CMMC 2.0
Levels 1, 2, and 3 assessment, evidence, and remediation

CMMC 2.0 in context: the DoD's compliance regime for the Defense Industrial Base

The Cybersecurity Maturity Model Certification (CMMC) is the United States Department of Defense compliance regime that verifies how contractors in the Defense Industrial Base protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC was first published in 2020, restructured into CMMC 2.0 in late 2021, and codified in the final rule at 32 CFR Part 170 published by the DoD in October 2024. The DFARS rule that operationalises CMMC inside contracts (DFARS 252.204-7021) is rolling out under a phased implementation through 2025 and beyond, applied first to selected DoD acquisitions and then to the wider contract portfolio.

CMMC sits inside a wider US federal control ecosystem. The Level 2 control set is drawn directly from NIST SP 800-53 Rev. 5 as expressed in NIST SP 800-171 Rev. 2 for non-federal systems. The Level 3 enhancements come from NIST SP 800-172. For cloud services delivering capability into a CMMC environment, the cloud service provider must hold an equivalent FedRAMP authorisation (typically Moderate baseline or above) under DFARS 252.204-7012. The control catalogue, the risk language, and the assessment artefacts all map cleanly across these regimes, which matters most for organisations that have to satisfy more than one programme from the same body of work.

The three CMMC 2.0 levels and who they apply to

CMMC 2.0 collapsed the original five-level model into three levels. The level a contract requires is determined by the data classification handled (FCI or CUI) and the sensitivity of the programme. Many DoD primes and subcontractors operate at Level 2 because most CUI contracts land there; Level 1 is common for parts of a portfolio that touch FCI only; Level 3 is reserved for the highest-value programmes. A single organisation can hold different levels for different parts of its environment, with the boundary diagram and the SSP evidencing the separation.

Scoping CMMC: FCI, CUI, and the asset categories that decide effort

CMMC scope is the most consequential single decision in the programme. It determines which assets get assessed, which controls apply, and how much remediation effort is required. Scope is defined first by data classification (does the asset handle FCI, CUI, or neither) and then by asset category. The DoD CMMC scoping guidance defines five asset categories; each category drives a different assessment treatment.

The fastest way to inflate a CMMC programme's cost is to scope too broadly: pulling every workstation, file share, and SaaS account into the CUI environment when only a subset actually handles CUI. The fastest way to fail a C3PAO assessment is to scope too narrowly and miss CUI flows that the assessor finds during the on-site review. The boundary diagram, the data flow inventory, and the asset classification have to be defensible against both risks at once.

Level 2: NIST SP 800-171 Rev. 2 and the 14 control families

Level 2 is the centre of gravity of the CMMC programme. The 110 controls are organised into 14 families that mirror the broader NIST SP 800-53 catalogue but are tailored for non-federal systems handling CUI. Every control has a one-line basic security requirement and a more detailed derived security requirement; both have to be evidenced for the assessment. The NIST SP 800-171 framework page covers the requirement families, the DoD Assessment Methodology scoring, and the SPRS submission workflow that underpin every CMMC Level 2 assessment.

For the day-to-day vulnerability scanning required under family 3.11, the vulnerability assessment workflow keeps scan output, severity, and evidence linked per asset. For the SI family flaw remediation work, the remediation tracking workflow keeps owners, deadlines, and verified close evidence linked to the original finding.

Level 3: NIST SP 800-172 enhancements

Level 3 layers 24 selected NIST SP 800-172 enhanced security requirements on top of the full Level 2 baseline. The SP 800-172 enhancements are written for adversaries with advanced capabilities and persistence, and they assume the contractor is operating against a credible threat model rather than against generic compliance text. Themes include penetration-resistant architecture, damage-limiting operations, designed-in security, and cyber resiliency. Level 3 assessments are run by the DIBCAC and a single Level 3 finding can scope the contractor out of a programme, which makes the evidence discipline at Level 3 materially heavier than at Level 2.

DFARS clauses: how CMMC ends up in your contract

CMMC reaches contractors through DFARS clauses, not directly through the CMMC rule. Understanding the four clauses below is the difference between treating CMMC as an operational programme and treating it as a paperwork exercise.

The flowdown matters. A Level 2 prime with a Level 1 subcontractor is in scope at Level 2 for the prime portion of the work and has to ensure the subcontractor meets at least the contract-required level for any CUI or FCI passed down. The contract clauses, the asset inventory, and the data flow diagrams have to evidence the boundary at every supplier hop.

The DoD Assessment Methodology, SPRS scoring, and the POA&M window

The DoD Assessment Methodology is the scoring rubric that turns NIST SP 800-171 control implementation into a single number posted to the Supplier Performance Risk System (SPRS). It is the artefact most often cited in pre-award reviews and the artefact most often misunderstood. The mechanics are deliberate.

