Most companies first hear about CMMC when a solicitation lands with a clause they have never seen before, or when a prime contractor asks a question they cannot answer. By that point, the timeline is already tight.
CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense's framework for verifying that contractors actually protect the sensitive information they handle. It replaced the old trust-based model, in which contractors self-attested to their security practices with no independent verification. The DoD concluded that unverified self-attestation was not working, and CMMC is the result.
The program is live. Phase 1 started in November 2025, and contracting officers are now including CMMC clauses in new solicitations. This is not a future consideration. It is a current contract requirement.
The Three CMMC Levels
CMMC 2.0 simplified the original five-level model down to three, each aligned with a specific data type and assessment method:
Level 1 — Foundational
15 practices | Self-assessment | Protects FCI
Basic security hygiene derived from FAR 52.204-21. Annual self-assessment submitted to SPRS. No POA&Ms permitted: all 15 practices must be fully implemented. For a detailed breakdown, see our CMMC Level 1 implementation guide.
Level 2 — Advanced
110 practices | Self or C3PAO assessment | Protects CUI
Aligned to NIST SP 800-171. Assessment method depends on CUI sensitivity: self-assessment for lower sensitivity, third-party C3PAO assessment for higher sensitivity. This is where compliance effort escalates significantly in both control complexity and evidence requirements.
Level 3 — Expert
110+ practices | DIBCAC assessment | Protects sensitive CUI
Adds controls from NIST SP 800-172 beyond the 800-171 baseline. Assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center. Few contractors need Level 3, but those who do are handling information where a breach has direct national security implications.
The key distinction
Level 1 protects FCI (contract-related information not intended for public release). Levels 2 and 3 protect CUI (information where unauthorized disclosure could harm national security). The level required for any given contract depends on what type of information the contractor handles, not the size of the company.
The Rollout Timeline
CMMC is deploying in four phases:
| Phase | Requirement |
| --- | --- |
| Phase 1 (Nov 2025) | Level 1 and Level 2 self-assessment requirements in new solicitations |
| Phase 2 (Nov 2026) | Level 2 C3PAO (third-party) assessments required |
| Phase 3 (Nov 2027) | Level 3 DIBCAC assessments required; Level 2 may apply to option periods |
| Phase 4 (Nov 2028) | Full implementation across all applicable DoD solicitations and contracts |
The phased approach gives the ecosystem time to build assessment capacity, but it does not give contractors time to delay. Companies responding to solicitations in Phase 1 need Level 1 or Level 2 self-assessment capability now.
Who Needs CMMC
The short answer: any company that handles FCI or CUI as part of a DoD contract or subcontract.
This includes prime contractors, subcontractors, and suppliers at any tier of the defense supply chain. CMMC requirements flow down contractually. If a prime contractor's solicitation includes a CMMC clause, every subcontractor handling the relevant information must meet the specified level.
The practical impact is that thousands of small and mid-sized companies that have been operating on informal security practices now face a binary choice: achieve and maintain CMMC compliance, or become ineligible for defense work.
This is not optional
CMMC compliance is a condition of contract award. Without the required level on record in SPRS, a company cannot win or retain DoD contracts, regardless of the quality or price of its products.
How CMMC Relates to SOC 2 and ISO 27001
Companies that already hold SOC 2 or ISO 27001 certifications have a significant head start on CMMC compliance:
SOC 2
SOC 2 Trust Services Criteria cover access controls (CC6.1), system operations (CC7.1), and change management (CC8.1) in ways that directly map to CMMC practices across access control, system integrity, and configuration management. The control objectives are similar; the evidence format and assessment methodology differ.
ISO 27001
ISO 27001 Annex A controls for access management (A.9), physical security (A.11), communications security (A.13), and operations security (A.12) align closely with CMMC Level 1 and Level 2 practices. ISO 27001's risk-based ISMS approach also provides the systematic framework that CMMC expects, particularly at Level 2.
The gap
Neither SOC 2 nor ISO 27001 addresses CMMC-specific requirements like SPRS submission, the DoD's assessment methodology, or CUI-specific handling and marking procedures. Companies with existing certifications still need CMMC-specific preparation, but the incremental effort is substantially lower than starting from scratch.
The efficient path
Build one security program and map multiple frameworks onto it, rather than treating each framework as a separate compliance project. Build the program once, map it many ways.
