If your company sells to the Department of Defense, or to a prime that does, CMMC is no longer a future problem. The Cybersecurity Maturity Model Certification program finished its rulemaking, and the certification requirement is now phasing into contracts. The contractors who treated it as a paperwork exercise are the ones scrambling. The ones who treated it as an engineering project are winning awards.
Here is the practical version of what you need to know.
The three levels, in plain terms
CMMC 2.0 has three levels, and which one applies to you depends on the type of information you handle.
- Level 1 (Foundational) covers Federal Contract Information (FCI). It maps to the 15 basic safeguarding requirements already in FAR 52.204-21. You self-assess annually and have a senior official affirm it.
- Level 2 (Advanced) covers Controlled Unclassified Information (CUI). It maps directly to the 110 controls in NIST SP 800-171. Most companies handling CUI will need a third-party assessment by a certified C3PAO every three years. A subset of programs allows self-assessment, but plan for the assessment unless your contract says otherwise.
- Level 3 (Expert) covers the highest-priority programs and adds a subset of NIST SP 800-172 controls on top of 800-171. Assessment is performed by the government (DIBCAC).
Most of the defense industrial base lands at Level 2. That is the level we will focus on.
What Level 2 actually demands
The number people remember is “110 controls.” The number that matters is your SPRS score. Under DFARS 252.204-7019/7020 you score your own NIST 800-171 implementation using the DoD Assessment Methodology, starting at 110 and subtracting weighted points for each control you have not fully met, and you post that score in the Supplier Performance Risk System. Primes can see it. A low or stale score is a visible signal that you are not ready.
Two documents sit underneath that score, and assessors will ask for both:
- The System Security Plan (SSP). This describes how each of the 110 controls is implemented in your environment. No SSP, no assessment. It is the single most common thing companies are missing.
- The Plan of Action and Milestones (POA&M). This tracks the controls you have not finished and when you will. CMMC allows a limited POA&M at assessment time, but only for certain lower-weighted controls, and it must be closed within 180 days.
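To make the scoring arithmetic and the POA&M split concrete, here is an added example (not part of this post, and not a tool we ship) that computes an SPRS score from per-control results and sorts the open items into POA&M candidates and pre-assessment blockers. The control weights are a constructed sample of six controls, the partial-credit rule for MFA (3.5.3) and FIPS encryption (3.13.11) follows the DoD Assessment Methodology, and POA&M eligibility is simplified here to 1-point controls only.

```python
from datetime import date, timedelta

# Constructed sample weights for a handful of NIST SP 800-171 controls. Every
# control in the DoD Assessment Methodology is worth 1, 3 or 5 points; these
# values are illustrative, and a real score needs all 110 from the methodology.
SAMPLE_WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.3.1": 5,    # create and retain audit logs
    "3.3.3": 1,    # review and update logged events
    "3.5.3": 5,    # multifactor authentication
    "3.8.9": 1,    # protect backup CUI at storage locations
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
}
MAX_SCORE = 110
POAM_DEADLINE_DAYS = 180
# Partial credit exists only for MFA (remote and privileged users covered, but
# not everyone) and FIPS (encryption in use but not validated): 3 points off
# instead of 5. A "partial" on any other control counts as not met.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

def deduction(control, status, weights=SAMPLE_WEIGHTS):
    """Points lost for one control; status is 'met', 'partial' or 'not_met'."""
    if status == "met":
        return 0
    if status == "partial" and control in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[control]
    return weights[control]

def sprs_score(results, weights=SAMPLE_WEIGHTS):
    """Start at 110 and subtract every deduction; the result can go negative."""
    return MAX_SCORE - sum(deduction(c, s, weights) for c, s in results.items())

def poam_plan(results, assessed_on, weights=SAMPLE_WEIGHTS):
    """Split open items into POA&M-eligible ones (assumed here: 1-point
    controls only, a simplification of the real rule) with a 180-day due
    date, and blockers that must be fixed before the assessment."""
    due = date.fromisoformat(assessed_on) + timedelta(days=POAM_DEADLINE_DAYS)
    poam, blockers = {}, []
    for control, status in results.items():
        if status == "met":
            continue
        if weights[control] == 1:
            poam[control] = due.isoformat()
        else:
            blockers.append(control)
    return poam, blockers

# Constructed assessment: logs never reviewed, MFA partial, backups open, non-FIPS crypto.
SAMPLE_RESULTS = {"3.1.1": "met", "3.3.1": "met", "3.3.3": "not_met",
                  "3.5.3": "partial", "3.8.9": "not_met", "3.13.11": "partial"}
```

Running `sprs_score(SAMPLE_RESULTS)` on the constructed results gives 102, and `poam_plan(SAMPLE_RESULTS, "2025-01-15")` puts the two 1-point controls on a POA&M due 2025-07-14 while flagging MFA and FIPS as items to finish before the assessor arrives.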
The work that takes the longest
If you are starting now, budget your time around the items that cannot be rushed:
- Scoping your CUI. You cannot protect what you have not mapped. Knowing exactly where CUI lives, who touches it, and which systems are in scope is the foundation, and it is where most assessments find gaps.
- Multifactor authentication everywhere in scope. Not just email. Every system that touches CUI.
- Logging and monitoring. Several 800-171 controls require that you collect, retain, and actually review security logs. Standing up a SOC or managed detection capability and showing 90 days of evidence takes time you cannot compress the week before an assessment.
- Encryption that meets FIPS 140 validation. “We use encryption” is not the same as “we use FIPS-validated encryption,” and assessors know the difference.
- A GCC High or equivalent enclave if you use Microsoft 365 for CUI. Migrations are not same-day projects.
The honest timeline
A company starting from a typical commercial IT posture should expect six to twelve months to reach a defensible Level 2 position, longer if CUI is scattered across unmanaged systems. The assessment itself is the last step, not the first. Companies that wait until a contract names a CMMC requirement, then start the SSP, are already behind their competitors.
Where to start this week
You do not need a consultant to take the first three steps. Pull your contracts and confirm which DFARS clauses already apply. Run a NIST 800-171 self-assessment and post an honest SPRS score, even if it is negative. Then map where your CUI actually lives. Those three actions turn CMMC from an abstract threat into a finite list of work.
That finite list is exactly what we build with defense contractors every week: scope the CUI, write the SSP, close the highest-weighted gaps first, and stand up the monitoring evidence assessors want to see. If you would rather walk into an assessment knowing the result in advance, start with a free assessment and we will show you where you stand against the 110.