Secure Controls Framework
GRC Fundamentals

Cybersecurity Maturity Model Certification (CMMC)

CMMC 2.0 establishes a tiered, third-party-verified cybersecurity certification requirement for defense contractors — codifying NIST SP 800-171 compliance into a structured, enforceable program for the entire Defense Industrial Base.

Common Controls Framework™ (CCF™)

The SCF is the Common Controls Framework™ (CCF™) — a Living Control Set (LCS) with 1,400+ controls across 33 domains, mapped to 200+ laws, regulations, and frameworks including CMMC 2.0 and NIST SP 800-171. Free under Creative Commons. Importable into GRC platforms via .csv or NIST OSCAL JSON.

Regulation Overview

Cybersecurity Maturity Model Certification (CMMC)

CMMC 2.0 is the DoD’s framework for verifying that defense contractors adequately protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Codified in Title 32, Part 170 of the Code of Federal Regulations, it replaces self-attestation with tiered, independently verified certification requirements.

Name: Cybersecurity Maturity Model Certification (CMMC)
Type: Regulatory (Regulation)
Codified In: Title 32, Part 170 — Code of Federal Regulations
Authoritative Source: DoD Chief Information Officer CMMC Program
Enforced By: Department of Defense (DoD); CMMC Accreditation Body (CMMC-AB)
Applies To: DoD contractors and subcontractors that process, store, or transmit FCI or CUI
Certification Available: Yes. Level 1: annual self-attestation; Level 2: third-party assessment by a certified C3PAO; Level 3: government-led assessment by DIBCAC.
TL;DR

CMMC 2.0 is the DoD’s mechanism to ensure defense contractors actually implement — and can prove — cybersecurity controls for protecting Controlled Unclassified Information. It ended the era of self-certification and introduced three maturity levels that tie directly to contract eligibility.

At Level 2, the largest population of impacted contractors must achieve third-party certification by a CMMC Third-Party Assessor Organization (C3PAO) — demonstrating full implementation of all 110 NIST SP 800-171 controls. Certification is required before award and must be maintained throughout contract performance.

The CMMC Center of Awesomeness (CMMC COA) was created to provide the DIB with free, high-quality resources for understanding and implementing CMMC. Its content has been merged into the SCF’s GRC Fundamentals library to expand its scope alongside Supply Chain Risk Management (SCRM) and broader GRC requirements.

GRC Overview

GRC-Focused Overview of CMMC

The Cybersecurity Maturity Model Certification (CMMC) program was developed by the DoD to address pervasive cybersecurity weaknesses across the Defense Industrial Base (DIB). Prior to CMMC, contractors self-certified compliance with DFARS cybersecurity requirements — a model that produced inconsistent security postures and systemic risk to national security information.

CMMC 2.0, codified in Title 32, Part 170, establishes a tiered certification model that directly links cybersecurity maturity to contract eligibility. It builds on NIST SP 800-171 requirements and introduces independent verification at higher levels. From a GRC perspective, CMMC is not merely a compliance program — it is an operational mandate requiring defensible documentation, technical rigor and third-party assurance.

This page provides a cybersecurity-focused summary of CMMC from a GRC practitioner’s perspective, including: the history and structure of the program; CMMC certification levels and their requirements; the CMMC Center of Awesomeness (COA) resources; practical compliance strategies and assessment preparation; and the role of high-quality documentation in certification readiness.

Origins & Purpose

CMMC — Origins and Purpose

CMMC emerged from years of escalating concern within the DoD about the theft of sensitive defense information from the supply chain. Adversaries systematically exploited cybersecurity gaps in the Defense Industrial Base, often targeting small and mid-sized subcontractors with limited security resources.

Key milestones in CMMC’s development include:

2015–2019: DFARS 252.204-7012 mandates NIST SP 800-171 implementation, but relies on contractor self-certification through SPRS. Audit data reveals widespread non-compliance and inflated SPRS scores;

2020: DoD releases CMMC 1.0, a five-level maturity model requiring third-party assessments for all contracts involving CUI;

2021: DoD initiates CMMC 2.0 revision, streamlining from five to three levels and removing certain unique CMMC practices not grounded in NIST SP 800-171; and

2024: CMMC 2.0 final rule published and codified in 32 CFR Part 170, with phased contract implementation beginning in 2025.

CMMC 2.0 preserves the core intent of its predecessor — independent verification of contractor cybersecurity posture — while reducing complexity and aligning more precisely with existing NIST standards.

Certification Levels

CMMC 2.0 Certification Levels

CMMC Level 1 — Foundational (Annual Self-Attestation)

Level 1 applies to contractors that handle Federal Contract Information (FCI) but not CUI. It requires implementation of 17 basic safeguarding requirements drawn from FAR 52.204-21. Annual self-attestation by a senior company official is required; no third-party assessment is required at Level 1; and it aligns with the foundational cybersecurity hygiene expected of all federal contractors.

