What is CMMC 2.0? A Plain English Guide for DoD Contractors

What CMMC Stands For and the Problem It Solves

CMMC stands for Cybersecurity Maturity Model Certification. The DoD created it to fix a long-running problem. The defense supply chain holds a large amount of sensitive government information, and that information sits on the systems of tens of thousands of private companies. For years, those companies were expected to protect it, but there was no consistent way to confirm they actually did.


CMMC closes that gap. Instead of taking a contractor's word for it, the DoD now ties contract eligibility to proof. Before a contract is awarded, you have to show that your cybersecurity meets the level the contract requires. No proof, no award.


The information CMMC protects falls into two buckets. Federal Contract Information (FCI) is information provided by or generated for the government under a contract that is not meant for public release. Controlled Unclassified Information (CUI) is more sensitive. It includes things like technical drawings, specifications, and other data the government has specifically marked for protection. The type of information you handle drives which CMMC level applies to you. Our post on FCI vs CUI breaks down the difference.

How CMMC 2.0 Differs From the Original

The first version of CMMC, introduced in 2020, had five levels and added process and documentation requirements on top of existing federal cybersecurity standards. Contractors and trade groups pushed back. The model was complex, the cost concerns were real, and small businesses worried they would be priced out of defense work.


The DoD listened and rebuilt the program. The result, CMMC 2.0, is the version in effect today.

The Biggest Changes

Five levels became three.

Small businesses got a path to compliance through self-assessment at the lowest level, rather than a mandatory third-party audit for everyone.

The extra process requirements that did not map to an existing standard were removed.

You will still see "CMMC 2.0" in a lot of guidance, but since it is now the only version in use, most people just say "CMMC."

The Three CMMC Levels at a Glance

CMMC has three levels. The level you need depends on the sensitivity of the information you handle.

Level 1 (Foundational)

Covers companies that handle FCI but not CUI. It is built on 15 basic security requirements, the same ones already required by a standard federal contract clause. These cover basics like using strong passwords, limiting who can access your systems, and keeping antivirus current. Level 1 is the entry point for most small subcontractors and suppliers.

Level 2 (Advanced)

Covers companies that handle CUI. It is built on 110 security controls drawn from National Institute of Standards and Technology (NIST) Special Publication 800-171, the federal standard for protecting CUI. Level 2 is a significant step up from Level 1 in both effort and documentation.

Level 3 (Expert)

The highest tier. It applies to a small number of contractors working on the DoD's most sensitive programs. It builds on Level 2 with additional controls and the most rigorous assessment of the three.

If you are not sure which level your contract calls for, our guide on how to tell whether you need Level 1 or Level 2 walks through it.

Who CMMC Applies To

CMMC applies to any company in the DoD supply chain that handles FCI or CUI. That is broader than people expect. It is not just the large prime contractors. It reaches subcontractors, suppliers, and service providers at every tier below them.

Two Points Catch Businesses Off Guard

Requirements flow down. If a prime contractor wins work that involves CUI, the subcontractors who touch that information have to meet CMMC too. You can be several levels down the chain and still be on the hook.

It is the information, not the contract size, that matters. A small shop on a modest contract still needs CMMC if that contract involves FCI or CUI.

If you do any work for the DoD, or sell to a company that does, assume CMMC is in your future and confirm it rather than guess.

The Three Ways Compliance Gets Checked

How you prove compliance depends on your level.

Self-assessment. At Level 1, you assess your own environment against the 15 requirements. A senior leader at your company, called the affirming official, signs an annual affirmation, and the results are posted in a DoD system called the Supplier Performance Risk System (SPRS). If you want to see how your current controls translate into an SPRS score before your assessment, our free SPRS Score Calculator walks through the math. A limited set of Level 2 contracts also allows self-assessment.

Third-party assessment. Most Level 2 work requires an outside assessment by a Certified Third-Party Assessment Organization, known as a C3PAO. The C3PAO reviews your environment and your evidence and issues your certification, which is good for three years with annual affirmations in between.

Government-led assessment. Level 3 is assessed by the DoD itself. This is reserved for the highest-priority programs.

One thing to keep clear as you shop for help: an advisory partner like APT is not the same as a C3PAO. We help you get ready. The C3PAO is the independent body that performs the official Level 2 assessment, and the same firm cannot do both for the same client. APT works as a Registered Practitioner, which means we focus on prep, gap assessment, and remediation, then hand you off ready for the assessor.

Where the CMMC Rules Stand Today

CMMC is not a future plan. It is live.

Two separate rules had to be finalized for CMMC to take full effect. The first, known as 32 CFR Part 170, established the program itself and took effect in December 2024. The second is the rule that updates the Defense Federal Acquisition Regulation Supplement (DFARS), and it is what actually puts CMMC into contracts. It took effect on November 10, 2025.

Since that date, contracting officers have been allowed to add CMMC requirements to new DoD contracts and solicitations. The rollout is phased over several years. In the current phase, contracts mainly call for Level 1 and Level 2 self-assessments. Starting November 10, 2026, solicitations will begin requiring a full Level 2 certification from a C3PAO rather than self-assessment. Requirements continue expanding in phases, with full implementation across all applicable contracts by November 10, 2028.

The practical takeaway: CMMC language can show up in your next contract or renewal with little warning, and getting ready takes longer than most companies expect.

What to Do Next

You do not need to solve CMMC overnight, but you should start. Three steps make sense for almost any contractor.

First

Figure out your level. Confirm whether you handle FCI only or CUI as well, and check your current and upcoming contracts for CMMC language. That tells you whether you are looking at Level 1 or Level 2.

Second

Get a gap assessment. A gap assessment compares your current security against the practices your level requires and shows you exactly where you fall short. It turns a vague worry into a clear, written list of work. APT's CMMC gap assessment does exactly that.


Not sure where to start? Our free CMMC Readiness Quickcheck gives you a fast read on your biggest gaps before you book anything. No login required.

Third

Close the gaps. Some gaps are documentation. Others are technical, and closing them often means putting the right tools in place, such as endpoint protection, email security, or network controls. APT handles both the planning and the implementation, so the work the assessment identifies actually gets done.

CMMC is a real requirement with a real timeline, but it is manageable with a clear plan. APT's CMMC compliance prep supports defense contractors through every step, from first gap assessment to assessment-ready.

Frequently Asked Questions

Is CMMC 2.0 the same as CMMC?

Yes. CMMC 2.0 is the current and only active version of the program. Earlier guidance used "2.0" to set it apart from the original 2020 model, but the two terms now refer to the same thing.

Do small businesses really have to comply with CMMC?

Yes, if they handle FCI or CUI for the DoD. Company size does not exempt you. Most small subcontractors fall under Level 1, which uses self-assessment and is the lighter of the two requirements.

What is the difference between Level 1 and Level 2?

Level 1 applies to companies that handle FCI and is based on 15 basic requirements verified by self-assessment. Level 2 applies to companies that handle CUI, is based on 110 controls from NIST 800-171, and usually requires a third-party assessment by a C3PAO.

Is CMMC required now?

Yes. The rule that places CMMC into DoD contracts took effect on November 10, 2025. Requirements are being phased into contracts over several years.

Can APT certify my company for CMMC?

No, and no advisory firm can. Official Level 2 certification comes from an independent C3PAO. APT is a Registered Practitioner that prepares you for that assessment through gap assessments, documentation support, and remediation.

Not Sure Where You Stand With CMMC?

Book a free 30-minute consultation. We will review your situation, help you confirm your likely CMMC level, and outline a clear path to readiness with no obligation.