CMMC 2.0 Is Here: What Contractors Need to Do Right Now

The Cybersecurity Maturity Model Certification has moved from policy debate to contractual reality. The CMMC 2.0 final rule under 32 CFR Part 170 took effect, and the acquisition implementation rule under 48 CFR (DFARS) is rolling CMMC requirements into Department of Defense contracts on a defined schedule. For any organization in the defense industrial base, the question is no longer whether CMMC applies. It is how quickly your organization can prove it meets the standard.

Contractors who treat this as another future compliance project will be excluded from awards. Contractors who act now can turn CMMC readiness into a competitive advantage.

Here is what changed, what is required, and what to do this quarter.

1. What CMMC 2.0 Actually Requires

CMMC 2.0 streamlined the original five-level model into three levels, tied directly to the sensitivity of the information a contractor handles.

  • Level 1 (Foundational): 15 basic safeguarding requirements from FAR 52.204-21. Applies to contractors handling Federal Contract Information (FCI). Annual self-assessment.
  • Level 2 (Advanced): All 110 controls from NIST SP 800-171 Rev 2. Applies to contractors handling Controlled Unclassified Information (CUI). The vast majority will require a third-party assessment by a C3PAO every three years, with annual affirmation.
  • Level 3 (Expert): Level 2 controls plus a subset of NIST SP 800-172. Applies to contractors supporting the highest-priority DoD programs. Government-led assessment.

Two changes are particularly important.

First, the options for self-attestation at Level 2 have narrowed significantly. Most CUI-handling contractors will need a third-party assessment rather than a checkbox affirmation.

Second, affirmation by a senior official is now required annually. A named executive personally affirms compliance. False affirmations carry False Claims Act exposure. This is not paperwork. It is personal accountability.

2. The Rollout Is Phased, but the Clock Has Started

CMMC requirements are being phased into new DoD solicitations, with full implementation across all applicable contracts within three years of the acquisition rule taking effect. Phase 1 is already introducing Level 1 and Level 2 self-assessment requirements into select solicitations. Phase 2 expands Level 2 third-party assessments. By Phase 3, requirements appear in option periods of existing contracts.

For most contractors, the practical timeline is shorter than the official one. C3PAO assessor capacity is constrained. Assessment readiness work typically takes 9 to 18 months for organizations starting from a partial NIST SP 800-171 baseline. Waiting for a contract clause to appear before starting is a strategy for losing the contract.

3. Five Actions Contractors Should Take Right Now

These actions pay off whether your assessment is 6 months out or 18.

1. Confirm your CUI scope

Identify exactly where CUI is created, received, stored, processed, or transmitted in your environment. Most organizations underestimate this. CUI often lives in shared drives, email attachments, engineering workstations, and SaaS tools that no one inventoried. A clear scope boundary is the single most important input to a successful assessment, and the single most common source of failure.

2. Conduct an honest NIST SP 800-171 gap assessment

Map your current controls against all 110 requirements. Follow the official CMMC Assessment Guide for the level that applies to you, so that you evaluate against all 320 assessment objectives and score the results with the DoD Assessment Methodology. If your Supplier Performance Risk System (SPRS) score is not where it needs to be, you need to know now, not during an audit. There is commonly a significant gap between the score organizations self-report and what an experienced third-party assessment team identifies. Be candid in the assessment. Optimistic scoring fools no one and creates legal exposure when the affirmation is signed. This is also where DFARS 252.204-7012 compliance gets validated, since CMMC builds directly on its safeguarding requirements.

3. Decide on your environment strategy

For many contractors, applying CMMC controls to the entire enterprise is neither necessary nor affordable. A purpose-built secure cloud enclave isolates CUI workflows into a smaller, fully controlled environment: smaller scope, lower cost, and a faster path to assessment. This is one of the highest-impact architectural decisions a contractor can make.

4. Build the documentation auditors will ask for

A System Security Plan (SSP), a Plan of Action and Milestones (POA&M), and supporting policies and procedures are not optional. Assessors evaluate evidence, not intent. If a control exists in practice but is not documented, it does not count.

5. Address the controls that fail most often

Patterns from joint surveillance and pre-assessment work show the same controls failing repeatedly: gaps in multifactor authentication coverage, incomplete audit logging, weak configuration management, insufficient incident response testing, and untested backups. Fix these early. They are the difference between a clean assessment and a remediation cycle.

4. Common Readiness Gaps We See in the Field

Patterns repeat across organizations preparing for CMMC. The most consistent gaps:

  • Improperly scoped environments that do not include all relevant systems or divisions
  • CUI marking and handling policies that exist in HR’s drive, not in engineering practice
  • Shared mailboxes and personal cloud accounts touching CUI
  • Mobile device management not extended to BYOD endpoints that access CUI
  • Logs collected but never reviewed, with retention below the required threshold
  • Vulnerability management performed on a schedule, not against a defined risk threshold
  • Third-party suppliers handling CUI without flow-down clauses or oversight
  • Incident response plans that have never been exercised

Each of these is fixable. None of them is fixable in the 30 days before an assessment.

5. The Cost of Waiting

Contractors who delay face three compounding costs. First, lost contract eligibility as clauses appear in solicitations. Organizations are already being excluded from the contract bidding process due to a lack of certification. Second, rising C3PAO costs as demand outpaces assessor supply. Third, rushed remediation, which is always more expensive and lower quality than planned remediation.

The contractors moving fastest right now are not the largest. They are the ones who started early, scoped CUI narrowly, and treated CMMC as an architectural exercise rather than a paperwork drill.

Getting to a Defensible CMMC Posture

CMMC 2.0 is not a one-time project. It is a long-term operating standard for any organization that wants to do business with the Department of Defense. Achieving certification is the milestone. Maintaining it, through annual affirmations and continuous control operations, is the discipline.

Tego helps defense contractors take a structured path to CMMC readiness. Our Advisory Services team conducts scope and gap assessments aligned to NIST SP 800-171 and the DoD methodology. Our engineering teams design and deploy CMMC-ready secure cloud enclaves that shrink assessment scope and reduce cost. Our Enterprise Managed Services keep the controls running after certification, so the next annual affirmation is straightforward, not stressful.

If your organization is in the defense supply chain and has not yet validated its CMMC posture, now is the time to start. Engage Tego for a CMMC readiness assessment and a realistic, contract-aligned roadmap to certification.