GRC Platforms and CMMC
Both Vanta and Secureframe now offer CMMC modules that map practices to automated evidence collection and track readiness across levels. For companies that also need SOC 2 or ISO 27001, these platforms serve as a single system of record across frameworks.
For Level 1, a platform is helpful but not strictly necessary given the small number of controls. For Level 2's 110 practices, a platform becomes significantly more valuable for managing the volume of evidence, tracking control ownership, and maintaining continuous readiness between assessment cycles.
The critical distinction
The platform manages evidence and tracks compliance status. It does not design the security program, write the policies, or operate the controls. That operational layer, the part that determines whether controls are actually effective, requires people and process alongside the technology.
Getting Started: What Matters First
Companies approaching CMMC for the first time consistently overestimate the technical complexity and underestimate the documentation and process work.
Four steps to get started
1. Determine your required level. Review your contracts and solicitations for CMMC clauses. Identify whether you handle FCI (Level 1) or CUI (Level 2+). If unsure whether specific information qualifies as CUI, your contracting officer or prime contractor can clarify.
2. Scope the environment. Define which systems, people, and facilities process the relevant information. Scoping decisions directly control the cost and complexity of compliance. A well-segmented environment is dramatically easier to assess than one where sensitive data flows through every system.
3. Assess current state. Map existing controls against the required practices. Companies with existing security programs, SOC 2 compliance, or compliance automation will find significant overlap. Companies without a formal program should expect gaps in documentation, access management, and evidence collection.
4. Build the program, not just the checklist. The companies that maintain CMMC compliance year over year build a security program as a permanent operating function. Annual assessments become routine outputs of a running program rather than annual scrambles.
Frequently Asked Questions
What is CMMC 2.0?
CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense's framework for verifying that contractors protect sensitive information. It replaced the previous self-attestation model with a structured three-level certification program. Level 1 covers basic cyber hygiene for Federal Contract Information. Level 2 aligns with NIST SP 800-171 for Controlled Unclassified Information. Level 3 adds enhanced controls for the most sensitive CUI. The program became active in November 2025.
Who needs CMMC certification?
Any company that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of a DoD contract or subcontract needs CMMC certification at the appropriate level. This applies to prime contractors, subcontractors, and suppliers at every tier of the defense supply chain. The required level flows down through contract clauses.
How does CMMC relate to SOC 2?
CMMC and SOC 2 share significant control overlap in access management, system integrity, and configuration management. Companies with existing SOC 2 compliance will find many CMMC practices already in place. The key differences are the assessment methodology (CMMC uses NIST SP 800-171A), the reporting mechanism (SPRS submission), and CUI-specific handling requirements that SOC 2 does not address.
How does CMMC relate to ISO 27001?
ISO 27001 Annex A controls cover access management, physical security, communications security, and operations security in ways that align closely with CMMC practices. ISO 27001's risk-based ISMS approach also provides the systematic management framework that CMMC Level 2 expects. Companies with ISO 27001 certification have a strong foundation but still need CMMC-specific assessment preparation and SPRS submission.
Can I use Vanta or Secureframe for CMMC compliance?
Yes. Both platforms offer CMMC modules that map practices to evidence collection and track readiness. They are most valuable for Level 2, where 110 practices create significant evidence management complexity. For Level 1's 15 practices, a platform is helpful but not essential. The platform manages evidence and status tracking but does not replace the need for program design, policy development, and operational processes.
How long does CMMC certification take?
Timeline depends on existing security maturity. Companies with established security programs and existing SOC 2 or ISO 27001 compliance may need 3 to 6 months to address CMMC-specific gaps. Companies without a formal security program should plan for 9 to 18 months, covering program design, gap remediation, policy development, staff training, and assessment preparation.
What is the difference between FCI and CUI?
Federal Contract Information (FCI) is contract-related information not intended for public release, such as contract terms, project timelines, and performance reports. Controlled Unclassified Information (CUI) is government information that requires safeguarding because its unauthorized disclosure could cause harm. All CUI is also FCI, but not all FCI rises to the level of CUI. Level 1 protects FCI; Levels 2 and 3 protect CUI.
About the Author
Ali Aleali, CISSP, CCSP
Co-Founder & Principal Consultant, Truvo Cyber
Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.