NeoSystems Corporation

What Is CMMC?

Understanding the Cybersecurity Maturity Model Certification (CMMC): What Contractors Need to Know

Cyber threats targeting the Defense Industrial Base (DIB) have grown in sophistication, scale, and intent, putting sensitive national security information at risk. In response, the Department of Defense (DoD) has formalized the Cybersecurity Maturity Model Certification (CMMC) through a final rule (32 CFR Part 170, published October 2024 and effective December 16, 2024), creating an enforceable framework to verify that contractors and subcontractors are capable of protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

On this page, we break down what CMMC is, who it applies to, how it's structured, what each certification level entails, key timelines, and how to choose the right external service provider to help you meet compliance head-on.

What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s risk-based approach to enforce cybersecurity standards across its contractor base. It’s designed to verify that contractors and subcontractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) have implemented cybersecurity practices aligned with the sensitivity of the information they process.

The final rule—32 CFR Part 170—outlines three certification levels, with strict scoping guidance, assessment requirements, and limited allowances for the use of Plans of Action and Milestones (POA&Ms). It marks the program’s official transition from a policy concept to a federal mandate.

Why Is CMMC Being Implemented?

The rationale is clear and urgent: adversaries have spent the past decade exfiltrating sensitive technical data from defense contractors, eroding the U.S. competitive advantage. Contractors have been contractually bound to NIST SP 800-171 under DFARS 252.204-7012 since 2017, but compliance was self-attested and rarely verified. CMMC is the DoD's corrective measure: a compliance program with built-in accountability that adds third-party or government verification to those existing requirements.

By enforcing a standardized approach to cybersecurity across the supply chain, the DoD aims to reduce data breach risks, safeguard Controlled Unclassified Information (CUI) and strengthen the overall cybersecurity posture of organizations working with the DoD, ultimately creating a more resilient ecosystem.

Who Does CMMC Apply To?

CMMC applies to all entities in the Defense Industrial Base that:

  • Process, store, or transmit FCI (triggering a Level 1 self-assessment),
  • Process, store, or transmit CUI (triggering a Level 2 self-assessment or a Level 2 C3PAO assessment, depending on the acquisition),
  • Or support the DoD's most critical programs and technologies (triggering a Level 3 assessment led by DCMA's DIBCAC, which adds enhanced protection and detection requirements on top of Level 2).

The program applies to prime contractors and to subcontractors at every tier of the supply chain. It also reaches the external service providers (ESPs) that touch contractor data: cloud service providers (CSPs), managed service providers (MSPs), managed security service providers (MSSPs), and enclave solutions used to process, store, or transmit CUI. Under the final rule, a CSP that processes, stores, or transmits CUI must meet FedRAMP Moderate (or equivalent), and any other ESP that handles CUI falls within the customer's assessment scope and must be documented in the customer's System Security Plan and responsibility matrix.

CMMC Certification Levels: What they Actually Mean

Under the CMMC final rule, the Department of Defense has established three certification levels, each mapped to a distinct type of information and the corresponding risk involved. These levels are tied directly to enforceable requirements, assessment pathways, and eligibility for contract award.

CMMC Level 1 – Foundational

CMMC Level 1 is designed for contractors that handle Federal Contract Information (FCI)— information provided by or generated for the government under contract, that is not intended for public release and is not classified. This level requires full implementation of 15 basic safeguarding requirements defined in FAR 52.204-21.

There are no partial points or phased implementation here. All 15 requirements—such as controlling physical access, limiting system access to authorized users, and regularly scanning for malicious code—must be in place.

  • Focus: Protection of FCI
  • Requirements: 15 basic safeguarding requirements from FAR 52.204-21
  • Assessment Type: Annual self-assessment, with results and an affirmation by a senior official entered in SPRS
  • POA&Ms: Not allowed. All 15 requirements must be fully implemented at this level.
  • Scoping: Only assets that process, store, or transmit FCI are in scope

CMMC Level 2 – Advanced

Level 2 is for organizations that store, process, or transmit Controlled Unclassified Information (CUI). It mandates full implementation of all 110 security requirements from NIST SP 800-171, Revision 2, a set of well-established practices focused on confidentiality, and assessments are conducted against the assessment objectives in NIST SP 800-171A.

  • Focus: Protecting Controlled Unclassified Information (CUI)
  • Requirements: Implementation of the 110 requirements from NIST SP 800-171, Rev. 2
  • Assessment Type:
    • Triennial certification assessment by an authorized C3PAO where the solicitation requires Level 2 (C3PAO), typically for prioritized acquisitions
    • Triennial self-assessment where the solicitation requires Level 2 (Self)
    • In both cases, an annual affirmation by a senior official entered in SPRS
  • POA&Ms: Allowed with restrictions. A conditional status requires a minimum score of 88 out of 110; only requirements weighted at 1 point may be deferred (with a narrow exception for CUI encryption), and open items must be closed and verified within 180 days or the conditional status lapses.
  • Scoping: Includes CUI assets, security protection assets, specialized assets, contractor risk-managed assets, and out-of-scope assets, each category carrying different documentation and assessment expectations.

CMMC Level 3 – Expert

Level 3 is reserved for contractors supporting the most sensitive DoD programs and technologies. At this level, security must go beyond standard protections, and a Level 2 (C3PAO) final certification for the same scope is a prerequisite before the Level 3 assessment can begin.

