
CMMC Compliance Is Harder Than You Think: 6 Major Takeaways from the June IQT GPA Webinar
With CMMC 2.0 requirements expected to be phased into contracts later this year, contractors, subcontractors and service providers across the Defense Industrial Base (DIB) must start preparing now.
Your next contract could require certification, and the level you need (1, 2, or 3) will dictate how much effort, assessment, and preparation is involved.
Earlier this month, Barry Leffew of the IQT Government Platform Accelerator hosted a webinar with Marc Rubbinaccio, Head of Cybersecurity and Compliance at Secureframe, to demystify the CMMC process so organizations can start preparing for certification before it becomes a contract requirement. As a compliance expert and former auditor who has helped hundreds of organizations through compliance and is currently leading Secureframe’s own CMMC journey, Marc offered valuable insight into the challenges, misconceptions, and lessons learned around this framework.
Here are six expert takeaways from the discussion.
1. CMMC isn’t like other frameworks—it’s significantly more demanding
Many companies underestimate what it takes to become CMMC compliant because they compare it to frameworks they’ve already achieved, like SOC 2 or ISO 27001. According to Marc, that’s a mistake.
“Coming from an organization that has gone through SOC 2 and ISO 27001 certification and, as an auditor who has performed hundreds if not a thousand PCI audits in my past, I can say that CMMC is on another level,” he said.
That complexity shows up in nearly every stage of the process—from scoping your environment to implementing the controls and assessment objectives to maintaining extensive documentation like a system security plan (SSP) that can stretch to 200 pages.
Marc’s advice is to treat CMMC like a new initiative, not an extension of your existing compliance program.
“You need to be prepared to allocate budget, personnel, and time, and possibly even make infrastructure changes to meet the requirements.”
2. CMMC requirements will start appearing in contracts sooner than you think
Although the final CMMC 2.0 rule was published in December 2024, no current contracts require certification yet. But that’s about to change. The final acquisition rule (48 CFR) is expected to be finalized by the end of 2025, which will trigger phased implementation.
- In Phase 1, new contracts will begin requiring self-assessments for Level 1 and low-risk Level 2 contractors.
- One year after Phase 1, Phase 2 will require third-party Level 2 assessments for new contracts.
- Phase 3 will start one year after that, requiring third-party assessments on contract options and renewals, with Level 3 assessments beginning for certain programs.
- Finally, Phase 4 is the full rollout. One year after Phase 3, CMMC requirements will appear in all DoD contracts.
That timeline may seem generous, but the gap between recognizing the need for compliance and being ready for an assessment is often longer than expected.
“If you start too late, it’s going to take you months—if not years—to get ready, and that could push you past the deadline when you actually need to be compliant,” Marc said. “So if you're thinking about CMMC compliance, I’d recommend getting started today.”
3. If CMMC isn’t a contract requirement, getting compliant could still be the smart choice
For prime contractors and subcontractors that handle FCI or CUI, CMMC certification will be a requirement in their contracts. But even if CMMC isn’t a contract requirement, some organizations may be better off getting certified.
Marc explained that some companies fall into scope for CMMC assessments not because they hold a DoD contract or subcontract, but because their infrastructure or services are part of a contractor’s assessment boundary.
For example, if an organization seeking assessment (OSA) uses a security operations center (SOC) that ingests event data to respond to incidents, that service falls within the OSA’s boundary. The SOC is then required to maintain a customer responsibility matrix (CRM) that makes clear which NIST 800-171 Revision 2 requirements it is responsible for, and to provide evidence showing that the requirements it owns are in place. This would be the case for every one of its customers going through a CMMC assessment.
“This is why it might be helpful for that SOC to perform their own CMMC assessment so that they don't need to go through this full [process and evidence gathering] anytime their customers need CMMC,” Marc explained.
Another example is a cloud service provider (CSP) that stores, processes, or transmits CUI or provides a security function. In that case, the CSP is responsible for those applicable CMMC requirements and needs to be FedRAMP Moderate authorized or maintain FedRAMP equivalency. If they are not, they would need to provide evidence showing that they're meeting the NIST 800-171 controls that they are responsible for. Again, this would be true for every one of their customers seeking CMMC certification.
“Getting CMMC compliant would help alleviate that effort in participating in all of their customers' CMMC audits,” Marc said.
4. Your compliance level depends on what data you handle
While your CMMC level and obligations may be spelled out in your contract if you’re a direct contractor or subcontractor, other organizations will have to do more digging. So how can you determine your certification level if it’s not in your contract?
“It primarily depends on the type of data that you're handling,” Marc explained.
