CMMC is no longer a future requirement. As of 2026 it is a live condition of winning DoD work, written into new solicitations and enforced through a phased rollout that is already underway. The original five-level framework announced in 2020 was paused in 2021 and never implemented. The three-level program that replaced it, commonly called CMMC 2.0, is what governs defense cybersecurity today, and now that the rule is finalized it is increasingly referred to simply as CMMC.
Here is where things stand. Phase 1 of the rollout began in November 2025, so self-assessment requirements are appearing in contracts now. Phase 2 begins in November 2026, when Level 2 third-party certification becomes a standard requirement on contracts involving Controlled Unclassified Information. For most contractors, that is the deadline that matters, and it is months away, not years.
This guide explains the current CMMC structure, what each level requires, where the rollout stands, and the practical steps to get ready before certification is a condition of your next award.
The Current CMMC Structure
CMMC was revised after industry feedback that the original framework was too complex and costly. The program in effect today reflects that revision.
Three Levels, Mapped to Information Sensitivity
The original five levels were condensed to three:
- Level 1 (Foundational): Protects Federal Contract Information (FCI) through basic safeguarding practices.
- Level 2 (Advanced): Protects Controlled Unclassified Information (CUI) using the NIST SP 800-171 controls.
- Level 3 (Expert): Protects CUI on the most sensitive programs, adding a subset of enhanced controls from NIST SP 800-172.
This removed the intermediate levels that created confusion in the original model. Your required level now maps cleanly to the sensitivity of the information you handle.
A Risk-Based Assessment Model
CMMC distinguishes between self-assessments and third-party certifications based on risk. Organizations that handle only FCI can meet Level 1 through an annual self-assessment rather than a third-party evaluation, which removes a significant cost for a large share of the defense industrial base. For work involving CUI, the contract determines whether a Level 2 self-assessment or a third-party certification applies, a distinction covered below. As of early 2026, NIST SP 800-171 self-assessment and score reporting run through the CMMC framework in the Supplier Performance Risk System (SPRS), rather than through the separate DFARS process that existed before.
Level 1 Self-Assessment for Federal Contract Information
Level 1 applies to contracts involving Federal Contract Information, meaning unclassified information provided by or generated for the government that is not intended for public release. Organizations complete an annual self-assessment against 17 basic safeguarding practices and submit an annual affirmation, with no external assessor required.
The self-assessment requires documented evidence of how each of the 17 practices is implemented. Key documentation includes:
- System security policies covering all required practices
- Network diagrams showing information boundaries
- Access control records identifying authorized users
- Incident response procedures and contact information
- Media sanitization and disposal records
Executive leadership affirms the accuracy of the self-assessment annually in SPRS. That affirmation carries legal weight, so it should sit on top of a real internal review rather than a rushed sign-off. The most common failures are incomplete documentation, weak evidence, and assessments that are never updated after a system change. Level 1 is a program you maintain, not a once-a-year checkbox.
Level 2 Certification Requirements
Level 2 is the most common requirement, since it covers organizations that handle CUI.
Self-Assessment and Third-Party Paths
Level 2 has two assessment types. Some contracts allow a Level 2 self-assessment, while others require certification by a Certified Third-Party Assessment Organization (C3PAO). The contract specifies which, and as Phase 2 arrives in November 2026, third-party certification becomes the standard for most CUI work. C3PAOs are DoD-accredited and staffed by trained assessors, and their availability is limited, so scheduling early matters.
Both paths assess the same 110 security controls across 14 domains derived from NIST SP 800-171: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.
A Level 2 certification is valid for three years and is maintained through an annual affirmation of continuous compliance in SPRS, not a full reassessment each year. Plan on roughly three to six months of preparation before an assessment, depending on your current posture.
Documentation Standards
CMMC emphasizes documentation that demonstrates control effectiveness. The cornerstone is the System Security Plan (SSP), which describes how each control is implemented, the system boundary, and the responsible personnel. You can start from our free System Security Plan template. The SSP is the primary assessment artifact and must reflect your actual practices.
Plans of Action and Milestones (POA&Ms) document any control gaps, with specific remediation steps, owners, and timelines. Under CMMC, only certain lower-weight controls can be placed on a POA&M, and they must be closed within 180 days, so a POA&M is a short bridge, not a parking lot.
Evidence requirements extend beyond policies to configuration files, log samples, training records, and policy acknowledgments. A systematic evidence repository is what makes both the assessment and the ongoing affirmations manageable.
