
CMMC 2.0 Explained — Levels, Timeline & a Small-Manufacturer Guide

By 2028 every DoD contract handling sensitive information will require Cybersecurity Maturity Model Certification. Here's what that actually means for a 20-person job shop in 2026 — in plain English.

What CMMC actually is — without the jargon

The Cybersecurity Maturity Model Certification programme is the U.S. Department of Defense's answer to a long-running problem: the department gives contractors sensitive information, some contractors handle it badly, and the information ends up in the wrong hands. CMMC sets a minimum cybersecurity bar and — critically — requires that contractors prove they meet it before being awarded a contract.

There are two categories of sensitive information CMMC is built around:

  • Federal Contract Information (FCI) — non-public information generated by, or provided for the development of, a DoD contract. Roughly "the stuff in the contract you wouldn't put on a billboard."
  • Controlled Unclassified Information (CUI) — a broader category covering technical drawings, engineering specifications, ITAR / EAR controlled data, manufacturing instructions, defence test results, and dozens of other categories. Includes anything previously marked "For Official Use Only" (FOUO).

Almost any small machine shop or fabricator that has a DoD purchase order will touch FCI. If you receive technical data packages, drawings, or build instructions for a defence end-item, you almost certainly handle CUI.

The three levels

Level 1 — Foundational (15 practices, self-assessed)

Required for any contractor handling FCI but not CUI. The 15 practices map to FAR 52.204-21 — the basic safeguarding clause that has been in federal contracts for years. They include limiting system access to authorised users, enforcing identification and authentication, sanitising media before disposal, and controlling physical access.

Compliance is achieved via annual self-assessment and a signed senior-official affirmation. No third-party assessor required, but the affirmation is a legal attestation — see the False Claims Act section below before checking that box.

Level 2 — Advanced (110 controls, third-party assessed)

Required for any contractor handling CUI. The 110 controls map exactly to NIST Special Publication 800-171, organised into 14 control families. This is where most small-to-mid DoD subcontractors land.

Compliance is achieved via third-party assessment by a Certified Third-Party Assessor Organisation (C3PAO) for the vast majority of contracts. (A narrow band of contracts permits self-assessment at Level 2; you don't get to choose which.) Certification is valid for three years, with annual affirmations of continued compliance.

Level 3 — Expert (110 + 24 enhanced, government-assessed)

Required for contractors working on the highest-priority programmes — roughly defined as those most likely to be targeted by advanced persistent threats. Adds 24 controls from NIST SP 800-172 on top of the 110 at Level 2, and is assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not a commercial C3PAO.

Fewer than 100 companies are expected to need Level 3 in any given year. If you're reading this article, you're almost certainly not one of them.

The rollout timeline

  • December 2024 — CMMC 2.0 final rule published by DoD.
  • 2025 — Phase 1: CMMC clause begins appearing in select new DoD contracts. Self-assessment Level 1 / 2 paths permitted where the clause applies.
  • 2026 — Phase 2: C3PAO Level 2 assessment requirements activate for many new contracts. Self-attestation pathway narrows.
  • 2027 — Phase 3: Level 3 (DIBCAC) assessments activate for relevant programmes.
  • 2028 — Phase 4: Full implementation across all applicable DoD contracts. Every covered contract carries the appropriate CMMC clause.

In practice, primes are already asking subcontractors for CMMC plans during supplier qualification, even ahead of the clause appearing in the downstream PO. If your prime asks and you don't have an answer, you quietly drop off their preferred-vendor list.

The relationship to DFARS 252.204-7012

The existing DFARS 252.204-7012 clause has required contractors handling CUI to implement NIST SP 800-171 since 2017. DFARS 252.204-7019 (added in 2020) requires contractors to score themselves against 800-171 and post the score in DoD's Supplier Performance Risk System (SPRS).

CMMC doesn't replace these clauses — it adds a third-party verification layer. Today: you self-score against 800-171 and post the number. After CMMC takes effect: you also need an independent C3PAO to verify the score. We unpack this further in our companion article DFARS 252.204-7012 vs CMMC — How They Relate.

The False Claims Act exposure

This is the most-underestimated risk in the small-DoD-subcontractor community, and it's why we treat the annual self-affirmation as a legal document rather than a checkbox.

The Department of Justice's Civil Cyber-Fraud Initiative, launched in 2021, prosecutes federal contractors who misrepresent their cybersecurity posture under the False Claims Act. Recent settlements:

  • Aerojet Rocketdyne — $9 million (2022) for misrepresenting compliance with DFARS cyber requirements.
  • Verizon Business Network Services — $4 million (2023) for false claims about IT security on federal contracts.
  • Multiple defence subcontractors — undisclosed settlements throughout 2024–2025.

A disgruntled IT employee can file a qui tam (whistleblower) lawsuit against you on the government's behalf and collect a percentage of any settlement — which means the people most likely to know whether your security claims are honest are also the people with the strongest incentive to report you if they aren't. Don't sign an affirmation you can't defend.

Seven questions every small DoD subcontractor should be able to answer

  1. Do we handle FCI, CUI, or both? Check every active and recent DoD-related contract for the relevant clauses.
  2. What CMMC level applies? Level 1 for FCI-only; Level 2 for CUI in most cases; Level 3 only if you're on a high-priority programme.
  3. Where does our CUI actually live? Email, file shares, engineering workstations, CAD/CAM, ERP, paper, backups, third-party platforms.
  4. Have we scored against NIST 800-171 and posted to SPRS? Required under DFARS 252.204-7019. Honest score, not aspirational.
  5. Do we have a written System Security Plan (SSP) and a Plan of Action & Milestones (POAM)? Required for Level 2 assessment.
  6. Do we have a 72-hour incident reporting process? Required under DFARS 252.204-7012 — not a CMMC addition, but a frequent gap.
  7. Who's named as our designated security lead? Required at every level. If the answer is "the IT guy on Tuesdays," you have a problem.

Realistic timeline and cost

From a near-zero baseline, expect 9–18 months to Level 2 readiness. Cost ranges depend on your IT estate, whether you need GCC High licensing, your CUI scope, and existing controls. As a rough budget:

  • Level 1 (FCI-only): 60–120 days, $20k–$50k one-time + $1.4k–$2.5k/month ongoing managed security.
  • Level 2 (small, single-site CUI): 9–12 months, $50k–$150k one-time + $3.5k–$5k/month ongoing.
  • Level 2 (complex, multi-site or OT/ICS): 12–18 months, $150k–$400k one-time + scoped monthly.

Add the C3PAO assessment itself: typically $25k–$100k per assessment cycle for a small-to-mid manufacturer, varying by C3PAO and scope. We unpack this in detail in CMMC Level 2 Cost — What a Small DoD Subcontractor Actually Pays.

What to do this quarter

  1. Scope your CUI environment honestly. Write it down.
  2. Score yourself against NIST 800-171 and post the number to SPRS.
  3. Identify whether GCC High is required or commercial M365 is enough.
  4. Designate a security lead. Put it in writing.
  5. Run a free CMMC readiness check to see where the biggest gaps are.
  6. Get a written assessment from a partner who knows the DoD supply chain — before you sign anything.

Honest disclaimer

Kapacyber is not a C3PAO and does not certify clients. We build, document, and operate the controls that make a small DoD subcontractor certifiable — and we hand a C3PAO a clean evidence package when the time comes. Certification itself is done by independent third parties.

Free CMMC readiness assessment

We score your shop against the 110 NIST 800-171 controls, classify your contracts, and hand you a one-page roadmap with realistic timeline and cost. No sales pressure.
