Key Takeaways

1. CMMC Compliance Is Mandatory—Not Optional—for DoD Contractors. With increased enforcement of DFARS and CMMC 2.0, non-compliance can lead to disqualification from contract opportunities.

2. Each CMMC 2.0 Level Has Specific Requirements Based On the Type of Federal Data Handled.
• Level 1 requires an annual self-assessment for FCI.
• Level 2 involves 110 NIST 800-171 controls and may require a third-party assessment.
• Level 3 includes additional NIST 800-172 controls and requires a government-led review.

3. Preparation Is Key to Maintaining Contract Eligibility. Organizations should determine their applicable CMMC level, conduct a gap analysis, and partner with an Authorized C3PAO to prepare for certification.

Compliance with the Cybersecurity Maturity Model Certification (CMMC) is no longer a “nice-to-have” for defense contractors—it’s a requirement. With the Department of Defense (DoD) ramping up enforcement of the Defense Federal Acquisition Regulation Supplement (DFARS) and finalizing the CMMC 2.0 rule, failure to comply can mean the difference between winning and losing contracts. Whether you’re a prime contractor or a subcontractor handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), your eligibility to bid hinges on your ability to meet CMMC 2.0 standards.

In this blog, we’ll explore what’s required at each level of CMMC 2.0, the differences between self-assessments and third-party assessments, and how non-compliance could jeopardize your status in the defense industrial base (DIB).

An Authorized C3PAO helps their client understand the CMMC 2.0 Level 2 assessment guide and CMMC 2.0 Level 2 controls.


Why CMMC Compliance Matters More Than Ever

The DoD has made it clear: contractors that handle sensitive federal data must prove they can protect it. While DFARS 252.204-7012 has long required adherence to NIST SP 800-171, many companies self-attest without formal verification—leaving gaps in cybersecurity readiness. CMMC 2.0 closes those gaps by enforcing verified compliance based on the type of information a contractor handles.

Once the final rule is enacted (expected in late 2025), CMMC 2.0 requirements will begin appearing in DoD solicitations. Contractors will need to meet the appropriate CMMC 2.0 Level at the time of award—and in some cases, at the time of proposal. Without it, you’ll be ineligible to compete.

What Is Required for CMMC 2.0 Level 1, Level 2, and Level 3 Compliance?

Each CMMC level corresponds to the type and sensitivity of data you handle. Here’s what’s required for compliance:

CMMC 2.0 Level 1: Foundational Security for FCI

  • Who it applies to: Contractors handling FCI only.
  • Controls required: 15 basic cybersecurity practices based on FAR 52.204-21.
  • Assessment type: Annual self-assessment using the CMMC 2.0 Level 1 self-assessment guide. Scores must be submitted to the Supplier Performance Risk System (SPRS).
  • Key requirements include: Using antivirus software, updating software regularly, controlling physical access, and managing user accounts.
  • Takeaway: While Level 1 is the most basic, it’s still a requirement. Failure to perform and document your annual self-assessment can lead to disqualification.

CMMC 2.0 Level 2: Advanced Security for CUI

  • Who it applies to: Contractors handling CUI.
  • Controls required: CMMC 2.0 Level 2 controls include 110 practices across 14 control families that are closely aligned with NIST SP 800-171.
  • Assessment type: There are two types of CMMC Level 2 assessments. Check your contractual requirements as they relate to CMMC compliance to determine which assessment is right for you. Additionally, the CMMC 2.0 Level 2 assessment guide includes helpful information on scoping requirements, evidence documentation, and organizational responsibilities.
    • Third-party assessment by an Authorized C3PAO for critical national security programs, required every three years.
    • Annual self-assessment for select non-prioritized acquisitions.
  • Takeaway: Level 2 compliance is not just about checking boxes. It’s about implementing and documenting enterprise-grade security practices—and proving it through an independent assessment.

CMMC 2.0 Level 3: Expert-Level Security for the Most Sensitive CUI

  • Who it applies to: Contractors supporting highly sensitive DoD programs that handle CUI.
  • Controls required: All 110 controls from NIST SP 800-171 plus an additional 24 enhanced controls from NIST SP 800-172.
  • Assessment type: Government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years.
  • Takeaway: Level 3 compliance represents the highest bar in the model and requires advanced cybersecurity capabilities like incident response testing, penetration testing, and real-time threat monitoring.

What Happens If You Don’t Comply?

Non-compliance isn’t just a paperwork problem—it’s a business risk. The consequences include:

  • Disqualification from contract awards.
  • False Claims Act violations for inaccurate self-attestations.
  • Loss of competitive advantage as competitors become compliant.
  • Increased scrutiny during procurement evaluations.

CMMC 2.0 is more than a government requirement—it’s a baseline for doing secure business with the DoD. As enforcement ramps up, CMMC compliance is no longer optional for contractors—it’s essential. The sooner you begin aligning with CMMC 2.0 Level 1, Level 2, or Level 3 requirements, the better positioned you’ll be when the rule goes into effect.

IS Partners is your guiding light for CMMC compliance. As an Authorized Certified Third-Party Assessment Organization (C3PAO), we provide clear guidance, thorough assessments, and an unbiased, detailed audit—ensuring you’re not just meeting compliance but mastering it. Whether certifying CMMC Level 2 compliance or conducting a thorough gap assessment to identify risks, we’re here to help align your existing processes with CMMC regulations. IS Partners has more than 20 years of experience in compliance across industries, providing a tailored approach to audit preparation and certification that has led to a 95% client retention rate.

Want to learn more? Explore our CMMC compliance services today.


What Should You Do Next?

  1. Know Your CMMC Level. Determine whether you handle FCI, CUI, or both, and map your compliance needs accordingly.

  2. Conduct a Gap Analysis. Use approved DoD CMMC self-assessment guides to identify gaps in your security posture or partner with an experienced CMMC compliance consultant to evaluate current controls.

  3. Engage an Authorized C3PAO. For Level 2 third-party assessments, start preparing early by working with an Authorized C3PAO to build a roadmap to certification.