CMMC Level 2 — Advanced (Third-Party Certification)

Level 2 is the most impactful tier for the DIB, applying to contractors that handle CUI on DoD programs. It requires full implementation of all 110 controls from NIST SP 800-171 Rev 2. Third-party assessment by a certified C3PAO is required for most Level 2 contracts; certification is valid for 3 years, with annual affirmations required; POA&Ms may be permitted for a limited number of controls under prescribed conditions; and self-attestation remains an option for a small subset of non-prioritized acquisitions.

CMMC Level 3 — Expert (Government-Led Assessment)

Level 3 applies to contractors supporting the DoD’s highest-priority programs with the most sensitive CUI. It builds on Level 2 by incorporating selected controls from NIST SP 800-172. Assessment is conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC); it represents the most rigorous cybersecurity standard in the CMMC program; and applies to a limited set of critical defense programs and contractors.

CMMC COA

CMMC Center of Awesomeness (CMMC COA)

The CMMC Center of Awesomeness (COA) was created to provide the Defense Industrial Base with free, practitioner-developed resources for understanding and implementing CMMC and NIST SP 800-171. Originally released in 2020 under a Creative Commons Attribution-NoDerivatives 4.0 license, the COA has been merged into the SCF’s GRC Fundamentals library to expand its scope alongside broader Supply Chain Risk Management (SCRM) and GRC requirements.

Creative Commons Licensing

COA materials are free to share, including copying and redistributing for any purpose, even commercially — provided appropriate credit is given and no modified versions are distributed. The licensor cannot revoke these freedoms as long as license terms are followed. There is no endorsement of any kind for products or services — it is entirely your responsibility to conduct appropriate due diligence in selecting and engaging any product or service.

Attribution Required

Appropriate credit must be given, with a link to the license and indication of any changes made.

NoDerivatives

If you remix, transform, or build upon the material, you may not distribute the modified version.

Commercial Use Allowed

Sharing and redistribution for commercial purposes is permitted under the CC BY-ND 4.0 license.

No Endorsement

Use of COA materials does not imply endorsement of any products or services. Due diligence is the user’s responsibility.

COA Resources

CMMC COA Awesomeness Spreadsheet & Resources

The CMMC COA Awesomeness Spreadsheet is a practitioner-developed, freely available resource for NIST SP 800-171 and CMMC 2.0 implementation. The latest version is available via the SCF shared Box drive and includes: CMMC COA Awesomeness Spreadsheet for NIST SP 800-171 R2 & CMMC 2.0; CMMC COA Awesomeness Spreadsheet for NIST SP 800-171 R3; NIST SP 800-171 R3 Kill Chain; CMMC Kill Chain (NIST SP 800-171 R2 & CMMC 2.0); Compliance Decision Making Process (CDMP); CMMC Assessment Preparation Guide; and numerous useful reference documents.

Awesomeness Spreadsheet — Key Features

Control to Assessment Objective (AO) visibility;

Crosswalk mapping to the SCF, NIST SP 800-53, NIST CSF 2.0, ISO 27002, and others;

RASCI matrix (shared responsibility matrix);

Roles & responsibilities based on the NIST NICE Cybersecurity Workforce Framework;

Cadence for control execution (e.g., daily, weekly, monthly); and

Evidence Request List (ERL) identifying reasonable evidence for each Assessment Objective.

Assessment Preparation

CMMC Assessment Preparation Guide

The CMMC Assessment Preparation Guide was developed to help contractors prepare for C3PAO and DIBCAC assessments. The goal of any CMMC assessment is a passing score — and unforced errors are the primary cause of failures. Most unforced errors occur because assessees cannot answer assessor questions in a concise and straightforward manner. The Assessment Preparation Guide provides guidance on the following:

Avoiding Unforced Errors

The most common CMMC assessment failures stem from documentation gaps, inconsistencies between stated and actual practices, and inability to produce evidence on demand. The guide walks through common failure modes and how to address them before the assessment begins.

Structuring Evidence

Each of the 110 NIST SP 800-171 controls (mapped to CMMC Level 2 practices) has associated Assessment Objectives (AOs). The guide helps organizations structure evidence packages that directly satisfy each AO — reducing ambiguity during assessor interviews and technical reviews.

Managing POA&Ms Effectively

A limited number of POA&Ms may be accepted at Level 2, but each must be realistic, resourced and time-bound. The guide covers how to develop defensible POA&Ms that satisfy DoD expectations and avoid triggering conditional certification denials.

