If you handle information for the Department of Defense, you have probably heard "CMMC is coming" for years. It is no longer coming. The program rule is final, the acquisition rule that puts it into contracts is in force, and the requirement is now phasing into solicitations. Here is what that actually means, without the acronym soup.
Three levels, two ways to prove it
CMMC sorts contractors into three levels based on the sensitivity of the information you touch.
- Level 1 covers Federal Contract Information (FCI). You prove it with an annual self-assessment against the 15 basic safeguarding requirements of FAR 52.204-21, posted to SPRS with an affirmation of compliance. No POA&M is allowed at this level: all 15 must be met.
- Level 2 covers Controlled Unclassified Information (CUI). It maps one-to-one to the 110 security requirements in NIST SP 800-171 Revision 2. Most companies at this level must pass a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) every three years and affirm continued compliance annually in between; a smaller set of contracts will accept an annual self-assessment instead.
- Level 3 adds 24 enhanced requirements selected from NIST SP 800-172 on top of Level 2, is reserved for the highest-risk programs, and is assessed by the government directly (DCMA's DIBCAC) rather than by a C3PAO. A Level 2 certification from a C3PAO is a prerequisite.
The single most important question for your business is not "what level is CMMC?" It is "what level does my contract require?" That comes from the flow-downs in your prime's agreement and the solicitation language — not from a guess.
What changed from the early versions
The headline shift is predictability. The framework collapsed the original five levels to three, dropped the maturity "processes" that confused everyone, aligned Level 2 to 800-171 with no added practices, and formalized two things that matter operationally:
- A score in SPRS. Under the DoD Assessment Methodology you start at 110 and subtract 1, 3 or 5 points for every requirement that is not fully implemented, so the result runs from 110 down to -203. You post that number in SPRS, and DoD contracting officers can see it. A stale or low score is now a visible liability, not a private one.
- Conditional certification with a POA&M. A limited set of gaps can be carried on a Plan of Action & Milestones, but only if the score is at least 88, and the POA&M must be closed out and verified within 180 days. Only 1-point requirements are eligible (and a handful of those are excluded too); 3- and 5-point requirements must be met outright, with the lone exception of CUI encryption that is in place but not FIPS-validated. You cannot POA&M your way past the things that matter most.
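The two mechanics above, scoring and POA&M eligibility, are easy to get wrong by hand. The following is an added example, not code from the article or from any DoD or C3PAO tool. It assumes the assessor supplies each unmet requirement's point value (1, 3 or 5) from the DoD Assessment Methodology, encodes the conditional-certification limits of 32 CFR 170.21 as stated at the time of writing (88 minimum, 180-day window, 1-point items only, the listed exclusions, and the non-FIPS CUI encryption exception), and runs over a constructed set of findings that is not from any real assessment. Confirm the limits against the current rule before relying on the output.

```python
"""Score a NIST SP 800-171 self-assessment the way the DoD Assessment
Methodology does, then check whether the open gaps could ride on a POA&M
under CMMC Level 2 conditional status.

Added illustration for this article; not a DoD, C3PAO or vendor tool.
Assumed input: the assessor supplies each unmet requirement's point value
(1, 3 or 5). Eligibility limits follow 32 CFR 170.21 as written at the
time of this example; verify against the current rule before acting.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_SCORE = 110                   # all 110 requirements implemented
MIN_SCORE = -203                  # every requirement unmet at full weight
POAM_MIN_SCORE = 88               # 80% of 110, the conditional threshold
POAM_WINDOW_DAYS = 180            # closeout assessment is due within this

# 1-point requirements that the rule still refuses to allow on a POA&M.
POAM_EXCLUDED_ONE_POINT = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
# The single >1-point requirement permitted on a POA&M: CUI encryption that
# is deployed but not FIPS-validated (partial credit, 3 points off, not 5).
CUI_ENCRYPTION = "3.13.11"


@dataclass(frozen=True)
class Finding:
    req_id: str                     # 800-171 requirement number, e.g. "3.5.3"
    weight: int                     # 1, 3 or 5 per the methodology
    deducted: Optional[int] = None  # points actually lost; None = full weight
                                    # (3.5.3 and 3.13.11 allow partial credit)

    def points_lost(self) -> int:
        if self.weight not in (1, 3, 5):
            raise ValueError(f"{self.req_id}: weight must be 1, 3 or 5")
        lost = self.weight if self.deducted is None else self.deducted
        if not 0 < lost <= self.weight:
            raise ValueError(f"{self.req_id}: deducted must be in 1..weight")
        return lost


def sprs_score(findings: List[Finding]) -> int:
    """Start at 110 and subtract each unmet requirement's points."""
    seen = set()
    score = MAX_SCORE
    for f in findings:
        if f.req_id in seen:
            raise ValueError(f"duplicate finding for {f.req_id}")
        seen.add(f.req_id)
        score -= f.points_lost()
    return max(score, MIN_SCORE)


def poam_eligible(findings: List[Finding]) -> Tuple[bool, List[str]]:
    """Return (eligible, reasons). Each reason is a rule that blocks
    conditional Level 2 status; an empty list means every gap may go on
    the POA&M (the 180-day closeout clock still applies)."""
    reasons: List[str] = []
    score = sprs_score(findings)
    if score < POAM_MIN_SCORE:
        reasons.append(f"score {score} is below {POAM_MIN_SCORE}")
    for f in findings:
        if f.weight > 1:
            partial = f.points_lost() < f.weight
            if f.req_id == CUI_ENCRYPTION and partial:
                continue            # non-FIPS encryption in place: allowed
            reasons.append(f"{f.req_id} is a {f.weight}-point requirement")
        elif f.req_id in POAM_EXCLUDED_ONE_POINT:
            reasons.append(f"{f.req_id} may never be placed on a POA&M")
    return (not reasons, reasons)


# Constructed sample findings (not from any real assessment). Weights are the
# methodology's values for these requirements; the assessor supplies them.
CLOSE_TO_READY = [
    Finding("3.13.11", 5, deducted=3),  # CUI encrypted, but not FIPS-validated
    Finding("3.4.9", 1),                # user-installed software not controlled
]
NOT_READY = CLOSE_TO_READY + [
    Finding("3.5.3", 5, deducted=3),    # MFA only for privileged/remote users
    Finding("3.1.20", 1),               # external connections not controlled
]

if __name__ == "__main__":
    for label, found in (("close to ready", CLOSE_TO_READY), ("not ready", NOT_READY)):
        ok, why = poam_eligible(found)
        print(f"{label}: score {sprs_score(found)}, POA&M eligible: {ok}")
        for reason in why:
            print("  -", reason)
```

The design point worth noticing is that eligibility is not just a score threshold: a 102 with one partial MFA gap fails, while a 106 with the non-FIPS encryption gap passes, because the rule looks at which requirements are open, not only how many points they cost.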
What to do before it shows up in a solicitation
The teams that struggle are the ones that wait for the requirement to appear in a bid they want. The teams that don't struggle have already done three things:
- Scoped the environment. They know exactly where CUI lives and have drawn a boundary around it, sorting every asset into the categories the CMMC Level 2 scoping guide uses (CUI assets, security protection assets, contractor risk managed assets, specialized assets, out of scope). Scope is the decision that drives everything downstream, and the one most often gotten wrong (more on that next month).
- Scored themselves honestly. A real 800-171 self-assessment under the DoD Assessment Methodology, requirement by requirement with evidence, not a checklist someone filled in optimistically, so the SPRS number reflects reality.
- Written the SSP and POA&M as living documents. Not a binder for the auditor — the operating plan for the program.
None of this requires knowing the exact date the clause hits your contract vehicle. It requires knowing where you stand and closing the distance on your own schedule, before someone else's clock starts.
If you are not sure where you stand, that is the entire purpose of a discovery call — we will tell you plainly, and tell you what it takes to get ready.
