CMMC 2.0: what it is, who needs it, and how MSPs can help clients comply

The Cybersecurity Maturity Model Certification (CMMC) is the US Department of Defense’s framework for ensuring that the defense industrial base, the contractors and subcontractors that make up the DoD supply chain, maintains adequate cybersecurity to protect sensitive defense information.

According to the 2026 Kaseya State of the MSP Report, 71% of MSPs reported year-over-year growth in cybersecurity revenue. CMMC compliance is rapidly becoming the gateway to the defense contracting market, and with the DoD estimating 350,000 suppliers in the defense industrial base, the addressable market for MSPs offering CMMC readiness services is significant.

Phase 1 enforcement began November 10, 2025. Phase 2, which makes C3PAO certification mandatory for applicable Level 2 contracts, begins November 10, 2026. An offeror must hold the CMMC status the solicitation requires, recorded in SPRS, at the time of award; an organization that is not certified when a Phase 2 solicitation appears cannot compete for that award. Preparation typically takes 9 to 12 months. The window for clients who still need to act is now.

This guide covers what CMMC 2.0 requires, who it applies to, and what MSPs need to understand to help clients, and themselves, achieve and maintain compliance.

What CMMC is and why it exists

CMMC was created to address a specific problem: sensitive defense information, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), was being handled by DoD contractors with inadequate cybersecurity controls. The existing requirement (DFARS 252.204-7012, which required compliance with NIST SP 800-171) relied on self-attestation. Contractors attested compliance, often inaccurately, and sensitive information remained at risk.

CMMC changes the model from self-attestation to verified compliance. Depending on the sensitivity of the information they handle and the CMMC level the contract requires, contractors either self-assess and affirm (Level 1 and Level 2 contracts designated for self-assessment), are assessed by a Certified Third-Party Assessor Organization (C3PAO) (the remaining Level 2 contracts), or are assessed by government assessors (Level 3).

The final rule was codified in 32 CFR Part 170 and took effect December 16, 2024. The acquisition rule that incorporates CMMC into DoD contracts through DFARS became effective November 10, 2025.

CMMC 2.0: what changed from 1.0

CMMC 1.0, announced in 2020, had five maturity levels and introduced significant complexity. Following industry feedback, the DoD released CMMC 2.0 in 2021, which simplified the framework in four meaningful ways.

Three levels instead of five. CMMC 2.0 consolidates to three levels aligned with the actual risk tiers in the defense supply chain: Foundational, Advanced, and Expert.

NIST SP 800-171 alignment at Level 2. Level 2 aligns exactly with the 110 practices in NIST SP 800-171, the standard most defense contractors were already working toward. This reduces duplication and makes compliance more achievable for organizations with existing NIST programs.

Self-attestation permitted for some Level 2 contracts. Prioritized acquisitions (contracts involving the most sensitive CUI) require third-party C3PAO assessment; the final rule calls this Level 2 (C3PAO). Non-prioritized acquisitions may permit self-assessment, called Level 2 (Self) in the final rule, during the phased rollout. In both cases the assessment is repeated every three years and a senior official affirms continued compliance annually. Level 1 is always self-assessment, repeated annually.

Plans of Action and Milestones (POA&Ms) permitted. The 2.0 framework allows POA&Ms for limited, time-bound remediation of identified gaps, providing a path to contract eligibility while working toward full compliance. The allowance is narrow: at Level 2 the assessment score must be at least 88 of 110, the highest-weighted requirements cannot be deferred (with limited exceptions), and open items must be closed and verified within 180 days or the conditional status lapses.

The three CMMC levels

Level 1, Foundational (15 practices). Applies to organizations handling Federal Contract Information (FCI) but not CUI. Requires implementation of the 15 basic cyber hygiene practices from FAR clause 52.204-21. Annual self-assessment, affirmed by a senior company official, with results submitted in the Supplier Performance Risk System (SPRS). No third-party assessment required. No POA&Ms permitted at this level; all 15 requirements must be met in full.

Note: earlier CMMC materials referenced 17 Level 1 practices. The final 32 CFR Part 170 rule, effective December 2024, consolidated three Physical Protection requirements into one, bringing the official count to 15.

Level 2, Advanced (110 practices). Applies to organizations handling Controlled Unclassified Information (CUI). Requires full implementation of NIST SP 800-171 Rev 2. Prioritized acquisitions require a C3PAO assessment every three years, with an annual affirmation in between. Non-prioritized acquisitions may permit a triennial self-assessment with the same annual affirmation. Level 2 is the level that most defense contractors pursuing continued DoD contract eligibility need to achieve.

Level 3, Expert (134 practices). Applies to organizations handling the most sensitive CUI on critical programs. Requires full NIST SP 800-171 plus 24 selected NIST SP 800-172 practices, and a Level 2 C3PAO certification is a prerequisite. Assessment is performed by government assessors from the DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by a C3PAO. Applies to a small subset of highly sensitive programs.

Who needs CMMC compliance?

CMMC applies to any organization, prime contractor or subcontractor, that handles FCI or CUI as part of DoD contracts. The scope is broader than many organizations initially realize.

Direct DoD contractors. Companies with prime contracts with the DoD. Most will need Level 1 or Level 2 depending on whether they handle CUI.

Subcontractors. Any organization in the supply chain that handles FCI or CUI. Flow-down is mandatory: prime contractors must ensure their subcontractors meet the CMMC level required by the contract. A small engineering firm that is a second-tier subcontractor on a defense program may handle CUI and be subject to Level 2.

Managed Service Providers. If an MSP handles, stores, or transmits CUI on behalf of a defense contractor client, or if the MSP’s systems process CUI as part of service delivery, the MSP is part of the CUI boundary. The final rule treats such an MSP as an External Service Provider (ESP): the systems, tools, and personnel it uses to touch the client’s CUI fall inside the client’s assessment scope and are assessed with it, unless the MSP holds its own CMMC status for that environment; a cloud service that stores or processes CUI must additionally meet FedRAMP Moderate or equivalent. Either way the MSP’s environment has to satisfy the Level 2 controls. This is the most commonly overlooked implication for MSPs.

The flow-down obligation is the element most frequently missed. An MSP that has never reviewed whether its service delivery creates a CUI handling obligation is operating with an undiscovered liability, and so are the prime contractors whose compliance depends on it.

What CMMC Level 2 actually requires

Level 2’s 110 practices across 14 domains (the 14 requirement families of NIST SP 800-171 Rev 2) represent a comprehensive security program. The domains that are most operationally demanding for SMBs and defense contractors starting from a low baseline are:

Access Control (AC), 22 practices. Principle of least privilege, controlled access based on need-to-know, session lock and termination controls, remote access restrictions, and controlled use of mobile devices. MFA itself sits in the Identification and Authentication family (IA, 3.5.3, required for privileged and network access), but it is the control most AC practices depend on in practice.

Configuration Management (CM), 9 practices. Documented baseline configurations, monitoring for and alerting on configuration changes, restriction of unauthorized software installation.

Incident Response (IR), 3 practices. Documented and tested incident response plan, capability to detect, contain, and recover from incidents, and tracking and reporting of incidents to designated internal and external authorities. The 72-hour cyber incident reporting obligation to the DoD comes from DFARS 252.204-7012 and applies alongside these practices.

Risk Assessment (RA), 3 practices. Periodic risk assessments of operations and assets that handle CUI, regular vulnerability scanning of systems and applications, and remediation of the vulnerabilities found in accordance with the assessed risk.

System and Communications Protection (SC), 16 practices. Network segmentation isolating CUI from non-CUI systems, encryption of CUI in transit and at rest, managed interfaces and boundary protections.

System and Information Integrity (SI), 7 practices. Malware protection with regular updates, security alert monitoring, patch management for operating systems and applications, and system monitoring for anomalous behavior.

The scope of Level 2 makes it a substantial undertaking for organizations starting from a low baseline. A gap assessment against NIST SP 800-171 is the starting point, identifying which of the 110 practices are already implemented, which are partially implemented, and which are not addressed. On average, a defense contractor requires 9 to 12 months to become assessment-ready from the point a formal gap assessment begins.

MSPs and CMMC: the supply chain complication

MSPs occupy a complex position in the CMMC ecosystem. If an MSP accesses, processes, or stores CUI as part of service delivery to a defense contractor, the MSP may need to meet Level 2 requirements for its own environment. The practical test is whether the MSP’s systems and personnel come into contact with CUI in the course of delivering managed services.

A concrete example: an MSP that provides remote monitoring and management for a defense contractor, with RMM agents deployed on endpoints that process CUI, has systems that are arguably within the CUI boundary. The MSP needs to determine whether this creates a CMMC obligation for its own environment.

Prime contractors are increasingly including CMMC flow-down clauses in MSP service agreements. Ignorance of the scope is not a defense, and a false attestation carries legal exposure under the False Claims Act.

MSPs that achieve CMMC compliance for their own environments gain a meaningful competitive advantage: they become the preferred IT partner for defense contractors who need to demonstrate that their MSP supply chain does not create compliance gaps. CMMC-ready MSPs can access a market segment that non-compliant MSPs cannot serve, and can price accordingly.

Achieving CMMC compliance: a practical approach

Step 1: Scope the CUI environment. Identify all systems, personnel, and processes that handle CUI. The CUI boundary defines what must be brought into compliance. Minimizing the scope by isolating CUI handling to a defined enclave reduces the compliance burden significantly.

Step 2: Conduct a gap assessment. Assess current implementation against the 110 NIST SP 800-171 practices, scoring it the way the DoD Assessment Methodology does (110 points, with 1, 3, or 5 points deducted per unmet requirement) so the result can be posted to SPRS. A System Security Plan (SSP) documents the current compliance state and is a required artifact for Level 2 certification; an assessment cannot proceed without one. A Plan of Action and Milestones (POA&M) documents identified gaps and remediation timelines, and is required whenever gaps remain, within the limits described above.

Step 3: Remediate gaps. Address the most critical gaps first, particularly those in Access Control, Incident Response, and System and Information Integrity, which address the highest-probability attack vectors, and any 5-point requirement, since those cannot be deferred to a POA&M. Automated tools address large numbers of controls simultaneously: patch management covers SI requirements, MFA deployment covers IA and AC requirements, EDR covers SI malware and monitoring requirements, and SIEM covers audit logging requirements across multiple domains. A tool only counts as evidence for a control when it is deployed to every in-scope asset and configured to the control’s specific requirement, so tie each tool to the control IDs it satisfies in the SSP.

Step 4: Select assessment path. Determine whether Level 2 self-attestation is permitted for the specific contract or whether a C3PAO assessment is required. From November 10, 2026, C3PAO certification becomes mandatory for applicable Level 2 solicitations. Prepare evidence of compliance: the SSP, the POA&M, and technical evidence from security tools demonstrating control implementation.

Step 5: Maintain compliance. CMMC is not a one-time certification. Annual self-attestations or triennial C3PAO assessments require ongoing compliance maintenance: continuous monitoring, patch management, incident response plan testing, and evidence generation between assessments.
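The gap-assessment and remediation steps above (and the Level 2 domain list earlier) are easier to reason about with numbers attached. The following script is an added example, not part of this page or of any Kaseya product: it scores a constructed NIST SP 800-171 Rev 2 control inventory the way the DoD Assessment Methodology does (start at 110, deduct 1, 3, or 5 points per unmet requirement, partial credit only for MFA and FIPS encryption), lists which open gaps block a Level 2 POA&M, and generates the POA&M rows with the 180-day closeout date. The control IDs, statuses, and assessment date are constructed; the per-control weights are sample values from memory and must be checked against the official DoD methodology table before use. Controls not listed in the inventory are treated as implemented, which is a simplification for the example.

```python
"""Gap-assessment helper for a NIST SP 800-171 Rev 2 inventory (added example).

Scores the inventory like the DoD Assessment Methodology (110 max, 1/3/5-point
deductions), flags gaps that cannot be deferred to a CMMC Level 2 POA&M, and
emits POA&M rows with the 180-day closeout date.  Inventory, statuses, dates and
weights below are constructed for illustration; verify weights against the
official methodology table.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta

MAX_SCORE = 110
POAM_MIN_SCORE = 88            # 0.8 x 110: minimum score for conditional Level 2 status
POAM_CLOSEOUT_DAYS = 180       # open items must be closed and verified within 180 days
# Only two requirements earn partial credit under the methodology.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
# POA&M items normally may not be worth more than 1 point; 3.13.11 may sit on a
# POA&M at 3 points.  The rule also names a few specific requirements that can
# never be deferred (e.g. all Level 1 requirements); those are not modelled here.
POAM_MAX_OPEN_POINTS = {"3.13.11": 3}
DEFAULT_MAX_OPEN_POINTS = 1


@dataclass(frozen=True)
class Control:
    id: str
    family: str
    weight: int      # 1, 3 or 5 (sample values, see module docstring)
    status: str      # "implemented" | "partial" | "not_implemented"
    summary: str


# Constructed inventory: a slice of a real assessment, not a full 110-row SSP.
INVENTORY = [
    Control("3.1.1", "AC", 5, "implemented", "Limit system access to authorized users"),
    Control("3.1.5", "AC", 3, "not_implemented", "Least privilege for accounts and processes"),
    Control("3.1.10", "AC", 1, "not_implemented", "Session lock after inactivity"),
    Control("3.4.1", "CM", 5, "implemented", "Baseline configurations and inventories"),
    Control("3.4.8", "CM", 5, "not_implemented", "Deny-by-exception software policy"),
    Control("3.5.3", "IA", 5, "partial", "MFA for privileged and network access"),
    Control("3.6.1", "IR", 5, "implemented", "Incident-handling capability"),
    Control("3.11.2", "RA", 5, "not_implemented", "Periodic vulnerability scanning"),
    Control("3.13.11", "SC", 5, "partial", "FIPS-validated cryptography for CUI"),
    Control("3.14.2", "SI", 5, "implemented", "Malicious code protection"),
]
SAMPLE_ASSESSMENT_DATE = date(2026, 3, 2)   # constructed


def deduction(c: Control) -> int:
    """Points lost for one control.  'partial' only earns credit for 3.5.3 / 3.13.11;
    a partial implementation anywhere else scores as NOT implemented."""
    if c.status == "implemented":
        return 0
    if c.status == "partial" and c.id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[c.id]
    return c.weight


def sprs_score(inventory) -> int:
    """SPRS-style score; controls absent from the inventory count as implemented."""
    return MAX_SCORE - sum(deduction(c) for c in inventory)


def open_gaps(inventory):
    return [c for c in inventory if deduction(c) > 0]


def poam_blockers(inventory):
    """Gaps that must be fixed BEFORE the assessment: they cannot sit on a POA&M."""
    return [c for c in open_gaps(inventory)
            if deduction(c) > POAM_MAX_OPEN_POINTS.get(c.id, DEFAULT_MAX_OPEN_POINTS)]


def poam_eligible(inventory) -> bool:
    """Simplified conditional-status test: score threshold and no blocking gaps."""
    return sprs_score(inventory) >= POAM_MIN_SCORE and not poam_blockers(inventory)


def poam_rows(inventory, assessment_date: date):
    """POA&M entries for the deferrable gaps, highest points first, with the
    closeout date a conditional certification would impose."""
    due = (assessment_date + timedelta(days=POAM_CLOSEOUT_DAYS)).isoformat()
    blockers = set(c.id for c in poam_blockers(inventory))
    deferrable = [c for c in open_gaps(inventory) if c.id not in blockers]
    deferrable.sort(key=lambda c: (-deduction(c), c.id))
    return [{"id": c.id, "family": c.family, "points": deduction(c),
             "summary": c.summary, "due": due} for c in deferrable]


def after_remediating(inventory, control_ids):
    """Re-score the inventory as if the given controls were fully implemented."""
    ids = set(control_ids)
    return [replace(c, status="implemented") if c.id in ids else c for c in inventory]


if __name__ == "__main__":
    print("Score:", sprs_score(INVENTORY), "/", MAX_SCORE)
    print("POA&M eligible:", poam_eligible(INVENTORY))
    for c in poam_blockers(INVENTORY):
        print(f"  fix before assessment: {c.id} ({deduction(c)} pts) {c.summary}")
    fixed = after_remediating(INVENTORY, [c.id for c in poam_blockers(INVENTORY)])
    print("Score after fixing blockers:", sprs_score(fixed), "eligible:", poam_eligible(fixed))
    for row in poam_rows(fixed, SAMPLE_ASSESSMENT_DATE):
        print("  POA&M:", row)
```

Running it on the constructed inventory gives a score of 90, which clears the 88 threshold, yet the organization is still not POA&M-eligible because four open requirements are worth more than 1 point; closing those four raises the score to 106 and leaves only the session-lock and FIPS gaps as deferrable rows. That ordering, blockers first and score second, is the prioritization Step 3 describes.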

How Compliance Manager GRC supports CMMC

Compliance Manager GRC provides a structured path to CMMC readiness that addresses both the assessment burden and the ongoing evidence requirements.

The platform includes a dedicated CMMC Level 2 assessment template aligned to the 110 NIST SP 800-171 Rev 2 requirements, including the DoD risk scorecard. The SSP and POA&M, both required certification artifacts, are generated and tracked within the platform. As gaps are remediated, evidence is recorded against each control.

Direct integration with VSA and Datto RMM pulls technical evidence from patch compliance, endpoint health, and configuration data directly into the Compliance Manager GRC record, reducing the manual effort of documenting control implementation. Datto EDR provides evidence for malware protection and system monitoring controls. IT Glue integration automatically pushes completed compliance reports to each client’s documentation, keeping audit-ready evidence current between assessments.

For MSPs positioning CMMC readiness as a service offering, Compliance Manager GRC’s multi-client architecture allows management of assessments across multiple defense contractor clients from a single console.


Key Takeaways

  • CMMC 2.0 is a contractual requirement, not a voluntary framework. Phase 1 enforcement began November 10, 2025. Phase 2, making C3PAO certification mandatory for applicable Level 2 contracts, begins November 10, 2026. Organizations that are not certified when a Phase 2 solicitation appears cannot compete for that award.
  • Level 2 (the most common requirement) aligns with NIST SP 800-171’s 110 practices across 14 domains. A gap assessment followed by 9 to 12 months of remediation is the typical path to assessment readiness.
  • MSPs serving defense contractors may themselves be subject to CMMC if their service delivery creates a CUI handling obligation. Scoping this accurately, and achieving compliance, creates a competitive advantage in a market segment that non-compliant MSPs cannot access.
  • Compliance is ongoing. Annual self-attestations or triennial C3PAO assessments require continuous patch management, monitoring, incident response testing, and evidence generation between formal assessments.