Additional Resources

Other Very Useful CMMC & NIST SP 800-171 Resources

NIST SP 800-171 and CMMC are more focused on good IT practices than hardcore cybersecurity practices alone — evident when breaking down processes and practices by People, Processes, Technology, Data & Facilities (PPTDF). The following resources from the CMMC COA library are available on the SCF shared Box drive:

NIST SP 800-171 & CMMC Spider Charts

A free spreadsheet for generating spider charts showing control-level maturity comparisons between current and targeted states.

CUI / FCI Scoping Guide

Incorporates DoD Level 2 scoping guidance and gives examples of how to scope environments for CUI, CTI and other sensitive data using leading practices. Also available as the Unified Scoping Guide (USG).

Non-Federal Organization (NFO) Controls

Guidance on NFO controls and their impact on both NIST SP 800-171 and CMMC, including how they affect baseline requirements for contractor environments.

SCF Metaframework

The SCF maps CMMC, NIST SP 800-53, NIST SP 800-171 R2 & R3, NIST CSF, ISO 27002 and 200+ other standards into a single integrated control set.

Non-Applicable DFARS/FAR Clause MFR Template

For organizations legitimately out-of-scope for DFARS/FAR/CMMC, this Memorandum For Record (MFR) template documents non-applicability of contract clauses.

ITAR Reference Guide

A reference explaining what ITAR covers and what it may mean for how networks are architected, given the restrictions ITAR places on access by “foreign persons”.

CMMC Self-Assessment Tool

A tool based on NIST SP 800-171A and NIST SP 800-53A for evaluating CMMC 2.0 practices and processes. Included in the CMMC COA Awesomeness Spreadsheet download.

Goldilocks & The Three C3PAOs

A guide, available as a video on YouTube, to finding the right C3PAO for your CMMC assessment. It helps organizations understand C3PAO evaluation criteria and selection considerations.

CUI Training Resources

DoD CUI Program Training via dodcui.mil and US National Archives (NARA) Training Videos via archives.gov.

Compliance Methods

Common Methods to Achieve and Maintain CMMC Compliance

CMMC compliance is not achieved with a policy document or one-time assessment — it requires a sustained operational program rooted in NIST SP 800-171 and governed through active documentation and continuous monitoring.

Implement All NIST SP 800-171 Controls

For Level 2, contractors must fully implement all 110 controls from NIST SP 800-171. POA&Ms may exist for a limited number of controls under specific conditions, but must be realistic, resourced and time-bound. NIST SP 800-171 R3 awareness is encouraged as the program evolves.

Maintain a Current System Security Plan (SSP)

The SSP is the foundational document for CMMC compliance. It must describe how each of the 110 controls is implemented; map controls to responsible roles and evidence sources; reflect actual, operational practices (not future intentions); and be maintained as a living document updated when system changes occur.

Submit Accurate SPRS Scores

Contractors must calculate a Basic Assessment score using DoD’s scoring methodology and enter the score, date and system boundary into the SPRS portal. Inflated scores without supporting evidence present significant False Claims Act (FCA) liability. All supporting documentation must be retained for government review.

Engage a Certified C3PAO

For Level 2 contracts requiring third-party certification, contractors must engage a certified CMMC Third-Party Assessor Organization (C3PAO) via the CMMC-AB Marketplace. Pre-assessments are strongly recommended to validate readiness and resolve any POA&Ms prior to the formal assessment. Level 2 certification is valid for 3 years, with annual affirmations of compliance required.

Conduct Continuous Monitoring

CMMC is not a one-time certification. Contractors must maintain their security posture throughout the certification period — including monitoring for new threats, patching vulnerabilities, reviewing access controls, and updating documentation to reflect system changes. Annual affirmations confirm continued compliance between triennial assessments.

Documentation Value

Understanding The Value of Quality Cybersecurity Documentation in CMMC Success

Documentation is not a formality in CMMC compliance — it is the primary evidence used by C3PAOs and DIBCAC assessors to evaluate security posture and certification eligibility. Failure to produce documentation upon request is treated as failure to implement the control.

Key Documents Include

System Security Plan (SSP): Master control document detailing implementation and responsibilities for all 110 NIST SP 800-171 controls;

Plan of Action and Milestones (POA&M): Active remediation tracker with realistic timelines and resource assignments;

Security Assessment Reports (SAR): Results of internal or external control reviews prior to C3PAO engagement;

Incident Response Plan and Logs: Evidence of incident response capabilities and actual triage, containment and reporting;

Access Control Logs and User Access Reviews: Proof of access enforcement, user termination procedures and periodic review;

Configuration and Patch Management Records: Documentation of baseline configurations and patch cadence;

Training and Awareness Records: Evidence that personnel have completed required security awareness training; and

Third-Party Audit Reports or C3PAO Assessment Records: Formal evidence of certification status and any conditions.

Download the SCF — Free

The SCF is the Common Controls Framework™ — 1,400+ controls mapped to CMMC 2.0, NIST SP 800-171, and 200+ other laws and frameworks. Free under Creative Commons. No registration required.