CMMC 2.0 Final Rule: What Defense Contractors Must Do Before Assessments Begin
The Department of Defense's Cybersecurity Maturity Model Certification 2.0 final rule took effect on December 16, 2024. Phase-in timelines mean CMMC requirements are now appearing in new contracts, and C3PAO assessments for Level 2 are actively underway. For the defense industrial base, the window for preparation is closing.
This is not a compliance exercise that can be addressed reactively. Organizations that wait until a contract requirement triggers CMMC obligations will be competing for limited C3PAO assessment slots while simultaneously scrambling to close control gaps.
The Three-Level Structure You Need to Understand
CMMC 2.0 simplified the original five-level model to three levels, but the requirements are more demanding in practice than many contractors anticipated.
Level 1 covers foundational cyber hygiene: 17 practices aligned to FAR 52.204-21, verified by an annual self-assessment with affirmation by a company official. This level applies to contractors handling Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI).
Level 2 is where most defense contractors face real compliance work. It requires implementation of all 110 practices from NIST SP 800-171 Revision 2. Most contracts involving CUI will require Level 2. This is also where the assessment model diverges: some Level 2 contracts will require self-assessment with annual affirmation, while others - specifically those involving critical national security information - will require a triennial third-party assessment by a C3PAO.
Level 3 applies to contractors supporting DoD's most sensitive programs. It adds 24 practices from NIST SP 800-172 on top of Level 2. DoD government-led assessments are required at this level.
The CUI Determination Problem
Many contractors do not have a complete picture of where CUI exists in their environment. The CMMC assessment scope is defined by where CUI is processed, stored, or transmitted - and by the systems that protect or support those systems.
Getting this wrong in either direction is costly. Scope too broadly and your assessment workload balloons. Scope too narrowly and you create findings during assessment that require remediation before certification.
A formal CUI inventory and data flow analysis should be your starting point, not your finishing task.
SPRS Scores: What Assessors Will Look At
Before the CMMC final rule, contractors were required to conduct NIST SP 800-171 assessments and report their scores to the Supplier Performance Risk System (SPRS). Many organizations submitted scores with limited rigor under the assumption that CMMC would replace this requirement.
It has not. SPRS scores remain a data point in contract award decisions, and assessors will compare your self-reported SPRS score against what they find during assessment. Significant discrepancies between a reported score and actual control implementation will raise credibility questions about your entire compliance posture.
How SPRS Scoring Works
The NIST SP 800-171 DoD Assessment Methodology assigns point values to each of the 110 security requirements. A perfect score is 110. Each unimplemented requirement reduces the score by a specified amount (ranging from 1 to 5 points depending on the practice).
Organizations are required to calculate their score, document a Plan of Action and Milestones (POA&M) for any requirements not yet met, and submit the score to SPRS with the date of assessment. A negative score is possible - and in some cases, accurate.
The honest approach: Calculate your actual score based on implementation reality, document the POA&M thoroughly, and begin closing gaps systematically. A low but accurate score with a credible remediation plan is a better starting position than an inflated score that will be contradicted during assessment.
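The scoring mechanics above, worked as an added example (not a DoD or DarkRock tool): a small calculator that applies per-requirement deductions, distinguishes the two requirements that can receive partial credit, and emits the POA&M entries for everything unmet. The requirement subset and point values are constructed sample values; the authoritative table is in the NIST SP 800-171 DoD Assessment Methodology.

```python
from __future__ import annotations
from dataclasses import dataclass

PERFECT_SCORE = 110  # one point per requirement; deductions are weighted 1, 3 or 5

# Constructed sample subset: requirement id -> (short name, deduction when not implemented).
# Requirements absent from this table are assumed implemented in the sample.
WEIGHTS = {
    "3.1.1": ("Limit system access to authorized users", 5),
    "3.1.3": ("Control the flow of CUI", 1),
    "3.3.1": ("Create and retain system audit logs", 5),
    "3.4.1": ("Establish and maintain baseline configurations", 5),
    "3.5.3": ("Use multifactor authentication", 5),
    "3.13.11": ("Employ FIPS-validated cryptography for CUI", 5),
}
# Constructed: requirements that take a reduced deduction when partially implemented
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
VALID_STATES = {"implemented", "partial", "not_implemented"}


@dataclass
class PoamItem:
    req_id: str
    name: str
    deduction: int
    status: str


def score_assessment(status_by_req: dict[str, str]) -> tuple[int, list[PoamItem]]:
    """Return (score, POA&M items). Unknown requirements count as unmet.

    The score is allowed to go negative once deductions exceed 110, as the
    methodology permits; nothing here clamps it.
    """
    deductions = 0
    poam: list[PoamItem] = []
    for req_id, (name, full_deduction) in WEIGHTS.items():
        status = status_by_req.get(req_id, "not_implemented")
        if status not in VALID_STATES:
            raise ValueError(f"{req_id}: unknown status {status!r}")
        if status == "implemented":
            continue
        if status == "partial" and req_id in PARTIAL_DEDUCTION:
            deduction = PARTIAL_DEDUCTION[req_id]
        else:
            # Partial credit is not available for this requirement: full deduction
            deduction = full_deduction
        deductions += deduction
        poam.append(PoamItem(req_id, name, deduction, status))
    return PERFECT_SCORE - deductions, poam
```

Each returned PoamItem is one line of the POA&M the article says must accompany the submitted score; sorting by deduction gives a first-cut remediation order.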
C3PAO Assessment: What to Expect
C3PAO assessments for CMMC Level 2 are structured, methodical, and resource-intensive for the organization being assessed. Understanding what assessors look for helps you prepare documentation and evidence in a format that reduces assessment friction.
Evidence collection is the primary workload. For each of the 110 NIST SP 800-171 practices, assessors need to verify implementation through documentation, observation, and/or testing. The most common preparation failure is not that controls are unimplemented - it is that implementation cannot be demonstrated because evidence was not collected or organized.
Key evidence categories assessors will request:
- System Security Plan (SSP) describing scope, control implementation, and responsible parties
- Network diagrams with CUI data flows annotated
- Access control lists, user provisioning records, and privileged access reviews
- Vulnerability scan results with remediation tracking
- Audit log samples and log retention configuration
- Training completion records
- Incident response plan with tabletop exercise documentation
- Configuration baselines and deviation records
Assessment timelines are not short. A typical Level 2 assessment for a mid-sized contractor takes three to six months from kickoff to certification decision. This includes documentation review, remote interviews, on-site or virtual assessment activities, and finding remediation if required.
Conditional Certification and POA&Ms
The CMMC program allows for Conditional CMMC certification when certain non-critical practices are not yet fully implemented, subject to a documented POA&M with a completion timeline not to exceed 180 days. Not all practices qualify for POA&M deferral - practices deemed critical must be fully implemented before certification.
Understanding which practices must be fully implemented versus which can be deferred is important for sequencing your remediation work.
Priority Control Areas for Rapid Gap Closure
Based on NIST SP 800-171 assessment findings across the defense industrial base, certain control families consistently show the highest rates of non-implementation. If you are prioritizing remediation effort, start here.
Multi-Factor Authentication (IA.3.083): Required for privileged and non-privileged users accessing systems with CUI. Organizations that relied on single-factor authentication for internal systems will need to deploy MFA broadly. This is also a prerequisite for other control implementations.
System and Communications Protection - Boundary Defense: Network segmentation isolating CUI systems from the rest of the corporate network, encrypted transmission, and documented boundary protection architecture.
Audit and Accountability: Log collection from CUI-scope systems, centralized log storage, retention meeting requirements, and evidence that logs are reviewed. Many organizations collect logs but have no documented review process and insufficient retention.
Configuration Management: Documented baselines, change control processes, and evidence that unauthorized software cannot execute on CUI systems.
Incident Response: A documented IR plan is not sufficient - evidence of tabletop exercises and defined notification procedures is required.
What This Means for Your Organization
The CMMC timeline is no longer a future planning concern - it is a current contract requirement. If your organization handles CUI under DoD contracts and has not begun formal CMMC preparation, the cost of delay is measurable in both remediation scope and competitive position.
DarkRock's federal compliance team has guided defense contractors through NIST SP 800-171 implementations and CMMC readiness assessments. We conduct scope analysis to define your assessment boundary, calculate your actual SPRS score with full documentation support, develop your System Security Plan, and prepare your evidence package for C3PAO assessment. Our team brings direct experience with the assessment methodology and knows what assessors scrutinize most closely.
Contact DarkRock to schedule a CMMC readiness assessment and establish your path to certification.
DarkRock Federal Compliance Team
Dark Rock Cybersecurity — cybersecurity and compliance practitioners helping organizations build resilient, audit-ready security programs.