VectorBrief

DoD CMMC 2.0 readiness for federal contractors

CMMC 2.0 is the gating cybersecurity certification for DoD primes and subs. Here's how to assess where you stand.

CMMC 2.0 — Cybersecurity Maturity Model Certification, version 2 — is the cybersecurity certification DoD now requires for any contractor handling controlled unclassified information (CUI) on DoD systems. The phased rollout is in effect: as of October 2025, every DoD solicitation that requires CUI handling references a CMMC level (1, 2, or 3) in the SOW.

If you bid on DoD work and you don’t have a current CMMC posture, you’re effectively exiting the market. Here’s how to assess where you stand.

The three levels

  • Level 1 (Foundational): 17 practices. Self-assessment with annual attestation. Required for any contract handling FCI (Federal Contract Information), which in practice means almost any DoD contract that involves non-public information.
  • Level 2 (Advanced): 110 practices. Third-party assessment for most CUI handling; self-assessment with annual attestation is permitted in some cases. Required for the majority of DoD task orders involving CUI.
  • Level 3 (Expert): the 110 Level 2 practices plus ~24 additional practices. Government-led assessment. Required only for the highest-sensitivity programs.

The 110-practice list (Level 2) maps closely to NIST SP 800-171, which most DoD-facing firms have already implemented as part of FAR 52.204-21. CMMC adds the third-party-assessor requirement that 800-171 historically lacked.

Your readiness assessment

A practical four-step process:

  1. Identify which level applies to you. Pull your most recent DoD contract and read the SOW. The CMMC requirement is now spelled out explicitly in the contract clauses (DFARS 252.204-7012 plus the CMMC level reference). If you have multiple contracts, the highest required level determines your overall posture.
  2. Self-assess against the practice catalog. SPRS (Supplier Performance Risk System) hosts the practice list at sprs.csd.disa.mil. The self-assessment yields a 0-110 numeric score; DoD considers ≥88 the threshold for “compliant” at Level 2.
  3. Identify the gaps. The most common Level 2 gaps for mid-size firms: SC.L2-3.13.11 (cryptographic standards), AC.L2-3.1.20 (limit external connections), and CA.L2-3.12.4 (security assessment plan with milestones).
  4. Hire a C3PAO if you need Level 2 certification. The certified third-party assessment organization (C3PAO) does the formal assessment. There are ~120 C3PAOs registered with the CyberAB. Costs run $20K-$80K depending on firm size.

What gets contractors caught off guard

Three issues:

  1. Subcontractor flowdown. If you’re a sub on a CMMC-required prime contract, your prime will require you to attest to the same level. Many subs don’t realize this until the prime’s compliance team asks for documentation 30 days before award.
  2. Self-assessment vs. third-party assessment. Level 1 is self-attest. Level 2 — the level most DoD task orders require — requires a C3PAO assessment for the majority of CUI-handling contracts. Self-attestation is allowed only in narrow cases.
  3. Scope of assessment. CMMC scopes the assessment to the systems that handle CUI. If you’ve architecturally separated CUI-handling workloads into a CUI enclave, the assessment is faster and cheaper. If you haven’t, every employee laptop is in scope.

VectorBrief’s DoD opportunity feed surfaces the CMMC level required on every solicitation where it’s stated. Details at /pricing.

Written by Daniel. Updated April 25, 2026.