For severity calibration on findings discovered during scanning or assessment, the severity calibration research covers how to defend a CVSS-derived severity against an assessor or auditor. The vulnerability prioritisation framework covers how to triage what reaches the POA&M against what can be closed before the assessment window opens.

Penetration testing and vulnerability scanning under CMMC

CMMC does not mandate an annual penetration test in the same prescriptive way that PCI DSS does for the cardholder data environment, but several controls assume regular pentest evidence in practice. Risk Assessment family controls (3.11.2 and 3.11.3) require periodic vulnerability scanning and remediation. System and Information Integrity controls require flaw remediation in a timely manner. Configuration Management controls require periodic validation of the secure baseline. A defensible Level 2 programme runs vulnerability scanning on a defined cadence, supplements scanning with internal or external penetration testing for high-value boundaries, and retains the evidence linked to the asset and the control.

For the operational pentest workflow that supports a CMMC programme, the penetration testing workflow keeps scope, sampled assets, findings, and the retest evidence linked to the engagement record. For the wider scanning programme, the authenticated versus unauthenticated scanning guide covers when each mode is the right evidence for which control family.

Cloud, FedRAMP equivalence, and shared responsibility under CMMC

Cloud services that store, process, or transmit CUI in a CMMC environment have to meet FedRAMP equivalence under DFARS 252.204-7012, typically FedRAMP Moderate baseline or above. The shared responsibility split has to be documented in a Customer Responsibility Matrix (CRM) so the contractor knows which controls the cloud service provider satisfies, which the contractor satisfies, and which are shared. The CRM is part of the CMMC evidence pack; a missing or stale CRM is one of the most common findings during C3PAO assessments.

Evidence the C3PAO assessor (and the senior official) actually want

CMMC programmes that fail review usually fail because the evidence is scattered across drives, ticketing systems, and screenshots in personal folders. Build the evidence pack as the work happens, retain raw artefacts alongside the structured record, and tie every artefact back to the control, the asset, and the senior official affirmation. The C3PAO report reads the way the underlying evidence record reads.

Common CMMC pitfalls and how to avoid them

• Scoping by org chart instead of by data flow. CMMC scope follows where CUI lives, not which department owns the asset. Map the data flow first, then the assets, then the boundary.
• Missing the SPRS affirmation deadline. The senior official affirmation is the legal artefact, not the assessment report itself. Track the submission date and renewal cadence as a programme milestone, not an admin task.
• Treating MFA as a checkbox. NIST SP 800-171 3.5.3 requires multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. SMS-based MFA does not meet the replay-resistant requirement at higher levels.
• Cloud services without FedRAMP equivalence. Productivity, file-sharing, and email tools used to handle CUI must meet FedRAMP Moderate equivalence under 7012. Confirm authorisation status before relying on any SaaS in the CUI workflow.
• POA&M items past the 180-day window. CMMC 2.0 tightened the POA&M window. Items still open after 180 days can invalidate the certification. Track the closeout date as a contractual deadline.
• Subcontractor flowdown gaps. Primes are responsible for the flowdown of CMMC requirements to subcontractors handling FCI or CUI. A missing subcontractor affirmation can fail the prime's assessment.

Where SecPortal fits in the CMMC workflow

SecPortal is the operating layer for the CMMC programme: the workspace where scoping decisions, control implementation evidence, vulnerability scan output, findings, POA&M items, and the closure pack live as a structured workflow rather than as a long folder of screenshots and Word documents. SecPortal does not replace a C3PAO, it does not issue certifications, and it does not submit to SPRS on the contractor's behalf. It makes the underlying programme reproducible and auditable so the assessment is a refresh of an existing record rather than a rebuild.

For consultancies and MSSPs delivering CMMC readiness or assessment preparation work to multiple DoD contractors, the security consultants workspace and the MSSP workspace bundle the platform with branded client portals and AI-generated readiness reports so each contractor engagement runs as a structured client workspace rather than a shared Google Drive. For internal CMMC programme owners, the internal security teams workspace carries the same workflow without the multi-client overhead. For pentest firms whose practice is specifically concentrated on federal and defense industrial base clients, the SecPortal for government penetration testing firms page covers the FedRAMP, CMMC, NIST 800-171, and NIST 800-53 aligned operating model end-to-end.

For continuity between formal assessments, the continuous monitoring capability and attack surface management capability produce the cadence and coverage record that triennial CMMC programmes are expected to keep between certifications. For the broader compliance landscape that often runs alongside CMMC at the same group level, the NIST SP 800-53 framework page, FedRAMP framework page, and ISO 27001 framework page cover the surrounding regimes a CUI-handling organisation typically maintains.