
After years of rulemaking and delays, the Cybersecurity Maturity Model Certification (CMMC) 2.0 is now being enforced in Department of Defense contracts. If your business handles Controlled Unclassified Information (CUI) as a DoD contractor or subcontractor, CMMC certification is a contract requirement — not a nice-to-have.
The stakes are concrete: without the required CMMC level, you cannot bid on or perform DoD contracts that specify CMMC requirements. For many defense contractors, this represents the majority of their revenue.
CMMC 2.0: What Changed
CMMC 2.0 simplified the original five-level model into three tiers:
Level 1: Foundational (Self-Assessment)
- 15 practices: the basic safeguarding requirements of FAR 52.204-21 (early CMMC 2.0 material counted 17 practices; the final rule uses the 15 requirements exactly as written in the FAR clause)
- Self-assessment — no third-party certification required
- Annual affirmation by a senior company official
- Who needs it: Organizations that handle Federal Contract Information (FCI) but not CUI
Level 1 covers basics: access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. Most of these practices should already be in place for any professionally managed IT environment.
Level 2: Advanced (Third-Party Assessment)
- 110 practices from NIST SP 800-171 Rev 2
- Third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) for critical programs
- Self-assessment for select non-critical programs
- Triennial recertification with annual affirmation
- Who needs it: Organizations that handle CUI
Level 2 is where the majority of the compliance burden falls. The 110 practices span 14 control families and require significant investment in technology, processes, and documentation. This is the level most defense contractors and subcontractors must achieve.
Level 3: Expert (Government Assessment)
- All 110 Level 2 requirements plus 24 enhanced requirements selected from NIST SP 800-172
- Government-led assessment by the DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), with a current Level 2 C3PAO certification as the prerequisite
- Who needs it: Organizations handling CUI for the highest-priority programs
Level 3 is relevant only for contractors working on the most sensitive DoD programs.
The 110 NIST 800-171 Controls: What They Actually Require
Understanding what's required is the first step. Here's a plain-English overview of the 14 control families:
Access Control (22 practices)
Who can access what, and how is that access controlled? This family covers account management, enforcement of approved authorizations, control of CUI flow between systems, separation of duties, least privilege (including non-privileged accounts for everyday work), session lock and termination, remote access (authorization, monitoring, and routing through managed access points), wireless, mobile devices, portable storage, and publicly accessible systems. The multifactor authentication requirement itself sits in the Identification and Authentication family (3.5.3), but remote and privileged access controls in this family are not defensible without it.
Awareness and Training (3 practices)
All users must receive security awareness training. Managers and system administrators need role-specific training. Training must be documented and updated.
Audit and Accountability (9 practices)
Every system inside the CUI boundary must generate audit records, and each record must carry enough detail (who, what, when, where, outcome) to trace an action to a specific user. Logs must be protected from unauthorized access, modification and deletion; reviewed and correlated regularly; retained; and time-stamped from a synchronized, authoritative clock source so that events across systems can be reconciled.
Configuration Management (9 practices)
Systems must be built to documented security baselines and kept in a current inventory. Changes must go through a documented change control process that includes a security impact analysis. Software and services must be restricted to what is essential, with application execution controlled by an allow-by-exception or deny-by-exception policy. Configuration settings must be enforced and documented.
Identification and Authentication (11 practices)
Users, processes, and devices must be uniquely identified and authenticated. Passwords must meet minimum complexity rules, cannot be reused for a set number of generations, and must be stored and transmitted only in cryptographically protected form. MFA is required for local and network access to privileged accounts and for network access to non-privileged accounts (3.5.3); remote access is network access, so it is always covered. Default credentials must be changed. Replay-resistant authentication is required for network access.
Incident Response (3 practices)
You must have a documented incident handling capability covering preparation, detection, analysis, containment, recovery, and user response, and you must test it. Incidents must be tracked, documented, and reported to designated internal officials and external authorities; for CUI on covered systems, DFARS 252.204-7012 requires rapid reporting of cyber incidents to DoD within 72 hours of discovery.
Maintenance (6 practices)
System maintenance must be controlled and documented. Remote (nonlocal) maintenance sessions must be authenticated with MFA, monitored, and terminated when complete. Maintenance tools and media must be checked for malicious code before use. Equipment removed for off-site maintenance must be sanitized of any CUI first, and maintenance personnel without authorization must be supervised.
Media Protection (9 practices)
Media containing CUI must be marked, access-controlled, and physically protected. CUI on digital media must be protected with cryptographic mechanisms during transport outside controlled areas unless it is otherwise physically protected, and portable storage must be restricted to devices with an identifiable owner. Media must be sanitized or destroyed before disposal or reuse.
Personnel Security (2 practices)
Personnel with CUI access must be screened. CUI access must be revoked when personnel leave or change roles.
Physical Protection (6 practices)
Physical access to systems handling CUI must be controlled, monitored, and logged. Visitors must be escorted. Physical access devices (keys, badges) must be managed.
Risk Assessment (3 practices)
Regular risk assessments must be conducted and documented. Systems and applications must be scanned for vulnerabilities periodically and whenever new vulnerabilities affecting them are identified, and findings must be remediated according to the assessed risk.
Security Assessment (4 practices)
Security controls must be periodically assessed and monitored on an ongoing basis, and the System Security Plan kept current. A plan of action and milestones (POA&M) must be maintained for identified deficiencies, but note that for the CMMC assessment itself an open POA&M is allowed only within narrow limits: the assessment score must be at least 80 percent, only low-weight requirements may remain open, a short list of requirements may never be deferred, and the items must be closed out in a follow-up assessment within 180 days of the conditional certification.
System and Communications Protection (16 practices)
Network communications must be monitored and controlled at external and key internal boundaries. CUI must be encrypted in transit, and any cryptography used to protect the confidentiality of CUI must be FIPS-validated (3.13.11), which is one of the most frequently failed requirements because TLS being enabled is not the same as the cryptographic module being validated. Network segmentation must separate CUI-handling systems from the rest of the enterprise. Shared system resources must be controlled so that CUI does not leak between users or processes. VoIP and collaboration tools must be protected, and cryptographic keys must be managed.
System and Information Integrity (7 practices)
System flaws must be identified, reported, and corrected in a timely manner (patching). Malicious code protection must be deployed at designated boundaries and on endpoints, kept current, and configured to scan periodically and in real time as files from external sources are downloaded, opened, or executed. Security alerts and advisories must be monitored and acted on. Systems and inbound and outbound traffic must be monitored for attacks and unauthorized use. Spam protection is required at the email boundary.
The Assessment Process
Preparing for a C3PAO Assessment
Assessors use the methods in NIST SP 800-171A (examine, interview, test) to decide, for each practice, whether every assessment objective is MET; a single unmet objective makes the practice NOT MET. In practice that means each practice is judged on three dimensions:
- Is the practice implemented? (Technical evidence the assessor can examine and test)
- Is it documented? (Policies, procedures, and a System Security Plan that match what is actually deployed)
- Is it effective? (Demonstrated through testing, interviews with the people who operate it, and operational evidence such as logs and exercise records)
You must prepare:
- System Security Plan (SSP) — A comprehensive document describing your information system, security boundaries, and how each of the 110 practices is implemented
- Plan of Action & Milestones (POA&M) — Documentation of any gaps, with remediation plans and timelines
- Evidence artifacts — Technical configurations, policies, training records, test results, audit logs, and other evidence supporting each practice
- Network diagrams and data flow diagrams — Showing the CUI boundary and all data flows
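As an added, runnable example (not Layer27 code or tooling, and not part of the original article), the Python below turns the evidence inventory from the steps above into a readiness report. For each practice it records which of the three dimensions (implemented, documented, tested) is still missing, computes the DoD Assessment Methodology score (start at 110, subtract the 1, 3, or 5 point weight of each NOT MET requirement), and applies the POA&M limits from 32 CFR 170.21: score at least 80 percent, only 1-point requirements open, 3.13.11 allowed at 3 points when encryption is in place but not FIPS-validated, and five requirements that may never be deferred. The practice weights in the sample inventory are constructed for illustration only; take the real values from the DoD Assessment Methodology table, and check the current rule text before relying on the eligibility logic.

```python
"""CMMC Level 2 readiness report: evidence triage plus DoD Assessment Methodology scoring.

Added example, not Layer27 code. Weights in SAMPLE_INVENTORY are CONSTRUCTED for
illustration; the authoritative 1/3/5 weights are in the DoD Assessment Methodology.
"""
from dataclasses import dataclass

MAX_SCORE = 110            # methodology: start at 110, subtract the weight of each unmet item
POAM_MIN_RATIO = 0.8       # 32 CFR 170.21(a)(2)(i): score / 110 >= 0.8, i.e. at least 88
# 32 CFR 170.21(a)(2)(iii): these 1-point requirements may never be left open on a POA&M
POAM_NEVER = frozenset({"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"})
DIMENSIONS = ("implemented", "documented", "tested")


@dataclass
class Practice:
    req_id: str            # NIST SP 800-171 Rev 2 requirement number, e.g. "3.5.3"
    weight: int            # 1, 3 or 5; real value comes from the DoD Assessment Methodology
    implemented: bool      # technical evidence exists (assessor can examine/test it)
    documented: bool       # described in the SSP and backed by policy/procedure
    tested: bool           # operational evidence that it works (exercise records, results)
    partial: bool = False  # 3.13.11 only: encryption deployed but module not FIPS-validated

    def missing(self) -> list:
        """Dimensions still lacking evidence; empty list means MET."""
        return [d for d in DIMENSIONS if not getattr(self, d)]

    def met(self) -> bool:
        return not self.missing()

    def deduction(self) -> int:
        """Points subtracted from 110 for this practice."""
        if self.met():
            return 0
        if self.req_id == "3.13.11" and self.partial:
            return 3       # methodology: non-FIPS encryption scores 3 instead of 5
        return self.weight

    def poam_eligible(self) -> bool:
        """May this unmet practice stay open on a POA&M at assessment time?"""
        if self.met() or self.req_id in POAM_NEVER:
            return False
        if self.req_id == "3.13.11":
            return self.deduction() <= 3   # 170.21(a)(2)(ii) exception for CUI encryption
        return self.weight == 1            # otherwise only 1-point requirements may be open


def assess(practices: list) -> dict:
    """Score a (possibly partial) inventory. Practices not listed are ASSUMED MET,
    which is how a draft self-assessment usually starts; list everything before filing."""
    unmet = [p for p in practices if not p.met()]
    score = MAX_SCORE - sum(p.deduction() for p in unmet)
    blockers = sorted(p.req_id for p in unmet if not p.poam_eligible())
    return {
        "score": score,
        "unmet": sorted(p.req_id for p in unmet),
        "poam_blockers": blockers,          # must be fixed before the assessment, no deferral
        "poam_allowed": score / MAX_SCORE >= POAM_MIN_RATIO and not blockers,
        "gaps": {p.req_id: p.missing() for p in unmet},
    }


# CONSTRUCTED sample inventory; weights are illustrative, not the official table.
SAMPLE_INVENTORY = [
    Practice("3.1.1", 5, True, True, True),                 # account management: done
    Practice("3.1.20", 1, True, True, False),               # external connections: never deferrable
    Practice("3.2.3", 1, True, False, True),                # insider-threat awareness: policy gap
    Practice("3.3.1", 5, True, False, True),                # logs exist, SSP says nothing about them
    Practice("3.5.3", 5, True, True, True),                 # MFA: done
    Practice("3.13.11", 5, True, True, False, partial=True),  # TLS on, modules not FIPS-validated
]

if __name__ == "__main__":
    report = assess(SAMPLE_INVENTORY)
    print(f"Score: {report['score']}/{MAX_SCORE}")
    for req_id, gaps in report["gaps"].items():
        print(f"  {req_id:8} NOT MET, missing: {', '.join(gaps)}")
    print("POA&M blockers:", ", ".join(report["poam_blockers"]) or "none")
    print("Eligible for conditional certification with POA&M:", report["poam_allowed"])
```

Running the sample gives a score of 100, which clears the 88-point floor, yet the report still says a POA&M is not allowed: 3.1.20 is on the never-defer list and 3.3.1 is a 5-point requirement, so both must be fully closed (and the SSP updated) before the C3PAO arrives. That distinction between "score is high enough" and "nothing disqualifying is open" is the one most teams miss when they plan remediation by point value alone.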
Common Assessment Pitfalls
- Underscoping — Failing to include in the assessment boundary every asset that stores, processes, or transmits CUI, plus the Security Protection Assets (SIEM, identity provider, EDR console) that protect them and any external service provider that touches CUI; the CMMC scoping guidance defines these categories, and assessors will test the boundary you declare
- Documentation gaps — Technical controls are in place but not documented in policies or the SSP
- Untested controls — Incident response plans that have never been exercised, backups that have never been restored
- Shared environments — Using commercial cloud services to store or process CUI without confirming that the offering meets the FedRAMP Moderate baseline (or equivalent) required by DFARS 252.204-7012, and without a customer responsibility matrix showing which of the 110 practices you inherit from the provider and which remain yours to implement and evidence
- Personnel gaps — Lack of training documentation, missing background screenings
How Layer27 Helps You Get Certified
Layer27 has guided multiple organizations through successful CMMC assessments. Our approach combines Protect Pro managed services with dedicated Compliance support:
- Gap assessment — We evaluate your current state against all 110 NIST 800-171 practices and produce a detailed gap analysis
- SSP development — We develop your System Security Plan and all supporting documentation
- Technical remediation — We implement the technical controls needed to close gaps: MDR, access controls, encryption, network segmentation, logging, and monitoring
- Policy development — We create the policies and procedures required for each control family
- Training — Security Awareness Training satisfies the awareness and training control family
- Assessment preparation — We prepare your team for the C3PAO assessment process
- Ongoing compliance — After certification, Protect Pro maintains your security posture for triennial recertification
CMMC certification is complex, but it doesn't have to be overwhelming. Layer27 has the compliance expertise and managed services infrastructure to take you from gap assessment to certification. Contact us for a CMMC readiness assessment.