Where the Rollout Stands in 2026
CMMC became enforceable through two rules, in sequence. The 32 CFR program rule, which took effect on December 16, 2024, established the program and made assessments available but did not yet put CMMC into contracts. The 48 CFR acquisition rule did that: it took effect on November 10, 2025 and authorized contracting officers to require CMMC as a condition of award.
From there, requirements phase in over four stages, each starting one year apart:
- Phase 1 (began November 10, 2025): Level 1 and Level 2 self-assessment requirements appear in new contracts. Contracting officers may require a Level 2 C3PAO certification for sensitive work at their discretion. This phase is active now.
- Phase 2 (November 10, 2026): Level 2 C3PAO certification becomes a standard requirement on new and renewing contracts involving CUI.
- Phase 3 (November 10, 2027): Level 3 requirements are added for the most sensitive programs.
- Phase 4 (November 10, 2028): Full implementation across all applicable contracts.
Because Phase 1 is active, CMMC language is in solicitations today, and the Phase 2 certification requirement is only months out. Review your contract language and confirm with your contracting officers which level applies to your portfolio, rather than waiting for a requirement to surprise you mid-pursuit.
Flow-Down Through the Supply Chain
Prime contractors are responsible for ensuring subcontractor CMMC compliance when CUI flows through the supply chain, which creates cascading certification requirements across the defense industrial base. Subcontractors handling CUI must reach the appropriate level before award, and primes must verify status and monitor it during performance. This raises due diligence requirements and can affect vendor qualification, so it is worth assessing your supply chain’s readiness now and lining up alternatives for any supplier that is not on track.
How the Current Program Differs from the Original Framework
If you encountered CMMC during its first iteration, the program looks different today. The original framework never reached implementation, and the changes that replaced it are the reason the current model is more workable. Here is the contrast.
| Aspect | CMMC 1.0 (paused 2021) | CMMC 2.0 (in force) |
|---|---|---|
| Certification Levels | 5 levels (1-5) | 3 levels (Foundational, Advanced, Expert) |
| Assessment Method | All third-party assessments | Self-assessment (Level 1, some Level 2) plus third-party certification (Level 2 and 3) |
| Level 1 Requirements | 17 practices, third-party assessed | 17 practices, self-assessed annually |
| Level 2 Requirements | 72 practices across 14 domains | 110 controls aligned with NIST SP 800-171 |
| Certification Maintenance | 3 years, all levels | Level 1: annual self-assessment and affirmation. Levels 2 and 3: 3-year certification with annual affirmation |
| Documentation Focus | Process maturity emphasis | Security control effectiveness emphasis |
| Status | Suspended before implementation | Phase 1 active since November 2025; full implementation by 2028 |
The shift reflects a focus on practical security implementation over administrative complexity, which is the direct reason the program finally moved from proposal to enforcement.
What to Do Now
With Phase 1 active and Level 2 certification arriving on contracts this November, preparation is time-sensitive. This checklist gives you a structured starting point.
Immediate Steps (Next 30 Days)
Conduct a gap assessment. Evaluate your current controls against the level that applies to you, document what is implemented, and identify what needs remediation. Outside help can keep that assessment complete and honest.
Review your contract portfolio. Analyze existing and anticipated contracts for CMMC requirements and the levels involved, including your prime relationships and any subcontracting you depend on.
Plan the budget. Estimate certification costs, including assessment fees, remediation, technology upgrades, and ongoing maintenance. For implementation support, some organizations use virtual CISO services rather than hiring a full-time security executive.
Medium-Term Actions (3-6 Months)
Develop your documentation. Build out the policies, procedures, and System Security Plan the assessment relies on, prioritizing the CMMC audit preparation work that supports both certification and ongoing compliance.
Select and engage a C3PAO. If your contracts require third-party certification, engage a qualified assessor early. Availability tightens as the Phase 2 deadline approaches, so booking ahead protects your timeline.
Train your team. Build cybersecurity awareness that supports the requirements, covering security policies, incident response, and each person’s role in protecting information.
It is also worth reviewing your CMMC Level 2 audit readiness checklist and considering professional DFARS compliance services to keep preparation on track.
The Bottom Line for 2026
CMMC is the established standard for defense cybersecurity, and the rollout that makes it a condition of award is already in motion. The streamlined three-level program is more workable than the original framework, but certification still takes real preparation and ongoing maintenance.
With Phase 1 active and Level 2 third-party certification arriving on contracts in November 2026, the contractors preparing now hold a clear advantage in pursuit and award. The contractors who treat CMMC as part of their overall security program, rather than a standalone compliance task, get there at lower ongoing cost.
Want to know where you stand? Download our CMMC Level 2 Audit Readiness Checklist or schedule a readiness assessment.
