
CMMC 2.0 is not optional: a plain-English guide for defense contractors.

The DoD's new cybersecurity maturity model is rewriting how defense contractors qualify for contracts. What it actually requires, what it doesn't, and what you should be doing about it right now.

For thirty years, the DoD's relationship to contractor cybersecurity could be summed up in two words: self-attestation. Defense contractors filled out a form, signed it, and shipped it. The form said the right things. Nobody checked.

That era is over. CMMC 2.0 is the end of self-attestation for any contractor that touches Controlled Unclassified Information (CUI), which is most of them. And while the rule has been talked about for years, the enforcement timeline is now real, the assessment ecosystem is now real, and the contracts that exclude non-compliant primes are already being written.

Here's what you need to know.

The three levels and which one applies to you

CMMC 2.0 collapses the original five levels down to three. The level that applies to you is determined by the type of information you handle.

Level 1, Foundational. Contractors handling only Federal Contract Information (FCI). 17 practices, all drawn from FAR 52.204-21. Annual self-assessment is still permitted at this level. If you have a federal contract but never handle CUI, this is you.

Level 2, Advanced. Contractors handling CUI. 110 practices mapped to NIST SP 800-171. Most defense contracts are landing here. Some require self-assessment, but the vast majority of CUI-bearing contracts will require a third-party assessment by a C3PAO (Certified Third-Party Assessor Organization).

Level 3, Expert. Contractors handling CUI on programs with the highest threat profile. 110 NIST 800-171 controls plus selected practices from NIST 800-172. Always assessed by DIBCAC (DoD's own assessment body). This is a small fraction of contractors but it's growing.

The right question isn't "do I need to be CMMC compliant." The right question is "at what level, and how soon does my contracting officer want proof."

The phased rollout (and why it's not a delay)

The Final Rule went into effect in late 2024. Implementation phases in over three years:

If your read of that is "OK, I have three years", you don't. Contracting officers can include CMMC requirements in any new contract starting now. And because the C3PAO assessment ecosystem is capacity-constrained, the contractors who start late are going to find themselves at the back of a long queue.

The four things every contractor should be doing today

1. Determine your scope. Where does CUI live in your environment? Most contractors discover during scoping that CUI is sitting in places they didn't expect: employee laptops, shared drives, email threads. Scope discovery alone often takes 30–60 days.

2. Get an honest self-assessment against NIST 800-171. Not a vendor checklist. An actual control-by-control walk-through. You will not pass on the first attempt. That's normal. The point is to know your gap.

3. Build the System Security Plan (SSP) and Plan of Action & Milestones (POA&M). These are not optional. A C3PAO will not assess you without them. The SSP describes how each of the 110 controls is implemented in your environment. The POA&M tracks gaps and remediation timelines.

4. Start remediation now, not after the contract requires it. The single most common reason contractors fail their first C3PAO assessment is that they started remediation 60 days before the assessment date. Most controls take longer than that to mature operationally.

A note on POA&Ms

CMMC 2.0 permits POA&Ms only on a limited subset of controls, and only for 180 days. You cannot “POA&M your way to compliance.” Critical controls have to be in place at assessment time. Don't let a vendor tell you otherwise.

The trap most contractors fall into

The trap is buying a tool. There are dozens of CMMC compliance platforms. They produce nice dashboards. The dashboards say you're 78% compliant. They do not, by themselves, make you actually compliant.

CMMC is an operational standard. The controls describe how your organization runs: how you handle access, how you patch, how you train people, how you respond when something breaks. A dashboard doesn't run any of that. People do. Process does. The dashboard is at best a tracker.

If you're serious about getting to Level 2, you need three things: someone who understands how the standard maps to your actual operations, a remediation plan tied to that mapping, and a clear path from where you are to an assessment-ready state. The tool helps with the third leg. Without the first two, the tool is a $40K screensaver.

Where we can help

ALCE's Federal Compliance track, including Compliance Search, RMF Automation, and ATO Accelerator, is in active development. The agents are built specifically to compress the gap-assessment, SSP-drafting, and POA&M-tracking work that today takes contractors months and consumes months of consultant hours.

If you're a defense contractor who knows you need to get to CMMC Level 2 and you don't know where to start, the right next step is a conversation. Email us. We'll walk you through what we'd do first if it were our company, with no pitch.
