For any organization in the Defense Industrial Base (DIB), cyber compliance is no longer a "nice-to-have"—it is a barrier to entry. If you cannot certify, you cannot compete.
CMMC 2.0 represents a significant overhaul of the original framework, designed to simplify compliance while maintaining rigorous security standards for Controlled Unclassified Information (CUI).
The 3 Levels of CMMC 2.0
The most visible change is the reduction from five levels to three. This aligns the framework more closely with established NIST standards.
| Level | Focus | Requirements | Assessment |
|---|---|---|---|
| 1: Foundational | Federal Contract Information (FCI) | 17 Practices (FAR 52.204-21) | Annual Self-Assessment |
| 2: Advanced | Controlled Unclassified Info (CUI) | 110 Practices (NIST 800-171) | Self-Assessment OR C3PAO (Triennial) |
| 3: Expert | Highest Priority CUI | 110 + NIST 800-172 subsets | Government-Led (Triennial) |
Key Requirements Breakdown
Level 1: The Basics (FCI)
If you hold a contract with the federal government but do not handle sensitive defense information (CUI), Level 1 applies to you. It asks for basic cyber hygiene:
- Using strong passwords and changing them regularly.
- Ensuring antivirus software is installed and updated.
- Identifying who and what is connecting to your network.
- Sanitizing media before disposal.
Level 2: The Core (CUI & NIST 800-171)
This is where most defense contractors and subcontractors will fall. Level 2 completely adopts NIST SP 800-171. If you process, store, or transmit CUI, you must hit all 110 controls across 14 families, including:
- Access Control: Limiting system access to authorized users.
- Incident Response: Establishing capabilities to detect and report incidents.
- System and Information Integrity: Identifying and managing flaws (patching) and malicious code protection.
"Under CMMC 2.0, Plans of Action and Milestones (POA&Ms) are temporarily allowed for certain non-critical controls, giving contractors a grace period to remediate gaps."
Assessment vs. Self-Attestation
A major shift in 2.0 is the reintroduction of self-assessments for lower-risk organizations.
- Self-Assessment: Permitted for Level 1 and a subset of Level 2 contractors handling non-critical data. This must be signed by a senior company official.
- Third-Party Assessment (C3PAO): Required for Level 2 contractors handling critical CUI. You must hire an accredited C3PAO (CMMC Third-Party Assessment Organization).
How to Prepare
1. Identify Your Data (FCI vs CUI)
You cannot protect what you don't track. Map the flow of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) through your network. Isolating this data into a secure enclave can significantly reduce your compliance scope (and cost).
2. Conduct a Gap Analysis
Compare your current posture against NIST 800-171. Be honest. Document every gap. This becomes your initial Plan of Action and Milestones (POA&M).
3. Secure Your Supply Chain (SBOM)
The DoD is increasingly focused on software supply chain security. Maintaining a Software Bill of Materials (SBOM) is becoming standard practice to demonstrate you aren't introducing vulnerabilities into the DIB.
4. Implement Technical Controls
Policy is not enough. You need technical enforcement:
- MFA: Enforce multi-factor authentication everywhere.
- FIPS Validated Encryption: Ensure all cryptography used for CUI is FIPS 140-2/3 validated.
- Log Monitoring: Centralize logs and monitor for anomalies (SIEM).
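As an added example (not code from the article or from Alterra Solutions), the gap-analysis step above turned into a small POA&M drafting script: it separates gaps that can be deferred to a POA&M from gaps that block the assessment, and stamps each deferred item with a closure date. The 800-171 "3.x.y" control numbering, the status vocabulary, the critical flag, the 180-day closure window and the sample findings are assumptions for the example, not values taken from this page.

```python
"""Gap analysis -> POA&M draft for a NIST SP 800-171 (CMMC Level 2) self-assessment.
Added example, not the article's or Alterra's code. Assumed: 800-171 "3.x.y" control
IDs, the status vocabulary, the 'critical' flag and the 180-day window are your own
assessment inputs; the sample findings are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

POAM_CLOSURE_DAYS = 180  # assumed remediation window for deferred gaps

@dataclass
class Finding:
    control: str    # e.g. "3.1.1"; family prefix "3.1" is Access Control
    status: str     # "implemented" | "partial" | "not_implemented"
    critical: bool  # assumed: a critical gap cannot be placed on a POA&M
    note: str = ""

def family_of(control: str) -> str:
    return control.rsplit(".", 1)[0]

def gap_analysis(findings, assessed_on: str):
    """Split unimplemented controls into POA&M entries (deferrable, with a due
    date) and blockers (must be fixed before the assessment can pass).
    Returns (poam, blockers, implemented_count); assessed_on is an ISO date."""
    due = (date.fromisoformat(assessed_on) + timedelta(days=POAM_CLOSURE_DAYS)).isoformat()
    poam, blockers, implemented = [], [], 0
    for f in findings:
        if f.status == "implemented":
            implemented += 1
            continue
        if f.status not in ("partial", "not_implemented"):
            raise ValueError(f"{f.control}: unknown status {f.status!r}")
        entry = {"control": f.control, "family": family_of(f.control),
                 "status": f.status, "note": f.note}
        if f.critical:
            blockers.append(entry)
        else:
            poam.append({**entry, "due": due})
    return poam, blockers, implemented

def assessment_ready(findings, assessed_on: str) -> bool:
    """True when every remaining gap is POA&M-eligible (no blockers)."""
    return not gap_analysis(findings, assessed_on)[1]

# Constructed sample covering the three families named in the article.
SAMPLE = [
    Finding("3.1.1", "implemented", True, "AD groups limit access to CUI shares"),
    Finding("3.6.1", "partial", False, "IR plan drafted, not yet exercised"),
    Finding("3.14.1", "not_implemented", True, "no patch SLA for CUI servers"),
]
```

Calling `gap_analysis(SAMPLE, "2025-01-15")` yields one POA&M entry (3.6.1, due 2025-07-14) and one blocker (3.14.1), so `assessment_ready` returns False until the patching gap is closed.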
Alterra's Role
Alterra Solutions builds software designed for compliance from line one of code. Our air-gapped systems and secure SaaS platforms are architected to meet NIST 800-171 and DISA STIG requirements out of the box, simplifying your path to CMMC certification.
Need a realistic CMMC remediation path?
We help defense contractors turn control pressure into clear technical scope, remediation priorities, and evidence-ready delivery.