There are three certification levels:
- Level 1 applies to organizations that handle only Federal Contract Information (FCI) and requires self-assessment against 17 practices based on FAR 52.204-21.
- Level 2 applies to contractors and subcontractors that store, process, or transmit CUI and requires full implementation of all 110 NIST 800-171 controls—usually validated by a third-party assessment.
- Level 3 applies to contractors supporting the DoD’s most sensitive programs and technologies. It requires compliance with a subset of controls from NIST 800-172 and a government-led audit.
5. Preparing for a CMMC assessment involves six key steps
The final CMMC 2.0 rule is only about six months old and fairly complex, so a lot of organizations are beginning their CMMC journey today.
If you’re ready to start your journey, Marc recommends these steps to CMMC Level 2 readiness:
- Understanding your CMMC requirements: Understanding your CMMC assessment scope and which requirements apply to you is both essential and difficult. Getting it wrong could result in scope creep or gaps in coverage. “Without a tool like Secureframe and without a CMMC expert in-house, it’s important to read and understand the CMMC scoping and assessment guides, which will explain how to determine scope and what an assessor would be looking for, evidence-wise, for those 800-171 controls,” Marc said. He also recommended reading and understanding NIST 800-171 and the CMMC Final Rule when preparing.
- Implementing the controls: Next up would be actually implementing those 110 controls and all 320 assessment objectives from NIST 800-171. “Understanding what needs to be implemented in the context of your environment for each objective is one of the most difficult parts of CMMC. Although the framework is quite prescriptive, the control language can be difficult to understand and apply correctly. This is where assessor guidance and using a platform like Secureframe can be helpful,” Marc said.
- Documenting your control implementation: The third step is building your SSP, which includes all of your organizational information, system descriptions, diagrams, and implementation statements for each assessment objective. “Our own SSP was 150 pages and our assessment boundary is relatively small compared to other organizations in the DIB,” he said. For some contractors, it could be double that.
- Inventorying your in-scope vendors, assets, and data flows: At this point, identify all the vendors and assets that are in scope—i.e., those that store, process, or transmit CUI or perform security functions—and ensure vendors are meeting the proper CMMC requirements as part of your supply chain. You’ll also need to document all CUI and Security Protection Data (SPD) flows in a data diagram.
- Performing a gap assessment: After all the controls are implemented, and vendors, assets, and data are inventoried and understood, you’re ready to perform a gap assessment. During this assessment, you’ll evaluate all implemented controls to determine where there needs to be improvement in order to fully meet each one. Ideally, this will be performed by someone other than the person who implemented the controls. This could be a consultant or internal expert. “It’s best when the person performing the gap assessment understands GRC or CMMC and can look at the controls with a fresh perspective,” Marc said.
- Choosing a C3PAO: Not all auditors are alike so look for a C3PAO with a strong team of Certified CMMC Assessors (CCAs), customer references, cost transparency, and an audit schedule that is aligned with yours. Marc recommended having a conversation with a potential auditor to understand their communication style and assessment process. “You want to make sure they have a firm grasp on their own process and can clearly explain how they plan to handle evidence and sensitive data—ideally in a FedRAMP Moderate authorized environment, a GovCloud, or an environment you own,” he said.
6. Seize CMMC compliance as a strategic opportunity
While many organizations view CMMC compliance as a burden, Marc encourages organizations to seize it as an opportunity.
“Getting CMMC compliant is going to open so many doors if you’re planning to work directly with the DoD or their contractors,” he explained.
That opportunity isn’t limited to prime contractors. If your customers, partners, or even your prospects are working with the DoD, there’s a good chance CMMC will affect your organization, either directly or through flow-down requirements. For service providers like MSSPs, cloud platforms, and SOCs, CMMC certification can become a competitive differentiator over non-compliant competitors and help remove friction during procurement cycles.
His advice for organizations like these: “Don’t wait. Start reading the scoping guidance and control documentation, build your system security plan, and start inventorying your assets and data flows. Whether you’re preparing now or in a year, those foundational steps are the same. Doing them early can save you a lot of time and money.”
Preparing for CMMC now can help improve national security
CMMC is no longer a distant requirement. With the final rule published and contract requirements expected to phase in as early as Q4, the Defense Industrial Base is entering a new era of enforceable cybersecurity expectations.
But CMMC compliance goes beyond winning defense contracts or avoiding legal risk. CMMC exists because adversaries have repeatedly exploited weaknesses across the DIB to exfiltrate sensitive technical data, undermining not just individual companies, but U.S. national security. Compliance isn’t about checking a box. It’s about hardening the supply chain, defending critical programs, and showing that your organization takes its role in national defense seriously.
The sooner organizations get started, the better.