
Understanding CMMC 2.0: What Defense Contractors Need to Know

CEdge Corp Cybersecurity

The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) 2.0 program is now in full effect, and defense industrial base (DIB) contractors are under increasing pressure to demonstrate compliance as part of the contract award process. If your organization handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), here’s what you need to understand.

What Changed from CMMC 1.0 to 2.0

CMMC 2.0 consolidated the original five maturity levels into three, significantly reducing complexity for most contractors:

  • Level 1 (Foundational) — 17 practices aligned with basic cyber hygiene for organizations handling FCI. Annual self-assessment.
  • Level 2 (Advanced) — 110 practices aligned with NIST SP 800-171. Triennial (every three years) self-assessment or third-party assessment, depending on contract requirements.
  • Level 3 (Expert) — 110+ practices based on NIST SP 800-172. Government-led assessment required.

Most small and mid-size defense contractors will fall into Level 1 or Level 2. Level 3 is reserved for programs with the highest criticality designation.

The Self-Assessment Trap

One of the most dangerous misconceptions we encounter is that “self-assessment” means easy. Level 2 self-assessments still require your organization to score against all 110 NIST SP 800-171 controls and submit the score to the Supplier Performance Risk System (SPRS). False or inflated SPRS scores carry significant legal risk under the False Claims Act — the DoJ has already brought enforcement actions.

What Contractors Should Do Now

  1. Conduct an honest gap assessment against NIST SP 800-171 if you haven’t already
  2. Document your System Security Plan (SSP) — this is required and will be reviewed during assessments
  3. Build a Plan of Action & Milestones (POA&M) for any gaps, with realistic remediation timelines
  4. Implement multi-factor authentication — this is one of the most commonly failed controls and one of the most scrutinized
  5. Ensure your supply chain is compliant — prime contractors are increasingly flowing CMMC requirements down to their subcontractors

How CEdge Can Help

CEdge Corp has supported defense contractors through CMMC readiness assessments, SSP development, and technical remediation. Our team understands both the regulatory framework and the practical challenges of implementation in resource-constrained environments.

If you’re facing an upcoming contract requiring CMMC compliance — or if you want to get ahead of it — contact our team to discuss a readiness assessment.
