CMMC Level 2: Requirements and Solutions for DoW Contractors

Has CMMC 2.0 been published?  Yes, after a long period of waiting, the DoW published the 48 Code of Federal Regulations (CFR) Final Rule, officially making the […]

Key Takeaways:

    • Cybersecurity Maturity Model Certification (CMMC) is the Department of War’s (DoW’s) method for ensuring that contractors have implemented adequate cybersecurity measures to protect Controlled Unclassified Information (CUI), International Traffic in Arms Regulations (ITAR) data, and Federal Contract Information (FCI).

    • CMMC assessments started in Q1 2025.

    • The phased rollout of CMMC in contracts began in Q3 2025.

    • There are 3 levels of CMMC. The level your business will require depends on the types of data you handle as a part of your DoW contracts.

    • For Level 2, which is the most common, it takes an average of 6-18 months to prepare for a CMMC assessment.

    • The CMMC rule is built on the assumption that contractors have already implemented National Institute of Standards and Technology (NIST) SP 800-171.

    • If you’re in a time crunch, you can create a CMMC Enclave  to certify part of your business either as a permanent solution or to ensure that you keep your contracts while gradually moving to all-in compliance.

Speak with our team

Has CMMC 2.0 been published? 

Yes, after a long period of waiting, the DoW published the 48 Code of Federal Regulations (CFR) Final Rule, officially making the CMMC a binding requirement in defense contracts.  
 
The 48 CFR Final Rule was published in the Federal Register on September 10, 2025.  

What is CMMC Level 2? 

CMMC is the DoW’s method for requiring organizations in the DoW supply chain to protect FCI, CUI, and/or ITAR to the appropriate CMMC level.  

CMMC Level 2 compliance is intended for those handling sensitive data and therefore requires organizations to satisfy all 110 security controls from NIST SP 800-171. 

CMMC Level 2 certification is necessary for those who want to bid on DoW contracts that handle the following: 

  • Controlled Technical Information (CTI) 

If the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 requirement is in your current contracts, you are most likely in the CMMC Level 2 category. 

CMMC Level Graphic

Here are a few types of data requiring different levels from CMMC Level 1 to CMMC Level 3: 

  • FCI 

What does it take to achieve CMMC Level 2 Compliance? 

A Cyber-AB CMMC Third Party Assessment Organization (C3PAO) will attest that you have fully implemented all assessment objectives for you to receive a CMMC certification. 

  • Once you’ve met all NIST 800-171 requirements, you will be responsible for scheduling your assessment with a C3PAO. A certification remains valid for 3 years from the assessment certification. 
  • Annually, a senior company official must re-affirm that all 320 assessment objectives are still being met. 
  • Every 3 years a C3PAO must re-certify the organization. 

Expert Insight: Any Managed Service Provider (MSP) or Managed Security Service Provider (MSSP) working with the organization must have a Level 2 final certification as well. 

How do I know if I have CUI? 

When it comes to the CMMC framework, the scope of a CMMC assessment for an Organization Seeking Assessment (OSA) is dictated by the flow of CUI throughout the environment. Properly identifying all the locations where CUI resides within that environment is critical for OSAs who want to successfully pass upcoming CMMC assessments. 

Classifying CUI can define the scope of an organization’s assessment, so it is critical that it is done properly. For each classification, the amount of CMMC requirements that are applicable to the asset varies, and the determining factor for asset classification is the way in which the asset interacts with sensitive data.  

Identifying-CUI-M365-CMMC

How do DFARS and CMMC Level 2 overlap? 

 
CMMC and DFARS 7012 collectively consist of four basic requirements: 

  1. Adequate Security: NIST SP 800-171’s 110 security controls. 
  1. Contractual Flowdown: When a prime contractor must meet DFARS and CMMC requirements, and CDI/CUI is passed down to subcontractors, then the subcontractor would be required to meet the same level of CMMC. 
  1. Event and Incident Reporting: In response to an incident or cyber event, DFARS 7012 requires your organization to notify the DoW through formal reporting mechanisms. The DoW will need access to your environment, including cloud tenants and other cloud systems handling CUI. 
  1. Federal Risk and Authorization Management Program (FedRAMP) Compliance for Partners: Since 2016, DFARS clause 252.204-7012 has said that if a contractor puts CUI in the cloud, then the contractor must require and ensure that the Cloud Service Provider (CSP) meets security requirements “equivalent” to the FedRAMP Moderate baseline. 

On December 21, 2023, the DoW released a memo clarifying the stringent requirements of FedRAMP Moderate “equivalency”– and it’s effective immediately. DoW contractors are now on the hook for their CSP’s FedRAMP compliance. According to the memo, the DoW requires a lot of contractors with defense data being stored, processed, or transmitted with a FedRAMP-equivalent CSP.  
 
A FedRAMP Moderate authorized CSP will require considerably less effort by the contractor. You can check if your CSP is authorized on the FedRAMP marketplace. If you do have an FedRAMP Moderate “equivalent” CSP, you might consider switching to a FedRAMP-Tailored Solution. We recommend either Microsoft GCC or GCC High. 

*DFARS-7012-7020-7021-CMMC

How should I prepare for CMMC Level 2 now? 

​Aerospace and defense contractors should be taking the following measures right now in order to prepare for CMMC Level 2 assessments: 

What solutions can help me earn CMMC Level 2? 

The proper configuration of the Microsoft Government suite has the ability to satisfy the controls found in CMMC Level 2. Essentially, there are two options to approach CMMC Compliance.  

1. The All-In Approach 

2. Cloud Enclave 

Enclave-Graphic (1800 × 1200 px) (3)

An all-in solution certifies your entire environment whereas an enclave creates a certified section of your environment that is approved to hold CUI.

How do I prepare for a CMMC Level 2 assessment?

To pass a CMMC Level 2 assessment, your company must be assessed by an authorized Cyber-AB C3PAO on its ability to meet and demonstrate all practices to address Levels 1 and 2 in aggregate.  

Getting up to speed requires implementing technical architecture and solutions, along with written policies and procedures.  

Outsourcing to an experienced MSP or MSSP provider like Summit 7 makes following the rules set in place by NIST 800-171 far easier; in addition to having these controls down to a science, compliance with Summit 7 is more cost effective than taking on CMMC in-house.  

To get started pursuing CMMC Level 2, schedule a consultation with Summit 7. 

Contact

Speak With Our Team

Scroll to Top