What CMMC 2.0 Actually Means for Small Contractors

If you're a small business doing work for the Department of Defense — or a subcontractor to someone who does — CMMC 2.0 is no longer a "watch this space" item. The final rule is in effect. Contracts are starting to include CMMC requirements. And the window to get ahead of it is closing.

This isn't written for enterprise security teams. It's written for the owner of a 20-person engineering firm who just learned their next prime contract will require CMMC Level 2 certification, or the IT manager at a subcontractor who's been handed the problem and asked to figure it out.

First: What CMMC actually is

The Cybersecurity Maturity Model Certification (CMMC) program is the DoD's framework for ensuring contractors and subcontractors protect sensitive federal information — specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CMMC 2.0 simplified the original five-level model down to three. Level 1 (Foundational) covers 17 basic practices, requires self-assessment, and applies if you handle FCI. Level 2 (Advanced) aligns to NIST SP 800-171's 110 practices, requires third-party assessment for most contracts, and applies if you handle CUI. Level 3 (Expert) is reserved for the highest-priority DoD programs with government-led assessments. Most small contractors doing meaningful defense work land at Level 2 — that's the one to focus on.

What "110 practices" actually means in practice

NIST SP 800-171 covers 14 domains — things like access control, incident response, system integrity, and configuration management. The 110 practices within those domains are not all equally difficult. Some you're probably already doing. Others will require real investment.

The most common gaps: multi-factor authentication is inconsistent, CUI isn’t properly identified and tracked, incident response plans exist on paper but haven’t been tested, and audit logging is either absent or not reviewed.

The good news is that a lot of Level 2 compliance is process and documentation, not expensive technology. The bad news is that process and documentation done properly takes time and intentional effort.

The self-assessment trap

CMMC Level 2 contracts are split into two categories: those that allow self-assessment with annual affirmation, and those that require a Certified Third-Party Assessment Organization (C3PAO). The DoD determines which category applies based on program sensitivity. Many small contractors hope they'll land in the self-assessment bucket. Some will. But even self-assessments require accurate scoring against the SPRS (Supplier Performance Risk System) — and submitting an inflated score is a False Claims Act issue, not just a compliance gap. Get an honest assessment of where you actually stand before you submit anything.

Three things to do right now

Know what CUI you handle. You can't protect what you haven't identified. CUI categories cover design specifications, contract details, export-controlled data, and more. The National Archives CUI Registry is your reference. Map what you receive, create, and transmit.

Do a gap assessment against NIST 800-171. Before you can plan remediation, you need to know where the gaps are. A structured gap assessment — scored against each of the 110 practices — gives you your SPRS baseline and your remediation roadmap. Fix the highest-risk gaps first, not in whatever order they happen to come up.
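To make the scoring step concrete, here is an added example (not code from the original post and not an official DoD tool) of how a gap assessment rolls up into an SPRS score and a prioritized remediation list. The mechanism, starting at 110 and subtracting a 1, 3 or 5 point weight for each practice that is not fully implemented, follows the DoD NIST SP 800-171 Assessment Methodology; the sample inventory below is constructed to mirror the common gaps named earlier (inconsistent MFA, untested incident response, missing audit logs), and its practice weights and partial-credit rule are the author's assumptions to be checked against the published methodology before any real submission. Practices not listed in the sample are assumed implemented.

```python
"""Gap-assessment scoring against NIST SP 800-171 (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional

MAX_SCORE = 110          # a fully implemented system scores 110
VALID_WEIGHTS = {1, 3, 5}  # deduction weights used by the DoD methodology


@dataclass
class Practice:
    id: str              # NIST SP 800-171 practice identifier, e.g. "3.5.3"
    title: str
    weight: int          # points deducted when the practice is not implemented
    status: str          # "implemented", "partial" or "not_implemented"
    # Reduced deduction where the methodology allows partial credit
    # (assumed here for 3.5.3 MFA: 3 points instead of 5).
    partial_deduction: Optional[int] = None

    def __post_init__(self) -> None:
        if self.weight not in VALID_WEIGHTS:
            raise ValueError(f"{self.id}: weight must be 1, 3 or 5")
        if self.status not in ("implemented", "partial", "not_implemented"):
            raise ValueError(f"{self.id}: unknown status {self.status!r}")

    def deduction(self) -> int:
        """Points lost for this practice under its current status."""
        if self.status == "implemented":
            return 0
        # Partial credit only exists for practices the methodology names;
        # a "partial" status anywhere else still costs the full weight.
        if self.status == "partial" and self.partial_deduction is not None:
            return self.partial_deduction
        return self.weight


def sprs_score(practices: List[Practice]) -> int:
    """110 minus every deduction. The score can go negative on a poor
    assessment, which is why an honest inventory matters before submitting."""
    return MAX_SCORE - sum(p.deduction() for p in practices)


def remediation_order(practices: List[Practice]) -> List[str]:
    """Open gaps ordered by points recovered (heaviest first, then by id),
    so the highest-risk gaps are fixed before the cheap ones."""
    open_gaps = [p for p in practices if p.deduction() > 0]
    open_gaps.sort(key=lambda p: (-p.deduction(), p.id))
    return [p.id for p in open_gaps]


# Constructed sample inventory reflecting the gaps the post calls out.
SAMPLE_INVENTORY = [
    Practice("3.1.1", "Limit system access to authorized users", 5, "implemented"),
    Practice("3.5.3", "Multifactor authentication", 5, "partial", partial_deduction=3),
    Practice("3.3.1", "Create and retain system audit logs", 5, "not_implemented"),
    Practice("3.6.1", "Establish incident-handling capability", 5, "implemented"),
    Practice("3.6.3", "Test incident response capability", 1, "not_implemented"),
]

if __name__ == "__main__":
    print("SPRS baseline:", sprs_score(SAMPLE_INVENTORY))
    print("Fix in this order:", remediation_order(SAMPLE_INVENTORY))
```

Running the sample yields a baseline of 101 and the order 3.3.1, 3.5.3, 3.6.3: the missing audit logging costs the most and goes first, the half-done MFA rollout next, and the untested incident response plan last, even though it may be the quickest fix. Replace the sample list with your own 110-row inventory to get a real baseline.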

Build a System Security Plan. The SSP is the foundational document for CMMC. It describes your environment, the CUI you handle, and how each practice is implemented or planned. Every contractor needs one. Start building it now even if it's incomplete — it's a living document.

A note on scope: One of the highest-leverage moves for small contractors is shrinking the CMMC scope boundary — the set of systems, people, and processes that actually touch CUI. The smaller your scope, the less you need to certify. Cloud-based CUI handling (using compliant platforms like Microsoft GCC High) can dramatically reduce the on-premises burden. Get this right before you invest in remediation.

The bottom line

CMMC is not going away and it's not getting simpler. The organizations that treat it as a genuine security improvement program — not just a certification checkbox — will spend less, get there faster, and end up with something genuinely useful when they're done.

A realistic timeline for Level 2 readiness, from gap assessment to C3PAO assessment, is six to twelve months for most small organizations with focused effort. Start now.

Want a clearer picture of where you stand? Book a free 20-minute call — enough time to assess your CMMC situation and identify the highest-priority gaps.