations handling Controlled Unclassified Information (CUI), it introduces mandatory third-party assessments by an accredited C3PAO.
If you hold DoD contracts or sit anywhere in the defense supply chain, CMMC 2.0 is no longer something you can plan for later. It’s here.
Phase 1 went into effect on November 10, 2025, requiring CMMC Level 1 and Level 2 self-assessments as a condition of contract award. Phase 2 begins November 10, 2026 — and that’s the one every mid-market defense contractor should be preparing for now. Phase 2 requires third-party certification assessments conducted by an accredited C3PAO for most contractors handling Controlled Unclassified Information (CUI).
If you handle CUI and can’t demonstrate compliance with all 110 NIST SP 800-171 Rev 2 security requirements by the time your contract comes up for award, renewal, or option exercise, you won’t be eligible. There is no grace period for new bidders.
This article breaks down what CMMC 2.0 actually requires at Level 2, where mid-market contractors most often fall short, and how to prioritize your readiness in the months ahead.
What is CMMC 2.0 and why does it matter now?
CMMC 2.0 — the Cybersecurity Maturity Model Certification — is the DoD’s framework for verifying that defense contractors actually implement the cybersecurity controls they’ve been required to follow since 2017. The difference from previous requirements: CMMC adds verified assessments and formal certification rather than relying on self-attestation alone.
The framework has three levels. Level 1 covers 17 basic safeguards for Federal Contract Information (FCI). Level 2 maps directly to all 110 security requirements in NIST SP 800-171 Rev 2, organized across 14 control families — this is where most mid-market defense contractors land. Level 3 adds 24 enhanced requirements from NIST SP 800-172 for the most sensitive programs.
The reason it matters now: the DFARS CMMC Final Rule, published September 10, 2025, created the contractual mechanism to enforce CMMC through a four-phase rollout. Phase 1 is already active. Phase 2 — which introduces mandatory third-party C3PAO assessments for Level 2 — starts November 10, 2026. By November 2028, all DoD contracts handling FCI or CUI must include CMMC certification as a condition of award.
Contracting officers will verify your CMMC status in the Supplier Performance Risk System (SPRS) before awarding contracts, exercising options, or extending periods of performance. If your status isn’t current, you’re ineligible.
What is required for CMMC Level 2 certification?
CMMC Level 2 requires full implementation of all 110 security requirements from NIST SP 800-171 Rev 2. These are organized into 14 control families:
- Access Control (AC), 22 requirements. The largest domain. Covers least privilege, remote access, wireless access, session controls, and CUI access restrictions.
- Awareness and Training (AT), 3 requirements. Security awareness training, role-based training for privileged users, and insider threat awareness.
- Audit and Accountability (AU), 9 requirements. Audit logging, log review, protection of audit information, and correlation of audit records.
- Configuration Management (CM), 9 requirements. Baseline configurations, change control, least functionality, and software usage restrictions.
- Identification and Authentication (IA), 11 requirements. Multi-factor authentication, password management, device identification, and replay-resistant authentication.
- Incident Response (IR), 3 requirements. Incident handling capability, reporting, and testing of response plans.
- Maintenance (MA), 6 requirements. Controlled maintenance, equipment sanitization, and remote maintenance oversight.
- Media Protection (MP), 9 requirements. Media access control, CUI marking, sanitization, and transport protection.
- Personnel Security (PS), 2 requirements. Screening individuals before access and protecting CUI during personnel actions.
- Physical Protection (PE), 6 requirements. Physical access controls, monitoring, visitor management, and alternative work site controls.
- Risk Assessment (RA), 3 requirements. Risk assessments, vulnerability scanning, and remediation of vulnerabilities.
- Security Assessment (CA), 4 requirements. Assessment of security controls, system security plans, and plan of action management.
- System and Communications Protection (SC), 16 requirements. The second-largest domain. Boundary protection, CUI encryption in transit and at rest, session authenticity, and mobile code controls.
- System and Information Integrity (SI), 7 requirements. Flaw remediation, malicious code protection, security alerts, and system monitoring.
The critical detail: for most contracts involving CUI, Phase 2 will require a third-party C3PAO assessment — not just a self-assessment. Assessors verify actual implementation, not just policies on paper. They’ll pull sample logs, review network diagrams, examine configurations, and test whether controls work as documented.
How long does it take to prepare for CMMC Level 2?
Most organizations need 6 to 12 months to fully prepare for a C3PAO assessment, depending on their current security posture. If you’re starting from a low baseline — limited documentation, no formal change control, inconsistent access management — plan for the longer end of that range.
The preparation timeline typically breaks down into three phases:
Months 1–3: Discovery and gap assessment
Define your CUI boundary — every system, application, network segment, and data flow that touches CUI. Conduct a gap assessment against all 110 requirements. Score each control as fully implemented, partially implemented, or not implemented. Build your System Security Plan (SSP) if one doesn’t exist.
Months 3–6: Remediation and implementation
Close the gaps identified in the assessment. Priority areas are typically encryption (data at rest and in transit), multi-factor authentication, audit logging configuration, access control enforcement, and CUI boundary documentation. Update your SSP continuously as you implement controls.
Months 6–9: Validation and assessment prep
Conduct an internal assessment using the NIST 800-171A assessment guide. Build evidence packages for each control. Schedule your C3PAO assessment — lead times are currently 3 to 6 months due to limited assessor capacity, so book early.
For mid-market contractors with 100–500 employees, the biggest time sinks are usually CUI boundary scoping (most organizations underestimate where CUI lives), SSP documentation (assessors treat this as the primary assessment artifact), and audit log configuration (logging must be enabled on every system within the CUI boundary with required data elements).
Where do mid-market contractors fail CMMC assessments?
Based on early assessment data and years of NIST 800-171 evaluations, mid-market contractors most commonly fail in five areas:
Incomplete System Security Plans
The SSP is the foundation of your assessment. If it doesn’t accurately reflect your environment — every system, every data flow, every interconnection — assessors will flag discrepancies immediately. A vague statement like “our network handles CUI” is insufficient. Assessors expect network diagrams, data flow diagrams, and system inventories.
Missing or incomplete audit logs
Logging must be enabled on every system within the CUI boundary. Assessors will pull sample logs and verify they contain required data elements: user ID, timestamp, action type, and success/failure. Many mid-market environments have logging enabled on servers but miss endpoints, cloud services, or network devices.
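A quick way to run this evidence check on your own data, as an added example (not code from the article or from Idril): it takes a constructed CUI-boundary asset inventory and constructed JSON log records, then reports boundary systems that produced no logs at all and records missing any of the four elements named above (user ID, timestamp, action type, success/failure). The field names, host names and records are assumptions.

```python
"""Audit-log readiness check for a CUI boundary (added example, constructed data)."""
import json
from datetime import datetime

# The four data elements the assessor samples for; field names are an assumption.
REQUIRED_FIELDS = ("user", "timestamp", "action", "outcome")
VALID_OUTCOMES = {"success", "failure"}

# Constructed inventory: every asset inside the CUI boundary, keyed by host name.
CUI_BOUNDARY = {
    "fs01": "server", "app01": "server",
    "lt-042": "endpoint", "fw-edge": "network", "m365-tenant": "cloud",
}

# Constructed log records, one JSON object per line, as a collector might export them.
SAMPLE_LOGS = [
    '{"host":"fs01","user":"jdoe","timestamp":"2025-11-12T14:03:10Z","action":"file_read","outcome":"success"}',
    '{"host":"app01","user":"svc_api","timestamp":"2025-11-12T14:03:11Z","action":"login","outcome":"failure"}',
    '{"host":"app01","timestamp":"2025-11-12T14:03:12Z","action":"config_change"}',
    '{"host":"fs01","user":"jdoe","timestamp":"not-a-time","action":"file_delete","outcome":"ok"}',
]


def record_defects(rec):
    """Return the list of required-element problems found in one parsed record."""
    defects = [f"missing {f}" for f in REQUIRED_FIELDS if f not in rec]
    if "timestamp" in rec:
        try:
            datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        except ValueError:
            defects.append("timestamp not ISO 8601")
    if "outcome" in rec and rec["outcome"] not in VALID_OUTCOMES:
        defects.append("outcome not success/failure")
    return defects


def assess_logging(boundary, raw_logs):
    """Return (boundary hosts with no log records, {host: [defects per bad record]})."""
    seen, bad = set(), {}
    for line in raw_logs:
        rec = json.loads(line)
        host = rec.get("host", "<unknown>")
        seen.add(host)
        defects = record_defects(rec)
        if defects:
            bad.setdefault(host, []).append(defects)
    uncovered = sorted(h for h in boundary if h not in seen)  # servers log, rest often forgotten
    return uncovered, bad


if __name__ == "__main__":
    uncovered, bad = assess_logging(CUI_BOUNDARY, SAMPLE_LOGS)
    for host in uncovered:
        print(f"NO LOGS: {host} ({CUI_BOUNDARY[host]})")
    for host, problems in bad.items():
        print(f"INCOMPLETE: {host}: {problems}")
```

On the constructed data the endpoint, firewall and cloud tenant show up as uncovered, which mirrors the gap the article describes: servers log, everything else is missed.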
Inadequate CUI boundary documentation
You must document exactly which systems, networks, and data flows handle CUI and which don’t. This is where organizations lose the most time — because CUI often flows through more systems than anyone initially realizes.
Weak access control enforcement
Access Control is the largest domain (22 requirements) and the one most likely to surface gaps. Common failures include shared accounts, missing role-based access, absent session timeout configurations, and uncontrolled remote access.
No incident response testing
Having an incident response plan is not enough. You need evidence that you’ve tested it — tabletop exercises, documented results, and remediation of identified gaps.
Can you get CMMC certification with some gaps?
Yes — conditionally. CMMC 2.0 allows a Plan of Action and Milestones (POA&M) for certain incomplete requirements. If you meet most controls but have gaps in non-critical areas, you can receive conditional CMMC status for up to 180 days while you close out deficiencies.
However, there are limits. You cannot defer critical controls. Six security requirements — including external connections control and system security plan documentation — must be fully implemented before assessment. The DoD specifies which controls are non-deferrable, and assessors will not grant conditional status if those are missing.
The POA&M is not a workaround for lack of preparation. It’s a remediation mechanism for organizations that are substantially compliant but have a manageable number of remaining gaps. If your assessment reveals widespread deficiencies, you’ll fail — and you’ll need to remediate and reassess, which costs additional time and money.
What happens if you fail CMMC certification?
Failure means you cannot receive contract awards that require CMMC certification at the specified level. The consequences cascade:
Contract ineligibility
You won’t be able to bid on or receive new DoD contracts that require your CMMC level. Existing contracts may be affected at option exercise or renewal.
Supply chain impact
Prime contractors are required to ensure all subcontractors handling FCI or CUI are CMMC compliant. If you’re a subcontractor who can’t certify, primes will find alternatives.
Revenue loss
For mid-market contractors where defense work is a significant revenue stream, loss of contract eligibility is an existential business risk.
Remediation costs
You’ll need to fix the deficiencies and schedule a reassessment — and with C3PAO capacity already constrained, rebooking could add months of delay.
False Claims Act exposure
Misrepresenting your cybersecurity compliance status in connection with government contracts can trigger False Claims Act liability, which carries significant financial penalties.
The business case for preparation is straightforward: the cost of achieving compliance is substantially less than the cost of losing eligibility.
Do subcontractors need CMMC certification?
Yes. CMMC requirements flow down to subcontractors at every tier who process, store, or transmit FCI or CUI. Prime contractors are responsible for ensuring subcontractor compliance before sharing covered information or awarding subcontracts.
The required level depends on the type of information the subcontractor handles. If a subcontractor only handles FCI, Level 1 is sufficient. If CUI is involved, Level 2 is required. There is no automated compliance tool — primes must actively verify subcontractor CMMC status.
This creates both a compliance burden and a competitive advantage. Subcontractors who achieve certification early become preferred partners for primes who need compliant supply chain participants. In a market where an estimated 33,000 to 44,000 companies may exit the defense market by 2028 due to compliance costs, certified small businesses will have fewer competitors and stronger positioning.
How does CMMC readiness connect to broader cybersecurity governance?
CMMC doesn’t exist in isolation. The 110 NIST 800-171 controls overlap significantly with other compliance frameworks your organization may already follow — or will need to follow:
SOC 2
SOC 2 shares controls around access management, logging, change control, and incident response. Organizations already SOC 2 compliant will find significant overlap with CMMC Level 2.
ISO 27001
ISO 27001 covers similar ground in asset management, access control, cryptography, and operational security. The mapping between ISO 27001 and NIST 800-171 is well established.
HIPAA Security Rule
HIPAA Security Rule applies if you’re in healthcare-adjacent defense work. Many HIPAA technical safeguards map to NIST 800-171 requirements.
AI governance
AI governance is where last month’s conversation continues: if your organization uses AI tools in any workflow that touches CUI, those AI systems fall within your CMMC boundary. Shadow AI that processes CUI without oversight creates exactly the kind of uncontrolled data flow that CMMC assessors will flag. The AI inventory and governance controls we discussed in previous articles aren’t separate from CMMC — they’re part of it.
The organizations that approach CMMC as part of a unified governance posture — rather than a standalone checkbox — build frameworks that satisfy multiple requirements simultaneously and reduce total compliance cost.
CMMC 2.0 enforcement timeline
| Phase | Date | Requirement |
|---|---|---|
| Phase 1 | Nov 10, 2025 | Level 1 & Level 2 self-assessments in select contracts |
| Phase 2 | Nov 10, 2026 | Third-party C3PAO assessments required for Level 2 |
| Phase 3 | Nov 10, 2027 | Level 3 DIBCAC assessments for sensitive programs |
| Phase 4 | Nov 10, 2028 | Full CMMC implementation for all covered contracts |
CMMC Readiness FAQs
What does a CMMC C3PAO assessment cost?
Assessment costs typically range from $30,000 to $70,000 for mid-market organizations, depending on the size and complexity of your CUI environment. This does not include remediation costs, which vary based on your gap assessment results. Budget for the assessment itself plus 200 to 800 hours of internal staff time for preparation and evidence gathering.
Is NIST 800-171 Rev 3 required for CMMC Level 2?
Not yet. CMMC Level 2 currently requires compliance with NIST SP 800-171 Rev 2 (110 controls, 14 families). Rev 3 was published in May 2024 but has not been formally incorporated into CMMC requirements. Build your compliance program around Rev 2 now, but begin mapping Rev 3 changes to prepare for eventual transition.
Can I get a CMMC waiver?
Waivers are predetermined at the acquisition level by DoD program managers — they are not granted upon contractor request. If you see a CMMC requirement in a solicitation, the waiver determination has already been made. Do not plan your compliance strategy around waiver availability.
How often do I need to reassess?
Level 2 C3PAO assessments are required every three years. Between assessments, an authorized senior official must provide annual affirmation of continued compliance. Any material changes to your information systems require updated documentation and may trigger reassessment.
Get the CMMC 2.0 Readiness Checklist
We’ve built a practical CMMC Level 2 readiness checklist organized by all 14 NIST 800-171 control families. It covers the key requirements in each domain, common mid-market gaps, evidence your assessor will expect, and a self-scoring framework to prioritize your remediation.
Want expert help getting CMMC ready?
If your organization handles CUI and needs to prepare for a C3PAO assessment, Idril can help. We’ll scope your CUI boundary, assess your current posture against all 110 controls, and deliver a prioritized remediation roadmap with timelines, owners, and evidence requirements.
This article is provided by Idril Cybersecurity Services for educational purposes. It does not constitute legal advice. Consult qualified legal counsel for jurisdiction-specific compliance requirements.