  • Focus: Protection of CUI against Advanced Persistent Threats (APTs)
  • Requirements:
    • All 110 Level 2 requirements from NIST SP 800-171, Rev. 2
    • Plus a fixed subset of 24 enhanced requirements from NIST SP 800-172, selected by the DoD. The specific requirements and any DoD-approved parameters are listed in Table 1 to § 170.14(c)(4) of 32 CFR Part 170; the subset is set by the rule, not chosen contract by contract.
  • Assessment Type: Triennial assessment by the DoD (DCMA DIBCAC), plus an annual affirmation
  • Target: Contractors supporting the DoD's most sensitive programs and technologies

CMMC Implementation Timeline

For small and midsize defense contractors, timing matters. The final CMMC rule is no longer just policy; it is operational. The 32 CFR rule ties the start of phase-in to the effective date of the companion DFARS (48 CFR) rule that places CMMC requirements in contracts, and each subsequent phase begins one calendar year after the previous one. The dates below assume a December 2024 start; treat them as relative to that trigger. The rollout isn't happening all at once, but it is happening, and every phase brings new expectations for contractors.

Here's how the timeline is structured in the Final Rule:

📌 Phase 1 (begins with the DFARS rule's effective date; assumed here as December 2024):

DoD solicitations may start requiring Level 1 self-assessments (for FCI) and Level 2 self-assessments (for non-prioritized CUI). The DoD may also, at its discretion, require a Level 2 C3PAO assessment in place of a self-assessment. If you're already doing business with the DoD and handling basic data, you need to be prepared to self-assess and post your results and affirmation in SPRS.

📌 Phase 2 (one year after Phase 1 begins):

For applicable contracts involving more sensitive CUI, the DoD will start requiring Level 2 certification from a C3PAO (CMMC Third-Party Assessment Organization) as a condition of award, though it may delay that requirement to an option period. This is a formal assessment by an accredited assessor. Now is the time to remediate any gaps in your NIST SP 800-171 implementation.

📌 Phase 3 (one year after Phase 2 begins):

The pool of contracts requiring a C3PAO-certified Level 2 assessment expands to include option periods, and the DoD begins requiring Level 3 certification, assessed directly by the government (DCMA DIBCAC), for applicable contracts, with discretion to delay Level 3 to an option period. If you're planning to bid on DoD work that touches CUI, even if it's not flagged as "prioritized" today, your window to prepare is now.

📌 Phase 4 (one year after Phase 3 begins):

Full implementation. All applicable DoD solicitations and contracts, including option periods on previously awarded contracts, carry the CMMC level the work requires. Level 3 applies only to a small portion of the DIB but demands significant technical and procedural maturity.

How Do I Achieve CMMC Compliance?

CMMC isn't just technical; it's operational. And the burden often lands on small teams that are already stretched thin. You need specialized tooling, documentation, expertise, and audit readiness. But you also need time, and for most organizations that's the scarcest resource of all.

That’s why many defense contractors turn to External Service Providers (ESPs)—partners that bring infrastructure, security services, and compliance expertise under one roof. When done right, working with an ESP can make the journey easier—and scalable.

CMMC: The New Baseline

For defense contractors, CMMC is fast becoming table stakes to play in the federal space. And there’s a growing difference between companies that say they’re compliant—and those that can prove it. Getting there requires more than good intentions. It takes a structured and thoughtful approach to building a security program that stands up to scrutiny, maps clearly to requirements, and demonstrates maturity over time.

How Do I Choose A CMMC Partner? Don’t Go It Alone

CMMC isn’t something you want to navigate solo—especially if you’re balancing compliance alongside day-to-day operations. The right partner can help you translate requirements into action, avoid missteps, and show up audit-ready with confidence. But not every vendor offering “compliance help” is prepared to do that.

Here's how to separate marketing from the mission-ready.

Proven Expertise: Look for a partner with direct experience implementing NIST SP 800-171, Rev. 2, not just talking about it. Have they supported organizations in the Defense Industrial Base before? Do they know how to scope an environment, build a defensible Customer Responsibility Matrix (CRM) that states exactly which requirements they cover and which remain yours, and align systems to meet assessment expectations?

Accreditation Where it Counts: Consider partnering with an ESP that has already achieved its CMMC Level 2 certification. That’s more than a credential—it’s a signal that they’ve operationalized the same practices they’re asking you to implement. It shows they understand the standard from both sides: as an advisor and as a participant.

More Than a One-Off: CMMC isn't a one-time engagement. The right partner should offer end-to-end support: incident response, continuous monitoring and remediation, policy development, evidence gathering, CRM clarity, assessment prep, and ongoing compliance monitoring. If they only show up for the assessment, chances are you're already behind.

Secure Your Future With CMMC

As cyber threats continue to evolve, organizations must prioritize cybersecurity and meet the requirements of the Cybersecurity Maturity Model Certification. By attaining CMMC compliance, you not only protect sensitive data but also gain a competitive edge in pursuing DoD contracts. Partner with a trusted CMMC expert like NeoSystems to help navigate the certification process seamlessly and safeguard your organization’s future in the digital age.

Built For Mission. Ready for What’s Next.

CMMC isn’t just about passing an assessment, it’s about continuously proving you can protect what matters most. As threats evolve and compliance becomes a condition of doing business, the ability to demonstrate readiness is a strategic advantage.

Your teams shouldn’t be burdened by infrastructure that creates more friction than function. Executing against the mission demands an environment that is secure, compliant, and resilient by design—not one that requires constant workarounds.

With the right architecture and the right partner, you gain more than technical support—you gain strategic alignment, operational clarity, and the confidence that your environment is ready for what’s next.

Let’s build a system that enables your people, safeguards your data, and stands up to scrutiny—on your terms.

Reach out to our team today and let us know where you are and where you'd like to go. NeoSystems is ready to help your users deliver on your mission.

Make the Move

Ready to start down the road to CMMC certification? Contact NeoSystems today to learn more about our CMMC compliance solutions and services.
