CMMC 2.0 Requirements: The Complete 2026 Guide for DoD Contractors (Levels 1, 2 & 3)

The CMMC 2.0 final rule (32 CFR Part 170) is live and DFARS clause 252.204-7021 is now flowing into DoD contracts. This guide breaks down all three CMMC 2.0 levels, the 110 NIST 800-171 controls, C3PAO assessments, POA&M rules, affirmations, timelines, and what Miami-area defense contractors need to do in 2026 to stay contract-eligible.

Cybrvault Team · July 2, 2026 · 22 min read · Updated July 2, 2026

If your company sells to the Department of Defense — or subcontracts to anyone who does — CMMC 2.0 is no longer a proposal on the horizon. It's federal regulation. The final rule was codified as 32 CFR Part 170 in October 2024, and the companion DFARS contract clause **252.204-7021** began appearing in solicitations in 2025 under a phased rollout. By 2026, most new DoD contracts touching **Federal Contract Information (FCI)** or **Controlled Unclassified Information (CUI)** carry a CMMC requirement. No certificate, no award.

This guide walks through everything a defense contractor — from a 3-person machine shop in Hialeah to a 500-person systems integrator in Doral — needs to understand about CMMC 2.0 in 2026: the three levels, the underlying NIST controls, how assessments actually work, what a POA&M can and can't cover, timelines, cost ranges, and the practical steps to get compliant. If you only need the entry-level ruleset, start with our CMMC Level 1 requirements guide. If you're already scoping controls, pair this with our NIST 800-171 compliance checklist.

What is CMMC 2.0?

The **Cybersecurity Maturity Model Certification (CMMC)** is the DoD's program for verifying that contractors and subcontractors in the Defense Industrial Base (DIB) actually implement the cybersecurity controls their contracts require. CMMC 1.0 (2020) had five levels and required third-party assessment for almost everyone. CMMC 2.0 collapses that to three levels, permits self-assessment at Level 1 and a narrow slice of Level 2, and aligns fully with existing NIST standards instead of introducing bespoke practices.

The rule lives in two places: **32 CFR Part 170** (the program itself — who assesses whom, how scores are calculated, how affirmations work) and **48 CFR / DFARS 252.204-7021** (the contract clause that obligates a contractor to hold the required level at the time of award). Both are in force. The phased rollout means CMMC requirements appear in new solicitations gradually — Phase 1 began in December 2024, and Phase 3 (broad Level 2 assessment requirements) is expected by late 2026.

FCI vs CUI: what triggers each level

Which CMMC level applies to you depends entirely on the type of DoD information you handle:

  • **Federal Contract Information (FCI)** — non-public information provided by or generated for the government under a contract. Examples: statements of work, delivery schedules, non-public correspondence. Triggers **Level 1**.
  • **Controlled Unclassified Information (CUI)** — technical data, drawings, specs, source selection info, export-controlled material (ITAR/EAR), CDI (Covered Defense Information). Triggers **Level 2**.
  • **High-value CUI on priority programs** — CUI associated with the DoD's most critical programs and technologies. Triggers **Level 3**.

If you're not sure which category applies, look at your contract's **DD Form 254**, any CUI marking guidance, and whether DFARS 252.204-7012 flows into your award. If 7012 is present, you almost certainly handle CUI and need Level 2.

CMMC 2.0 Level 1 — Foundational (self-assessed)

Level 1 protects FCI only. It maps 1:1 to the 15 basic safeguarding requirements in **FAR 52.204-21**, expressed as 17 CMMC practices across six domains (Access Control, Identification & Authentication, Media Protection, Physical Protection, System & Communications Protection, System & Information Integrity).

  • **Assessment type:** annual self-assessment.
  • **Affirmation:** a senior company official (typically the CEO or CISO) affirms the results annually in SPRS.
  • **Validity:** 1 year.
  • **Cost:** minimal — internal time plus baseline security tools most businesses already own.

For a control-by-control walkthrough tailored to small contractors, see our CMMC Level 1 requirements guide.

CMMC 2.0 Level 2 — Advanced (mostly C3PAO assessed)

Level 2 is where most DoD suppliers live. It requires implementation of **all 110 controls in NIST SP 800-171 Revision 2** across 14 control families — from Access Control and Audit & Accountability to System & Communications Protection and System & Information Integrity. Every control is scored, and the maximum possible SPRS score is 110.

Assessment path

  • **C3PAO assessment (default):** an accredited CMMC Third-Party Assessment Organization (C3PAO) conducts an on-site or hybrid assessment on a 3-year cycle. Required for the vast majority of contracts involving CUI.
  • **Self-assessment (narrow):** the DoD may allow annual self-assessment for a limited set of Level 2 contracts that don't involve prioritized CUI. The contracting officer specifies this in the solicitation — do not assume you qualify.
  • **Annual affirmation:** required every year in SPRS regardless of assessment path.

The 14 NIST 800-171 control families

  1. Access Control (AC) — 22 controls
  2. Awareness & Training (AT) — 3 controls
  3. Audit & Accountability (AU) — 9 controls
  4. Configuration Management (CM) — 9 controls
  5. Identification & Authentication (IA) — 11 controls
  6. Incident Response (IR) — 3 controls
  7. Maintenance (MA) — 6 controls
  8. Media Protection (MP) — 9 controls
  9. Personnel Security (PS) — 2 controls
  10. Physical Protection (PE) — 6 controls
  11. Risk Assessment (RA) — 3 controls
  12. Security Assessment (CA) — 4 controls
  13. System & Communications Protection (SC) — 16 controls
  14. System & Information Integrity (SI) — 7 controls

For the full checklist, see our NIST 800-171 compliance checklist.

CMMC 2.0 Level 3 — Expert (DIBCAC assessed)

Level 3 applies to the DoD's most sensitive programs — think advanced weapons systems, nuclear, and select intelligence-adjacent work. It requires Level 2 as a prerequisite, plus a subset of **24 controls selected from NIST SP 800-172** (the enhanced-security supplement to 800-171).

  • **Assessment type:** government-led assessment by the **Defense Contract Management Agency's DIBCAC**, not a C3PAO.
  • **Focus areas:** advanced persistent threat (APT) resilience, penetration-resistant architecture, enhanced monitoring, threat hunting, and cyber threat intelligence integration.
  • **Validity:** 3 years with annual affirmation.

Most small and mid-size Miami-area contractors will never touch Level 3 — but if you sub to a prime working on a priority program, expect flow-down clauses that require you to meet Level 2 as a minimum.

POA&Ms under CMMC 2.0 (what changed)

CMMC 1.0 did not allow **Plans of Action & Milestones (POA&Ms)** to close an assessment. CMMC 2.0 loosens that — but only slightly:

  • **Level 1:** no POA&Ms allowed. All 17 practices must be MET.
  • **Level 2:** POA&Ms allowed only for a subset of lower-weighted controls, and only if the overall SPRS score is at least **88 of 110** (80%). Certain high-value controls (multi-factor authentication, FIPS-validated cryptography, incident response, and others) cannot be on a POA&M.
  • **Level 3:** similar rules with an even smaller set of POA&M-eligible controls.
  • **All POA&Ms must be closed within 180 days** of the conditional certification — otherwise the conditional certification converts to a failure and you lose eligibility.

Timelines: the phased rollout through 2028

The DoD is phasing CMMC requirements into contracts over three years starting from the December 2024 effective date of the DFARS rule. What that means in practice for 2026:

  • **Phase 1 (in effect):** Level 1 and Level 2 self-assessment requirements appearing in applicable new solicitations.
  • **Phase 2 (2026):** Level 2 C3PAO assessment requirements begin flowing into new contracts.
  • **Phase 3 (2027):** Level 3 requirements begin appearing.
  • **Phase 4 (2028):** CMMC applies to all applicable DoD contracts, including option-year exercises on existing contracts.

Translation: if you're a Level 2 target with a contract renewing in 2027, you should be in an active C3PAO engagement no later than mid-2026.

Assessment cost & duration (2026 ranges)

Based on Cybrvault's work with DIB clients across South Florida in 2025–2026, realistic ranges look like this — plan for the higher end if you haven't done a formal NIST 800-171 assessment before:

  • **Level 1 self-assessment:** $0–$5,000 internal effort, $5,000–$15,000 with consultant support.
  • **Level 2 readiness (gap assessment + remediation):** $25,000–$150,000 depending on environment size and current maturity.
  • **Level 2 C3PAO certification assessment:** $40,000–$120,000+ for the assessment itself (separate from remediation).
  • **Level 3 DIBCAC assessment:** no direct fee, but readiness typically runs $250,000+ due to the NIST 800-172 controls (advanced monitoring, threat hunting, deception, etc.).
  • **Ongoing (SSP maintenance, continuous monitoring, tooling):** $30,000–$200,000 per year.

The 10-step CMMC 2.0 roadmap for 2026

  1. **Determine your target level.** Review current and pipeline contracts for CUI markings and DFARS 7012 flow-down. If you handle CUI, you're a Level 2 target.
  2. **Scope your CUI environment.** Identify every system, share, cloud tenant, laptop, printer, and 3rd-party service that stores, processes, or transmits CUI. Aggressive scoping (enclaves, GCC High tenants) shrinks the assessment boundary and cost.
  3. **Choose your cloud strategy.** For CUI, you need **FedRAMP Moderate or equivalent** — practically, that means Microsoft 365 GCC High, AWS GovCloud, or a compliant private stack. Commercial M365 is not sufficient for most CUI.
  4. **Author your System Security Plan (SSP).** A living document describing how each of the 110 controls is implemented in your specific environment. Assessors read this first.
  5. **Perform a gap assessment against all 110 controls.** Score each as MET, NOT MET, or NOT APPLICABLE. Compute your SPRS score.
  6. **Remediate.** Prioritize the high-weighted controls (MFA, FIPS cryptography, audit logging, incident response). Track everything in a POA&M.
  7. **Post your SPRS score.** Contractors handling CUI have been required to post NIST 800-171 self-assessment scores in SPRS since 2020 under DFARS 252.204-7019 — do it before it costs you an award.
  8. **Engage a C3PAO early.** Wait times in 2026 are 6–9 months. Book your assessment before you're 100% ready and use the lead time to close gaps.
  9. **Pass the assessment.** Address any assessor findings within 180 days if issued a conditional certification.
  10. **Submit annual affirmations.** A senior company official affirms compliance in SPRS every year until re-assessment.
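
As an added example (not from the original article and not Cybrvault's tooling), the scoring and POA&M gate described in the POA&M section and in roadmap steps 5, 6 and 9, worked in Python: the per-control weights are assumed placeholders rather than the DoD Assessment Methodology table, and "lower-weighted" is modelled as a 1-point control.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110          # all 110 NIST SP 800-171 controls MET
POAM_SCORE_FLOOR = 88    # 80% of 110: minimum for a conditional certification
POAM_CLOSE_DAYS = 180    # every POA&M item must close within this window
SAMPLE_CONDITIONAL_DATE = date(2026, 7, 2)  # constructed conditional-certification date


@dataclass(frozen=True)
class ControlResult:
    control_id: str  # NIST SP 800-171 requirement id, e.g. "3.5.3" (MFA)
    weight: int      # points deducted when NOT MET; sample values below are ASSUMED
    status: str      # "MET", "NOT MET" or "NOT APPLICABLE"


def sprs_score(results):
    """110 minus the weight of every NOT MET control. Controls absent from the list
    and NOT APPLICABLE ones count as MET (assumption: the N/A is justified in the SSP)."""
    return MAX_SCORE - sum(r.weight for r in results if r.status == "NOT MET")


def poam_review(results, conditional_date):
    """Level 2 POA&M gate: score >= 88 and no high-weighted control left open.
    Modelling assumption: 'lower-weighted' means a 1-point control.
    Returns (eligible, blocking_reasons, date_by_which_all_items_must_close)."""
    score = sprs_score(results)
    reasons = []
    if score < POAM_SCORE_FLOOR:
        reasons.append(f"score {score} is below the {POAM_SCORE_FLOOR}-point floor")
    for r in results:
        if r.status == "NOT MET" and r.weight > 1:
            reasons.append(f"{r.control_id} ({r.weight} points) cannot be on a POA&M")
    return not reasons, reasons, conditional_date + timedelta(days=POAM_CLOSE_DAYS)


# Constructed gap-assessment excerpt; the weights are placeholders, not the DoD table.
SAMPLE = [
    ControlResult("3.5.3", 5, "MET"),       # multifactor authentication
    ControlResult("3.13.11", 5, "MET"),     # FIPS-validated cryptography
    ControlResult("3.6.1", 5, "MET"),       # incident-handling capability
    ControlResult("3.3.4", 1, "NOT MET"),   # alert on audit logging failure
    ControlResult("3.4.9", 1, "NOT MET"),   # control user-installed software
    ControlResult("3.7.3", 1, "NOT MET"),   # sanitize equipment sent off-site
    ControlResult("3.10.5", 1, "NOT APPLICABLE"),
]

if __name__ == "__main__":
    ok, why, deadline = poam_review(SAMPLE, SAMPLE_CONDITIONAL_DATE)
    print(f"SPRS {sprs_score(SAMPLE)}, POA&M eligible: {ok}, close by {deadline}", *why, sep="\n - ")
```

Swapping one of the MET 5-point controls to NOT MET keeps the score above 88 but still blocks the conditional certification, which is the distinction the POA&M rules above draw.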

Common CMMC 2.0 mistakes we see in South Florida

  • Assuming commercial Microsoft 365 is compliant for CUI. It isn't. You need GCC High or another FedRAMP Moderate-equivalent tenant.
  • Storing CUI in Dropbox, Google Drive, personal email, or generic file-share tools. All of it becomes in-scope and, in most cases, non-compliant.
  • Treating the SSP as a one-time document. It has to reflect the environment as it is today — every time you add a SaaS tool or a subcontractor, the SSP changes.
  • Ignoring flow-down. If you subcontract any CUI-handling work, the same CMMC requirements flow through to your subs. You are responsible for verifying their level.
  • Waiting for a contract award to start. C3PAO backlogs mean you can't get certified in the 30-day post-award window.

How Cybrvault helps Miami-area DoD contractors reach CMMC 2.0

Cybrvault has been supporting South Florida defense contractors — from small aerospace machine shops to mid-size systems integrators — through NIST 800-171 and CMMC readiness since the program's inception. We handle scoping, GCC High tenant setup, SSP authoring, gap assessment, remediation engineering, POA&M management, and C3PAO pre-assessment support. We are not a C3PAO ourselves, which means our incentives are aligned with getting you certified, not with billing you for the assessment. See our cybersecurity services in Miami for our full compliance offering, and our penetration testing Miami guide if you also need CA.2/CA.3 assessment support.

**Book a free CMMC 2.0 scoping call:** /contact. Bring your DD Form 254, any CUI marking guidance, and a list of the tools where CUI currently lives — we'll come back with a level determination, a scope diagram, and a realistic budget in 5 business days.

Questions teams ask us

When does CMMC 2.0 become mandatory?

The 32 CFR Part 170 final rule took effect December 16, 2024, and the DFARS 252.204-7021 clause is being phased into new DoD solicitations from 2025 through 2028. By 2026, most new contracts involving FCI or CUI carry a CMMC level requirement, and no contract is awarded without the required certification in place.

What's the difference between CMMC 2.0 Level 1 and Level 2?

Level 1 applies to Federal Contract Information (FCI) and covers 17 basic safeguarding practices from FAR 52.204-21, assessed via annual self-assessment. Level 2 applies to Controlled Unclassified Information (CUI) and requires all 110 controls in NIST SP 800-171 Revision 2, with most contractors requiring a third-party (C3PAO) assessment on a 3-year cycle.

Can I self-assess at CMMC 2.0 Level 2?

Only for a narrow subset of Level 2 contracts that the DoD designates as not involving prioritized CUI. The contracting officer specifies whether self-assessment is allowed in the solicitation. In practice, the vast majority of Level 2 contractors need a C3PAO assessment.

How much does a CMMC Level 2 assessment cost?

The C3PAO assessment itself typically ranges $40,000–$120,000+ depending on scope, but that's separate from readiness work. Realistic all-in cost to go from zero to Level 2 certified for a small-to-mid-size Miami contractor is $80,000–$300,000 including tooling, GCC High licensing, SSP authoring, remediation, and the assessment fee.

Are POA&Ms allowed under CMMC 2.0?

Yes at Levels 2 and 3, but only for a limited subset of lower-weighted controls, and only if the overall SPRS score is at least 88 of 110 (80%). Certain high-value controls (MFA, FIPS cryptography, incident response, etc.) cannot be on a POA&M. All POA&Ms must be closed within 180 days or the conditional certification converts to a failure.

How long is a CMMC certification valid?

Three years, with an annual affirmation submitted in SPRS by a senior company official. Level 1 self-assessments are valid for one year and also require annual affirmation.

Does CMMC 2.0 apply to subcontractors?

Yes. Prime contractors must flow down CMMC requirements to any subcontractor that will handle FCI or CUI. The required level is based on the type of information the subcontractor handles, which may be equal to or lower than the prime's level.

What cloud services are approved for CUI under CMMC 2.0?

Any cloud service storing, processing, or transmitting CUI must be authorized at FedRAMP Moderate or equivalent. Microsoft 365 GCC High, AWS GovCloud, and Google Workspace's Assured Workloads for government are the most common choices. Commercial Microsoft 365 and standard AWS/Azure/GCP regions are not sufficient for CUI.
