
CMMC 2.0: A Defense Contractor’s Roadmap

15 June 2026·9 min read·Cyber Horizon Team

The Cybersecurity Maturity Model Certification (CMMC) 2.0 turns the US Department of Defense’s security expectations into a hard contractual gate. If you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), your ability to win and keep DoD work now depends on it.

Three levels, scaled to sensitivity

CMMC 2.0 streamlined the original five levels down to three, each tied to the kind of information you handle and how it’s assessed.

Level                   | Applies to              | Assessment
Level 1 — Foundational  | FCI only                | Annual self-assessment
Level 2 — Advanced      | CUI (NIST 800-171)      | Third-party (C3PAO) assessment every 3 years
Level 3 — Expert        | High-priority CUI       | Government-led assessment

CMMC is NIST 800-171, enforced

Level 2 maps directly to the 110 controls of NIST SP 800-171. The difference from the old days is enforcement: instead of self-attesting to compliance you didn’t have, a certified third-party assessor (C3PAO) verifies it. The honour system is over.

What trips contractors up

Scoping CUI

Most teams either overscope or underscope. Map exactly where CUI lives, how it flows and where it is stored before doing anything else.

The SSP and POA&M

A System Security Plan is mandatory. Plans of Action & Milestones are allowed only for limited, lower-weighted gaps.

Inherited controls

If you rely on a cloud provider, you need FedRAMP-aligned services and a clear shared-responsibility split.

Evidence, not intentions

Assessors want artefacts — logs, configs, policies with dates — not a description of how things ought to work.

A path to certification

  • Determine your required level from your contracts and the data you handle.
  • Scope your CUI environment and, where possible, shrink it (enclaves help).
  • Assess against NIST 800-171 and calculate your SPRS score.
  • Remediate gaps; document an SSP and any permitted POA&Ms.
  • Engage a C3PAO for the Level 2 assessment.
  • Maintain continuously — certification lapses if controls drift.

The bottom line

CMMC 2.0 makes cybersecurity a precondition for doing business with the DoD. The contractors who win are the ones treating it as an ongoing programme — with scoped CUI, a living SSP, and evidence collected continuously rather than scrambled together before an assessment.

Get CMMC-ready with continuous evidence

Cyber Horizon tracks NIST 800-171 / CMMC controls, automates evidence collection, and keeps your SSP and SPRS posture current between assessments.
