
Preparing for the CMMC 2.0 Compliance Deadline

Trout Team · 3 min read

The Clock Is Ticking

The CMMC 2.0 final rule has been published, and the Department of Defense is moving forward with phased implementation. For defense contractors who handle Controlled Unclassified Information (CUI), this means one thing: the time to prepare is now.

Unlike the original CMMC framework, version 2.0 streamlines the model into three levels and aligns directly with existing NIST standards. For the vast majority of contractors in the Defense Industrial Base, CMMC Level 2 — which maps to all 110 controls in NIST SP 800-171 — is the target.

What's Changed in CMMC 2.0

The key changes from the original framework include:

  • Reduced from 5 levels to 3 — Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert)
  • Direct alignment with NIST standards — Level 2 maps 1:1 to NIST SP 800-171 Rev 2
  • Third-party assessments required for Level 2 — Certified Third-Party Assessment Organizations (C3PAOs) will conduct evaluations
  • Plan of Action & Milestones (POA&M) — Limited use of POA&Ms allowed for some controls, with strict timelines

What You Need to Do Now

1. Determine Your Required Level

Review your existing contracts and anticipate future solicitations. If your contracts involve CUI (most do if you're in the DIB), you'll need Level 2.

2. Conduct a Gap Assessment

Compare your current security posture against all 110 NIST 800-171 controls. Identify gaps and prioritize remediation based on risk and assessment readiness.

3. Build Your System Security Plan (SSP)

Your SSP documents how your organization implements each security control. This is the first thing a C3PAO assessor will ask for. It needs to be thorough, accurate, and current.

4. Calculate Your SPRS Score

The Supplier Performance Risk System (SPRS) score quantifies your compliance posture. A perfect score is 110; anything below indicates gaps. Submit your score to the DoD SPRS portal.

5. Implement Technical Controls

This is where many organizations struggle. Controls around access management, network segmentation, encryption, monitoring, and incident response require real technical infrastructure — not just policies on paper.
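One way to carry the gap assessment (step 2) through to the SPRS score (step 4), as an added example that is not code from the original post or from Trout: it scores a constructed list of control findings with the DoD NIST SP 800-171 Assessment Methodology's scheme (start at 110, subtract each unmet control's 5-, 3- or 1-point weight, partial credit only for 3.5.3 and 3.13.11) and orders the gaps for remediation, applying the CMMC final rule's POA&M limits (1-point items only, 3.13.11 at its partial value, score of at least 88). The sample control ids, weights and statuses are constructed for illustration; weights for a real assessment come from the methodology's own table.

```python
from dataclasses import dataclass

MAX_SCORE = 110                              # all 110 NIST SP 800-171 controls implemented
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}  # the only controls that earn partial credit
POAM_MIN_SCORE = 88                          # 80% of 110: floor for a conditional Level 2 status


@dataclass
class Control:
    id: str       # NIST SP 800-171 requirement id
    weight: int   # 5, 3 or 1, per the DoD assessment methodology (assumed values in SAMPLE)
    status: str   # "implemented", "partial", "not_implemented" or "not_applicable"


def deduction(c: Control) -> int:
    """Points subtracted for one control; N/A counts as met but must be justified in the SSP."""
    if c.status in ("implemented", "not_applicable"):
        return 0
    if c.status == "partial" and c.id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[c.id]
    return c.weight  # every other gap, including other partials, is a full deduction


def sprs_score(controls: list) -> int:
    return MAX_SCORE - sum(deduction(c) for c in controls)


def poam_eligible(c: Control) -> bool:
    """CMMC final rule: only 1-point gaps may sit on a POA&M, plus 3.13.11 at its 3-point partial value."""
    return deduction(c) > 0 and (c.weight == 1 or (c.id == "3.13.11" and deduction(c) == 3))


def remediation_plan(controls: list) -> list:
    """Gaps that block certification first, then by point impact, then by id."""
    gaps = [c for c in controls if deduction(c) > 0]
    return sorted(gaps, key=lambda c: (poam_eligible(c), -deduction(c), c.id))


def conditional_status_possible(controls: list) -> bool:
    """True only if the score clears the floor and every remaining gap is POA&M-eligible."""
    gaps = [c for c in controls if deduction(c) > 0]
    return sprs_score(controls) >= POAM_MIN_SCORE and all(poam_eligible(c) for c in gaps)


# Constructed sample: only controls with findings are listed; all others are treated as implemented.
SAMPLE = [
    Control("3.1.1", 5, "implemented"),
    Control("3.5.3", 5, "partial"),           # MFA for users, but not for all privileged/network access
    Control("3.13.11", 5, "partial"),         # encryption present but not FIPS-validated
    Control("3.3.1", 5, "not_implemented"),   # no audit logging
    Control("3.14.7", 3, "not_implemented"),  # no monitoring for unauthorized use
    Control("3.1.9", 1, "not_implemented"),   # no privacy/security notices
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))  # 110 - (3 + 3 + 5 + 3 + 1) = 95
    for c in remediation_plan(SAMPLE):
        print(f"{c.id:8} -{deduction(c)}  {'POA&M eligible' if poam_eligible(c) else 'fix before assessment'}")
```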

The On-Premise Advantage

Many contractors are being told they need to migrate to GCC High or similar cloud enclaves. While that's one path, it's not the only one — and for manufacturers and organizations with legacy OT equipment, it's often impractical.

An on-premise approach using purpose-built security appliances can deliver the same compliance outcomes without:

  • Cloud migration costs and complexity
  • Disruption to existing operations
  • Dependency on third-party cloud infrastructure
  • Monthly per-user subscription fees

Don't Wait for the Assessment

The biggest mistake contractors make is waiting until assessments are required in their contracts. By that point, the queue for C3PAO assessments will be long, and remediation timelines will be tight.

Start now. Conduct your gap assessment, build your SSP, and deploy the technical controls you need. When assessment day comes, you'll be ready — not scrambling.