CMMC Requirements: 2026 Compliance Standards
CMMC requirements establish three cybersecurity levels for defense contractors: basic FCI protection, NIST 800-171 for CUI, and enhanced APT defense.
Defense contractors face mounting pressure to protect government information, and the consequences of falling short go beyond failed audits—they mean lost contracts and exclusion from the defense supply chain.
The Cybersecurity Maturity Model Certification (CMMC) establishes the security baseline for organizations handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the Defense Industrial Base.
This guide covers CMMC's three-tier framework, assessment requirements, implementation steps, and how automation transforms compliance from a periodic scramble into continuous readiness.
Understanding the Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's framework for protecting sensitive government information across the Defense Industrial Base (DIB). The framework uses three levels: Level 1 covers basic cyber hygiene for Federal Contract Information (FCI), Level 2 implements the full 110 controls from NIST SP 800-171 for Controlled Unclassified Information (CUI), and Level 3 adds enhanced protections for organizations facing Advanced Persistent Threats (APTs).
Here's what you're actually protecting: FCI includes any information the government provides or you generate under contract that isn't meant for public release—technical specs, pricing data, delivery schedules. CUI goes further: information requiring safeguarding per federal law or policy, like export-controlled technical data, operational security details, or personally identifiable information tied to defense work.
The big shift with CMMC is verification. Instead of simply certifying your own security posture, independent assessors validate that controls are actually working.
What CMMC 2.0 Changes for Defense Contractors
Version 2.0 streamlined what was originally a five-level framework down to three clear tiers. The change eliminates confusion around maturity processes and zeroes in on whether you've implemented controls effectively.
CMMC 1.0 vs 2.0 Key Differences
The original framework had five levels with prescriptive practices at each tier. Version 2.0 consolidates into three levels—Foundational, Advanced, and Expert—with straightforward assessment paths for each.
Assessment requirements changed significantly:
- Level 1: Annual self-assessments replace third-party audits for basic FCI protection
- Level 2: Risk-based approach using either self-assessments or Certified Third-Party Assessment Organization (C3PAO) certifications depending on program sensitivity
- Level 3: Government-led assessments conducted by organizations like the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
The new framework also clarifies Plan of Action and Milestones (POA&M) usage. You can only defer specific controls, remediation timelines are strict, and high-impact controls often can't be on a POA&M at contract award.
Federal Register Final Rule Highlights
The final rule codifies the three-level structure into federal acquisition regulations. It incorporates NIST SP 800-171's 110 security requirements for Level 2 and adds selected NIST SP 800-172 enhanced controls for Level 3.
Assessment frequency is now standardized: annual self-assessments where applicable, C3PAO certifications every three years for prioritized programs, and government assessments every three years for Level 3. You submit scores to the Supplier Performance Risk System (SPRS) so DoD acquisition officials can verify your compliance status.
The rule also addresses External Service Providers (ESPs)—managed service providers, cloud hosts, and other third parties supporting your environment. It defines flow-down requirements and clarifies how you can inherit controls from ESPs while maintaining responsibility for overall compliance.
CMMC Compliance Requirements by Certification Level
Each level builds on the previous one, matching increasing risk and data sensitivity. Which level applies to you depends on the information you handle and what your DoD contracts specify.
Level 1 Foundational Security Requirements
Organizations handling only FCI implement 15 basic cybersecurity practices from FAR clause 52.204-21. Level 1 requires annual self-assessment with senior official affirmation—a designated leader attests that you've implemented all required practices.
The practices cover fundamental cyber hygiene:
- Access control: Limit system access to authorized users, implement user identification, apply least privilege
- Authentication: Use secure password policies and multi-factor authentication where feasible
- Physical protection: Safeguard devices and facilities from unauthorized physical access
- Incident response: Detect, report, and respond to security incidents
- System maintenance: Apply security patches, maintain current malware protection, configure systems securely
- Data protection: Encrypt data in transit, implement backups, sanitize media before disposal
Even if your contracts only involve FCI, implementing controls protects your business from common cyber threats.
Level 2 Advanced Security Requirements
Organizations handling CUI implement all 110 security requirements from NIST Special Publication 800-171. This represents a significant step up—covering 14 control families from access control and incident response to risk assessment and system integrity.
Assessment pathways vary by program priority. Lower-risk programs may allow annual self-assessment with senior official affirmation. Prioritized acquisitions and higher-risk programs require C3PAO certification every three years. Even with C3PAO assessment, you typically complete annual self-assessments in interim years.
The 110 controls create a comprehensive security program. You'll implement policies and procedures, deploy technical safeguards, train personnel, monitor systems continuously, and maintain detailed documentation.
Level 3 Expert Security Requirements
Level 3 applies to organizations facing Advanced Persistent Threats—sophisticated adversaries with capability and intent to persistently target your systems. This level adds selected enhanced controls from NIST SP 800-172 on top of the full NIST SP 800-171 baseline.
Government assessors conduct evaluations every three years. The enhanced controls emphasize threat-informed defense, advanced monitoring and analytics, network segmentation, and resilience against sophisticated attack techniques.
Mapping CMMC Requirements to NIST SP 800-171 Controls
NIST SP 800-171 forms the foundation of CMMC Level 2, organizing 110 security requirements across 14 control families. Each family addresses a specific aspect of information security.
The families answer fundamental questions: Who can access CUI? How are systems secured and monitored? How do you handle incidents? How do you validate that controls work?
Control families include Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
Who Needs CMMC Certification and When Do They Need It
CMMC applies to DoD contractors and subcontractors that process, store, or transmit FCI or CUI under DoD contracts. If you're part of the defense supply chain and handle government information, you'll encounter CMMC requirements.
The specific level depends on what information flows through your systems. Contracts involving only FCI typically require Level 1, while CUI handling triggers Level 2 or potentially Level 3 for high-value programs.
Required Self-Assessments vs Third-Party Certification
The assessment pathway depends on your CMMC level and the DoD's determination of program sensitivity:
- Level 1: Always self-assessment with senior official affirmation annually
- Level 2: Self-assessment for non-prioritized programs, C3PAO certification every three years for prioritized acquisitions and higher-risk environments
- Level 3: Government-led assessment every three years
Deadlines Based on Contract Award Phases
CMMC requirements phase in through solicitations that include the CMMC contract clause. Each solicitation specifies the required level, assessment type, and timing for compliance demonstration.
You typically need a current CMMC score or certification before contract award or at specified milestones. "Current" generally means not older than three years for C3PAO certifications, with annual affirmations required in interim years.
Start your compliance journey well ahead of anticipated contract opportunities. Achieving certification often takes six to twelve months from gap analysis through assessment.
CMMC Assessment, Scoring, and POA&M Rules
Assessments verify that you've implemented required controls effectively. Assessors review documented evidence, interview personnel, and conduct technical tests to validate control implementation. Results flow to SPRS, where DoD acquisition officials verify your compliance status.
How the 110-Point Scoring Method Works
NIST SP 800-171 uses a 110-point scoring system: you start at 110 and lose points for each unmet requirement. Every one of the 110 controls deducts at least one point when it is not implemented, and controls with greater security significance carry larger deductions.
Assessors evaluate whether controls are implemented, documented, and effective. The DoD may establish minimum score thresholds for specific solicitations, but the target is always 110 out of 110 with minimal or no POA&Ms.
Plan of Action and Milestones Limits
POA&Ms allow time-limited deferral of certain control implementations, but CMMC 2.0 restricts usage significantly. Only specific controls can be on a POA&M, and high-impact controls often cannot be deferred at contract award.
Each POA&M item requires clear remediation steps, responsible owners, required resources, and completion dates within DoD-specified windows—typically 180 days or less depending on control criticality. Organizations with multiple POA&Ms or long-standing unresolved items face scoring penalties and may be deemed non-compliant for contract awards.
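The scoring rule described above and the POA&M limits in this section, worked through as an added example (not the page's or Drata's code). It assumes the DoD Assessment Methodology weights of 1, 3 or 5 points per requirement with partial credit for 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto), an 88-of-110 threshold for conditional status, a 1-point-only POA&M rule (plus 3.13.11 at partial), and a 180-day closeout; the sample weights and statuses are constructed, and any requirement not listed is treated as implemented.

```python
# Added example: compute a NIST SP 800-171 assessment score and check whether
# the remaining gaps could sit on a POA&M. Weights, partial-credit rules, the
# 88-point threshold and the 180-day closeout are assumptions taken from the
# DoD Assessment Methodology and the CMMC final rule as the author reads them;
# verify them against the current text before relying on the result.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

MAX_SCORE = 110
CONDITIONAL_MIN = 88                          # 80 % of 110
POAM_CLOSEOUT_DAYS = 180
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}   # deduction when partially implemented
POAM_EXCEPTIONS = {"3.13.11"}                 # partial FIPS crypto may be deferred


@dataclass
class ScoreResult:
    score: int
    conditional_ok: bool                       # threshold met and every gap deferrable
    blocking: list = field(default_factory=list)   # gaps that cannot be on a POA&M
    poam: list = field(default_factory=list)       # gaps that may be on a POA&M
    closeout_by: Optional[date] = None


def score_assessment(requirements, assessed_on):
    """requirements: {req_id: (weight, status)}; status is one of
    'implemented', 'partial' or 'not_implemented'."""
    score, blocking, poam = MAX_SCORE, [], []
    for req_id, (weight, status) in requirements.items():
        if weight not in (1, 3, 5):
            raise ValueError(f"{req_id}: weight must be 1, 3 or 5")
        if status == "implemented":
            continue
        # Partial credit exists only for MFA and FIPS crypto; any other
        # partial implementation scores as not implemented.
        if status == "partial" and req_id in PARTIAL_CREDIT:
            deduction = PARTIAL_CREDIT[req_id]
        elif status in ("partial", "not_implemented"):
            deduction = weight
        else:
            raise ValueError(f"{req_id}: unknown status {status!r}")
        score -= deduction
        deferrable = weight == 1 or (req_id in POAM_EXCEPTIONS and status == "partial")
        (poam if deferrable else blocking).append(req_id)
    ok = score >= CONDITIONAL_MIN and not blocking
    deadline = assessed_on + timedelta(days=POAM_CLOSEOUT_DAYS) if ok and poam else None
    return ScoreResult(score, ok, blocking, poam, deadline)


# Constructed sample: real requirement IDs, assumed weights and statuses.
SAMPLE_DATE = date(2026, 1, 15)
SAMPLE = {
    "3.1.1": (5, "implemented"),       # limit system access
    "3.1.3": (1, "not_implemented"),   # control CUI flow
    "3.1.22": (1, "not_implemented"),  # review publicly posted content
    "3.5.3": (5, "partial"),           # MFA rolled out to admins only
    "3.13.11": (5, "partial"),         # encryption present, not FIPS-validated
}
```

Note that the sample scores 102, comfortably above 88, yet the partial MFA rollout alone blocks conditional status; the score and the deferrability check are separate gates.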
Timeline and Key Rulemaking Milestones
CMMC implementation follows a phased approach as the DoD incorporates requirements into solicitations. The final rule establishes the regulatory framework, and subsequent DoD guidance clarifies assessment pathways, POA&M restrictions, and implementation timelines.
Track effective dates for CMMC clauses in DFARS (Defense Federal Acquisition Regulation Supplement), monitor DoD announcements about assessment priorities, and watch for solicitations in your market segments that include CMMC requirements.
Assessment frequency creates ongoing milestones: annual self-assessments, triennial C3PAO certifications where required, and continuous monitoring between formal assessments.
Flow-Down Obligations for Subcontractors and Cloud Providers
Prime contractors carry responsibility for ensuring subcontractors handling FCI or CUI meet applicable CMMC requirements. Flow-down clauses in subcontracts extend compliance obligations throughout the supply chain.
External Service Providers—managed service providers, cloud hosting companies, and other vendors supporting your CUI environment—present a unique scenario. If ESPs process, store, or transmit CUI on your behalf, they implement relevant security controls and provide documentation you can reference during assessments.
Inheritance models allow you to leverage ESP controls rather than duplicating them. For example, if your cloud provider implements physical security controls for data centers, you inherit controls through the service relationship. However, you'll need clear scoping, shared responsibility matrices, and evidence demonstrating the ESP's control implementation.
Cost Considerations and Small-Business Relief
CMMC compliance involves costs: readiness assessments, gap remediation, tooling and technology, ongoing governance, and formal assessments. For small businesses, expenses can feel overwhelming.
However, resources exist to ease the burden. The DoD offers assistance programs through organizations like Procurement Technical Assistance Centers (PTACs) and the Manufacturing Extension Partnership (MEP). Programs provide guidance, training, and sometimes financial assistance for cybersecurity improvements.
Leveraging ESPs can reduce costs significantly. Rather than building every capability in-house, small businesses can use FedRAMP-authorized cloud services, managed security providers, and other compliant vendors to inherit controls and reduce implementation complexity.
Phased remediation helps spread costs over time. Prioritize high-impact controls first, address critical gaps before assessment, and plan longer-term improvements for continuous enhancement.
Five Steps to Achieve and Maintain CMMC Compliance
A structured approach transforms CMMC from an overwhelming mandate into a manageable program.
1. Conduct a Readiness Gap Analysis
Start by understanding where you stand today. Assess your current environment against required controls, define the boundaries of your CUI environment (what systems, networks, and facilities are in scope), and prioritize gaps based on risk and remediation complexity.
2. Remediate High-Priority Gaps
Address critical controls first. Multi-factor authentication, configuration baselines, logging and monitoring, vulnerability management, and incident response capabilities often represent high-impact controls that assessors scrutinize closely.
Implementation includes both technical safeguards and operational processes. Deploy the technology, document your policies and procedures, train personnel on new requirements, and test that controls work as intended.
3. Automate Continuous Control Monitoring
Manual compliance creates ongoing burden and increases error risk. Deploy tools for asset inventory, vulnerability scanning, security information and event management (SIEM), configuration compliance checking, and automated evidence collection.
Automation provides continuous visibility into your security posture. Rather than scrambling before assessments to gather evidence, you maintain real-time compliance data that simplifies audits and accelerates issue detection.
4. Complete the Self-Assessment or Engage a C3PAO
Assemble your evidence artifacts, map them to required controls, validate implementation through testing, and submit scores to SPRS. For self-assessments, a senior official reviews your work and affirms compliance.
For C3PAO assessments, schedule the evaluation well in advance, perform pre-assessment readiness checks, and address any findings promptly. Assessors will review documentation, interview staff, and test technical controls.
5. Maintain Ongoing Compliance and Annual Affirmation
CMMC isn't a one-time achievement. Track changes to your environment, reassess after major system updates or business changes, refresh training regularly, test incident response procedures, and review POA&M progress monthly.
Complete required annual attestations and prepare for triennial certifications as applicable. This ongoing rhythm keeps you audit-ready and ensures your security posture remains effective as threats evolve.
How Automation Accelerates Continuous CMMC Cybersecurity
Manual compliance creates friction: spreadsheets tracking controls, emails requesting evidence, periodic snapshots that grow stale immediately after assessment. This approach is error-prone, resource-intensive, and provides limited visibility between formal audits.
Automated control monitoring changes the equation. By connecting to your technology stack—cloud infrastructure, identity providers, security tools, and business applications—compliance platforms continuously validate control implementation and collect evidence automatically.
Automation delivers multiple benefits. Time-to-certification shrinks as evidence collection happens in real-time rather than through manual gathering. Audit preparation becomes simpler when you maintain organized, timestamped evidence throughout the year. Risk visibility improves as you detect control failures immediately rather than months later during assessment.
Perhaps most importantly, automation transforms point-in-time compliance into continuous assurance. Your security posture becomes a living, monitored reality rather than a periodic certification exercise.
Drata's platform brings continuous monitoring to CMMC compliance. With automated evidence collection, control monitoring across your technology ecosystem, and streamlined assessment preparation, you can maintain CMMC compliance without overwhelming your team. Book a demo to see continuous CMMC compliance in action.
Frequently Asked Questions About CMMC Requirements
Can a FedRAMP Moderate authorization satisfy CMMC Level 2 controls?
FedRAMP Moderate implements security controls equivalent to NIST SP 800-171, making it highly relevant for CMMC Level 2. However, FedRAMP authorization alone doesn't satisfy CMMC requirements—you still need proper CMMC assessment and certification through approved processes.
If you use FedRAMP-authorized cloud services, you can inherit many controls from your cloud provider. You'll document this inheritance through shared responsibility matrices, system security plans, and evidence showing how the provider's controls protect your CUI environment.
Do overseas subsidiaries of US defense contractors need separate CMMC certification?
Foreign subsidiaries handling CUI or FCI fall under CMMC requirements. The framework applies wherever DoD information flows, regardless of geographic location.
International operations introduce additional complexity around data residency laws, cross-border data transfers, and local regulations. However, the core compliance and evidence expectations remain consistent—you'll implement required controls and demonstrate effectiveness through assessment.
How can managed service providers demonstrate inherited controls for CMMC assessments?
External Service Providers demonstrate controls through several mechanisms. First, they implement security controls within their own environments—physical security, network protection, access management, or incident response capabilities.
Next, they document controls in customer-facing artifacts: system security plans describing the control environment, shared responsibility matrices clarifying which controls the provider implements versus customer responsibilities, and attestations or certifications like FedRAMP, SOC 2, or ISO 27001 that validate control effectiveness through independent assessment.
Customers reference artifacts during their own CMMC assessments. Assessors verify that the ESP has implemented controls appropriately and that the customer understands remaining responsibilities in the shared model.