What is CMMC 2.0?

CMMC 2.0 (Cybersecurity Maturity Model Certification version 2.0) is the United States Department of Defense's contractor cybersecurity certification progr…

Definition

CMMC 2.0 is the streamlined successor to the original CMMC programme. Where CMMC 1.0 had five maturity levels with bespoke practices and processes, CMMC 2.0 collapses to three levels and aligns those levels directly to existing NIST publications: Level 1 maps to the basic safeguarding requirements in 48 CFR 52.204-21 (FAR clause), Level 2 maps to the 110 controls of NIST Special Publication 800-171, and Level 3 adds a subset of NIST SP 800-172 enhanced security requirements.

The programme is administered by the US Department of Defense and assessed through three mechanisms depending on level. Level 1 is an annual self-assessment with executive affirmation. Level 2 is a third-party assessment conducted every three years by a CMMC Third-Party Assessor Organisation (C3PAO), supplemented by annual self-affirmation. Level 3 is a government-led assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Implementation flows through DFARS clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) and the new DFARS 252.204-7021, which allows the DoD to insert CMMC certification requirements into solicitations. Failure to meet the required level by the contract award date disqualifies a contractor from that award.

Core components

  • Federal Contract Information (FCI). Information provided by or generated for the Government under a contract not intended for public release. Triggers CMMC 2.0 Level 1.
  • Controlled Unclassified Information (CUI). Government-created or owned unclassified information that requires safeguarding under law, regulation, or government-wide policy. Triggers CMMC 2.0 Level 2.
  • Level 1. 17 basic safeguarding practices from FAR 52.204-21. Annual self-assessment with executive affirmation. Required for FCI handling.
  • Level 2. 110 security controls from NIST SP 800-171. Third-party assessment by a C3PAO every three years; annual self-affirmation in between. Required for CUI handling.
  • Level 3. 110 NIST SP 800-171 controls plus a subset of NIST SP 800-172 enhanced controls. Government-led assessment by DIBCAC. Required for the most sensitive CUI.
  • C3PAO. CMMC Third-Party Assessor Organisation — accredited to perform CMMC 2.0 Level 2 certification assessments.
  • System Security Plan (SSP). Document describing the system boundary, the controls implemented, and how each control is implemented. Required for Level 2.
  • Plan of Action and Milestones (POA&M). Document tracking known control gaps, planned remediation, and milestone dates. Limited POA&M is permitted under CMMC 2.0 with conditions.

Why it matters

CMMC 2.0 is now an active procurement gate for DoD contractors and subcontractors. As the programme rolls forward, contracts that previously required only self-attestation under DFARS 252.204-7012 will increasingly require Level 1 self-assessment with affirmation, Level 2 C3PAO certification, or Level 3 DIBCAC assessment. Contractors that fail to meet the required level lose eligibility for affected awards.

For MSPs serving DoD-contractor or sub-contractor clients, CMMC 2.0 affects two relationships. First, the MSP itself, as a service provider, must maintain a control posture compatible with the client's required level, because the MSP sits inside the client's system boundary. Second, the MSP often delivers compliance support as a billable service: implementing controls, generating SSPs, preparing POA&Ms, and shepherding the client through the C3PAO assessment.

The Canadian Program for Cyber Security Certification (CPCSC) is being designed in alignment with CMMC 2.0 — same NIST SP 800-171 control base — so Canadian MSPs can use a single evidence base to support clients pursuing either certification.

How Lavawall® helps with CMMC 2.0

Lavawall® treats CMMC 2.0 (Levels 1, 2, and the in-scope portions of Level 3) as a first-class framework. The 110 NIST SP 800-171 controls map directly to live evidence Lavawall® already collects: patching state, configuration posture, MFA enforcement, audit logging, privileged-access controls, incident response artefacts, and supply-chain risk indicators across Windows, macOS, and Linux endpoints and M365, Entra ID, Azure, and Google Workspace tenants.

For MSPs, multi-tenant delivery is the key advantage. Standard CMMC 2.0 Level 1 and Level 2 control profiles can be applied to new client tenants in minutes; co-branded SSP and POA&M generation lets the MSP produce client-ready documents without manual Word-document work each quarter. The same evidence base satisfies CPCSC for Government of Canada contractors.

Because Lavawall® is built and used internally by ThreeShield — an audit firm with CISSP and CISA staff — the control mapping reflects what CMMC assessors actually look for, not the literal text of a control read by a software engineer who has never sat through a real C3PAO assessment.

Frequently asked

When is CMMC 2.0 enforceable?
The DoD has been phasing CMMC 2.0 into solicitations under DFARS 252.204-7021. As of 2025-2026, an increasing number of contracts include CMMC 2.0 requirements; by the end of the rollout, all relevant DoD contracts will. Contractors should treat CMMC 2.0 as enforceable now for any contract that names it, and should expect every relevant DoD contract to name it within the rollout window.

Does Level 2 require a C3PAO every year?
No. The C3PAO assessment is every three years. The contractor performs an annual self-affirmation in the intervening years. The evidence base, however, must be maintained continuously to support the affirmation and the next assessment.

Can a POA&M cover failing controls during assessment?
CMMC 2.0 permits limited POA&M items under specific conditions, primarily for higher-scoring controls and with closure deadlines. POA&M is not a get-out-of-jail-free card; it is a structured way to acknowledge a known gap and commit to its remediation.

Is CMMC 2.0 the same as NIST SP 800-171?
CMMC 2.0 Level 2 is built on the 110 controls of NIST SP 800-171. CMMC 2.0 adds the assessment infrastructure (C3PAO, scoring, affirmation) on top of the NIST control set. An organisation that fully implements NIST SP 800-171 is functionally at Level 2 control coverage; CMMC 2.0 then adds the certification process.