DoD · 32 CFR Part 170 · CCP-led practice

Contract eligibility, defended.

Most contractors think CMMC is about passing an assessment. The assessment is the event; the affirmation is the liability. Every year a senior official signs that the controls still operate, under False Claims Act exposure. The controls matter because the signature matters. CMMC Level 1 & Level 2: the DoD’s 2024 final rule (32 CFR Part 170, effective December 16, 2024) under DFARS 252.204-7021. Level 1 is annual self-assessment against the 17 FAR safeguards for FCI; Level 2 is triennial third-party assessment against all 110 NIST 800-171 controls for CUI; Level 3 adds NIST 800-172 enhanced controls assessed by DIBCAC.

Our stance: Don’t self-attest Level 2. Affirmation under FCA exposure means a Certified CMMC Professional reads every artifact before it’s submitted.

§ 0 · Why it matters

CMMC isn't a checkbox. It's contract eligibility.

  • Contract eligibility. No qualifying CMMC assessment on record means no DoD award, and no keeping the contracts you already hold.
  • Mandatory, not optional. 32 CFR Part 170 makes CMMC a condition of doing business across the defense industrial base.
  • The affirmation carries liability. A senior official signs annually, and a false affirmation is False Claims Act exposure that reaches the signer.
  • The level sets the lift. Level 1 is 17 FCI safeguards; Level 2 is all 110 NIST SP 800-171 controls, assessed by a C3PAO.
  • Your score is visible. The SPRS score is posted where the DoD and your primes can see it before they award.

Context

CMMC is not a certificate you frame on the wall. It is the gate that decides whether you can win or keep a DoD contract. No qualifying assessment on record, no award. For Level 2, that means a C3PAO assessment against all 110 NIST SP 800-171 controls, a score posted to SPRS, and an annual affirmation a senior official signs personally. That signature is the real exposure. Under the False Claims Act, an affirmation the program cannot actually back is a liability that reaches the person who signed and the company that bid. The work is not passing once. It is being able to prove, every year, that the program is real.

Eligibility architecture

CMMC is eligibility, not paperwork. One assessed program; every safeguard defensible.

  • Level 1: FCI
  • Level 2: CUI
  • Level 3: enhanced
  • System Security Plan
  • C3PAO assessment
  • Annual affirmation
  • SPRS score
  • FCA exposure

CMMC holds when the program is assessed and defensible, not assembled the quarter before a bid.

Controlled unclassified information, defended.

§ I · The rule

What CMMC actually is, in plain English.

The one-line version

A verification regime that proves you actually run the safeguards you've claimed since 2017 — self-assessed, C3PAO-assessed, or DoD-assessed, then posted to SPRS with a senior-official affirmation.

  • 32 CFR Part 170 · 2024 final rule
  • Three levels · FCI → CUI → enhanced
  • Self / C3PAO / DoD · by data & contract
  • SPRS score · numerical, posted
  • Annual affirmation · senior-official signed

The three levels, in detail

CMMC is the DoD's program for verifying that defense-industrial-base contractors have actually implemented the safeguards they have, on paper, claimed to implement since the 2017 DFARS clause. The 2024 final rule (32 CFR Part 170) put a verification regime behind the requirement: depending on the type of information you handle and the contract you're bidding, you will either self-assess, get assessed by an authorized third-party (C3PAO), or be assessed by DoD's own DIBCAC. The result posts to the Supplier Performance Risk System as a numerical score and a senior-official affirmation.

The model has three levels. Level 1 covers Federal Contract Information (FCI) and maps to 17 basic safeguards from FAR 52.204-21: annual self-assessment, annual affirmation. Level 2 covers Controlled Unclassified Information (CUI) and maps to all 110 controls of NIST SP 800-171 r2, with a triennial third-party assessment for most CUI contracts and an annual affirmation between assessments. Level 3 adds a subset of NIST SP 800-172 enhanced controls and is assessed by DoD directly. Phased contractual enforcement began with rule effectiveness on December 16, 2024 and ramps through 2028.

Contract eligibility journey
Gate 1 of 5

You want DoD work.

The opportunity is real, but access is gated. Interest alone does not make you eligible to win or keep the contract.

The controls are not the destination. Eligibility is.

Interest → 01 FCI → 02 CUI → 03 Assessment → 04 Eligible

§ II · FCI vs CUI scope

Which level applies to you?

Two information categories drive almost everything. Most contractors over-scope CUI on first read; under-scope FCI on second.


CMMC level scoping check

1. Do any of your DoD contracts include FAR 52.204-21? (Almost all do.)
2. Do any contracts flow down DFARS 252.204-7012 (CUI handling)?
3. Are you bidding on programs with critical-program information or APT-relevant CUI?

§ III · The three levels

The three CMMC maturity levels.

CMMC 2.0 collapsed the original five-level model to three. The middle level, Level 2, is where the bulk of the DIB sits and where the actual third-party assessment regime lives.

Level 1 · Annual self-assessment · Foundational: FCI safeguards

Level 1 is the floor for any DoD contractor handling FCI. Annual self-assessment against the 17 safeguards in FAR 52.204-21. No third-party required. Senior official affirmation in SPRS. The lift is real but bounded. Most well-run small businesses are 70%+ there already.

The 6 Level 1 control families
  • AC.L1 · Access control · 4 practices: limit system access to authorized users; transactions / functions; external connections; public information.
  • IA.L1 · Identification & authentication · 2 practices: identify users / processes / devices; authenticate identities before granting access.
  • MP.L1 · Media protection · 1 practice: sanitize or destroy media before disposal.
  • PE.L1 · Physical protection · 4 practices: limit physical access; escort visitors; maintain logs; control devices.
  • SC.L1 · System & communications protection · 2 practices: monitor / control / protect communications at boundaries; implement subnetworks for public components.
  • SI.L1 · System & information integrity · 4 practices: identify / report flaws; protect against malicious code; update protections; monitor for threats.

Level 2 · Triennial C3PAO assessment · Advanced: 110 NIST 800-171 controls

Level 2 is the meaningful one. Most DoD contracts with CUI flow-down land here. Triennial assessment by an authorized C3PAO; annual affirmation in years 2 and 3. The 110 controls span 14 families covering access, audit, awareness, configuration, identification, incident response, maintenance, media, personnel, physical, risk, security assessment, system & comms, system & integrity.

Six of the 14 Level 2 control families
  • 3.1 AC · Access control · 22 controls: account management, separation of duties, least privilege, remote & wireless access, session lock.
  • 3.3 AU · Audit & accountability · 9 controls: logging events, retention, review, time stamps, protection of audit information.
  • 3.4 CM · Configuration management · 9 controls: baselines, change control, least functionality, software inventory, user-installed software.
  • 3.13 SC · System & communications protection · 16 controls: boundary protection, FIPS-validated crypto, network architecture, mobile code, VoIP, key management.
  • 3.14 SI · System & information integrity · 7 controls: flaw remediation, malware, monitoring, alerting, validation of inputs, error handling.
  • 3.12 CA · Security assessment · 4 controls: SSP, plans of action, monitoring, system interconnections.

Level 3 · DIBCAC-assessed · Expert: NIST 800-172 enhancements

Level 3 is rare. Required for programs with CUI critical to national security and APT-grade threat models. Adds a subset of NIST SP 800-172's enhanced security requirements on top of all 110 800-171 controls. Assessed by DoD DIBCAC, not a C3PAO.

Four of the 800-172 enhanced requirements
  • 3.1.1e · Dual authorization: sensitive operations require concurrence from two authorized individuals.
  • 3.13.1e · Threat hunting: active hunting for indicators of compromise across the enterprise.
  • 3.14.1e · Verified pedigree: software / firmware integrity validated against a trusted source.
  • 3.11.1e · Threat-informed risk: risk decisions reflect current threat intelligence specific to the program.

Required · System Security Plan: the assessor's map

The SSP is the single document the C3PAO reads first. Per-control implementation statement; per-control evidence reference; system boundary; data flows; CUI inventory. A weak SSP guarantees a long assessment. We write SSPs surgically, not exhaustively, and treat them as living documents.

The 3 SSP sections
  • SSP · 1 · System boundary & CUI flow: authorization boundary, data-flow diagram, CUI inventory and locations.
  • SSP · 2 · Control implementation: per-control narrative · who, how, where, evidence reference.
  • SSP · 3 · Shared responsibility: for cloud / managed services, what the CSP / MSP does vs what you do.

180-day close-out · POA&M: limited not-yet-implemented

CMMC permits a Plan of Action & Milestones for a limited subset of controls, none worth more than 1 point in the SPRS scoring, none on the “not POA&M-able” list, and a minimum SPRS score of 88 to qualify. All POA&M items must close within 180 days of conditional certification. Items that don't close convert to denial.

The 3 POA&M conditions
  • POA&M · 1 · Eligible controls: 1-point controls only · subset listed in 32 CFR 170.21.
  • POA&M · 2 · Score floor: minimum SPRS 88/110 to qualify for conditional certification.
  • POA&M · 3 · Close-out window: 180 days to close all items · close-out assessment required.

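The POA&M rules above (and the "what happens if a control fails" answer in the FAQ) reduce to a small decision procedure: score the result, check every open item against the 1-point and not-POA&M-able conditions, then track the 180-day window. The Python below is an added example, not code from the original page or from Nexurion; the per-control point weights and the prohibited-control set in it are constructed placeholders, not the lists in 32 CFR 170.21, and the partial-credit exceptions of the real DoD scoring methodology are not modelled.

```python
"""POA&M eligibility and conditional-certification check for a CMMC Level 2 result.

Added example, not code from the original page or from Nexurion. It encodes the
rules the page states: every deferred control must be worth 1 point in SPRS
scoring, none may be on the "not POA&M-able" list, the SPRS score must be at
least 88 of 110, and every item must close within 180 days of the conditional
certification. Weights and the prohibited set are CONSTRUCTED placeholders.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_SCORE = 110       # SPRS starts at 110 and deducts per NOT MET control
SCORE_FLOOR = 88      # minimum SPRS score for conditional certification
CLOSEOUT_DAYS = 180   # POA&M close-out window after conditional certification

# Constructed sample weights (the real methodology uses 1, 3 or 5 points per control).
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.3.1": 5, "3.4.1": 3, "3.5.3": 5,
    "3.8.3": 3, "3.12.1": 1, "3.12.2": 1, "3.13.11": 5, "3.14.6": 1,
}
# Constructed placeholder for the "not POA&M-able" list in 32 CFR 170.21.
SAMPLE_NOT_POAM_ABLE = {"3.5.3", "3.13.11"}


@dataclass
class AssessmentResult:
    not_met: list[str]        # control ids the assessor scored NOT MET
    conditional_date: str     # ISO date the conditional certificate was issued
    weights: dict[str, int] = field(default_factory=lambda: dict(SAMPLE_WEIGHTS))
    prohibited: set[str] = field(default_factory=lambda: set(SAMPLE_NOT_POAM_ABLE))


def sprs_score(result: AssessmentResult) -> int:
    """110 minus the point weight of every NOT MET control."""
    return MAX_SCORE - sum(result.weights[c] for c in result.not_met)


def poam_blockers(result: AssessmentResult) -> list[str]:
    """Every reason the open items cannot be carried on a POA&M."""
    reasons = []
    score = sprs_score(result)
    if score < SCORE_FLOOR:
        reasons.append(f"SPRS score {score} is below the {SCORE_FLOOR} floor")
    for ctl in result.not_met:
        if ctl in result.prohibited:
            reasons.append(f"{ctl} is on the not-POA&M-able list")
        elif result.weights[ctl] > 1:
            reasons.append(f"{ctl} is a {result.weights[ctl]}-point control; "
                           "only 1-point controls may be deferred")
    return reasons


def outcome(result: AssessmentResult) -> str:
    """'final' with nothing open, 'conditional' if a POA&M is allowed, else 'not met'."""
    if not result.not_met:
        return "final"
    return "conditional" if not poam_blockers(result) else "not met"


def closeout_deadline(result: AssessmentResult) -> date:
    """Last day on which every POA&M item must be closed."""
    return date.fromisoformat(result.conditional_date) + timedelta(days=CLOSEOUT_DAYS)


def closeout_status(result: AssessmentResult, open_items: list[str], today: str) -> str:
    """'closed' once nothing is open; 'open' inside the window; 'denied' after it."""
    if not open_items:
        return "closed"
    return "open" if date.fromisoformat(today) <= closeout_deadline(result) else "denied"


if __name__ == "__main__":
    # Constructed sample: two 1-point CA controls still open after assessment.
    r = AssessmentResult(not_met=["3.12.1", "3.12.2"], conditional_date="2025-03-01")
    print(sprs_score(r), outcome(r), closeout_deadline(r))
```
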
§ IV · Assessment type

Self vs C3PAO: which applies?

The contracting officer specifies the level required by the contract. For most CUI work, Level 2 with C3PAO assessment is the path. A small subset of L2 work permits self-assessment when the CUI is non-critical and DoD has opted in.

Where allowed

L2 Self-Assessment

Permitted only on contracts the DoD has specifically designated as eligible. Annual self-assessment against all 110 controls. Senior official affirmation. Same SSP, same evidence quality bar: same FCA exposure on the affirmation. Cheaper at sticker price; identical liability if you get it wrong.

The 7 attributes
  • Cycle: annual self-assessment
  • Format: internal · senior-official signed
  • Posted to: SPRS · numerical score
  • FCA exposure: full · false affirmation = treble damages
  • Cost: internal labor + readiness fees
  • Eligibility: contract-specific · DoD-designated only
  • Recommended for: non-critical CUI · small surface

Default for most CUI contracts

L2 C3PAO Assessment

A Cyber AB-authorized C3PAO conducts a triennial assessment with one or more Certified CMMC Assessors (CCAs). On-site / hybrid · sampling · interviews · evidence review · remediation window. Result is a final assessment, scoring, and certificate at L2.

The 7 attributes
  • Cycle: triennial · annual affirmation between
  • Format: on-site / hybrid · CCA-led
  • Result: final, conditional, or not-met
  • Cost: $45k – $200k+ depending on scope
  • Authority: Cyber AB authorizes C3PAOs & CCAs
  • POA&M: permitted for limited controls · 180 days
  • Recommended for: all CUI contracts unless self-assessment is permitted

Affirmation readiness
Layer 1 of 5

A control is implemented.

The control operates in the environment. On its own, it is a fact no one outside the team can yet stand behind.

What matures is not the score. It is confidence in the affirmation.

Defensibility layers: L1 Control → L2 Evidence → L3 SSP reflects reality → L4 Continuous monitoring → Senior-official affirmation (signed · SPRS · annual)

§ V · The clock

A first-time Level 2, realistically: 9 to 15 months.

Most contractors underestimate scoping and CUI inventory; both are the gate to everything downstream. The C3PAO doesn’t cause the delay. Your data flows do.

Wk 0 – 6 · CUI inventory & scoping
Find every place CUI lives: endpoints, file shares, mailboxes, SaaS, ITAR-marked drives. Draw the authorization boundary. Most engagements lose two months here.

Wk 6 – 14 · Gap & SSP draft
CCP-led gap against all 110 controls. SSP v0 written control-by-control with evidence references. Initial SPRS score recorded as a baseline.

Wk 14 – 36 · Remediation & enclave
FIPS-validated crypto, GCC High or comparable enclave (if needed), MFA, audit pipelines, IR plan, access reviews, vendor flow-down. SPRS climbs into the high 90s.

Wk 36 – 44 · Pre-assessment dry-run
Mock C3PAO assessment by a Nexurion CCP / external CCA. Findings remediated. SSP locked. Evidence packaged.

Wk 44 – 60 · C3PAO assessment
Assessment, any required remediation, certification or conditional + 180-day POA&M close-out, then certificate at L2.

Why teams hire Nexurion

§ VI · How Nexurion runs it

A Certified CMMC Professional on every engagement.

A Cyber AB Certified CMMC Professional reads every engagement we lead and signs off on the SSP and affirmation packet before either reaches your senior official. Not a junior consultant, not a SaaS portal.

Methodology detail

Our founder is a Cyber AB Certified CMMC Professional with prior service as a USAF nuclear-security engineer and DoD-cleared roles at Raytheon Technologies. Every CMMC engagement we lead is read by a CCP, who signs off on the SSP and the affirmation packet before either reaches your senior official. Read our methodology.

We build for the affirmation, not just the assessment. Annual senior-official affirmations are the FCA exposure surface. We instrument continuous monitoring against all 110 controls, document the SSP as a living artifact, and pre-stage the affirmation packet so the senior official is signing on evidence, not on hope. More on ConMon »

For multi-cloud or hybrid environments, we’ll architect a CUI enclave (typically Microsoft 365 GCC High or AWS GovCloud) and write the shared-responsibility section of the SSP, the place most C3PAO findings cluster. We do not resell licenses; we have no kickback from any CSP. See engagement outcomes.

01
A CCP on every engagement
A Cyber AB Certified CMMC Professional reads the work and signs off on the SSP and affirmation packet. No junior hand-off, no SaaS portal.
02
Built for the affirmation
Continuous monitoring against all 110 controls, a living SSP, and a pre-staged affirmation packet so the senior official signs on evidence.
03
CUI enclave architected for you
GCC High or GovCloud enclave with the shared-responsibility SSP section written, where most C3PAO findings cluster.
04
Independent of the C3PAO
Aligned to the RPO model, we won’t assess whom we readied, and we take no referral fees from any C3PAO.

Engagement structure

Independent of the C3PAO: by design.

The Cyber AB ecosystem distinguishes RPOs (readiness) from C3PAOs (assessment); the same firm cannot do both on the same engagement. We are aligned with the RPO model and will not assess clients we readied. We’ll introduce you to three C3PAOs with active assessor relationships, calibrated to your sector and timeline. C3PAO relationships »

§ VII · Where engagements stall

Six places a CMMC goes sideways.

The pattern repeats. Almost every failed CMMC engagement we see was killed by scoping or affirmation hygiene, not by the controls themselves.

01 / Over-scoped CUI

"Everything handles CUI."

If the whole company handles CUI, the whole company is in the assessment boundary. Enclaves exist for a reason. We segment CUI to a defined system boundary; everything outside is out of scope and stays cheaper.

02 / Under-scoped CUI

"It’s only on that one share."

Email forwards. Personal OneDrive caches. A contractor laptop. A C3PAO finds the CUI you didn’t. Inventory it before the assessment, not during.

03 / Wrong cloud

M365 commercial for CUI workloads.

Commercial M365 doesn’t meet the 800-171 3.13.11 (FIPS-validated cryptography) requirement for CUI. Plan the GCC High migration in scoping; doing it during remediation costs months.

04 / Affirmation hygiene

Senior official signs without reading.

The annual affirmation creates FCA liability. We package the affirmation with a full evidence index, so the senior official reads what they sign. Aerojet, Penn State, Verizon Business, Comprehensive Health, Insight: every recent Civil Cyber-Fraud Initiative (CCFI) settlement traces to this.

05 / Vendor flow-down

Subs not at your level.

If you’re a prime at L2, your subs handling CUI must also be at L2. Inventory the subs, get their SPRS scores, and paper the flow-down before bid.

06 / SSP staleness

SSP written once, never updated.

An SSP that doesn’t reflect your environment is a common source of findings. ConMon-driven SSP updates follow every material change. The C3PAO will diff your SSP against your evidence; weak diffs lose certificates.

§ VIII · C3PAOs

C3PAOs we’ve walked clean assessments with.

Cyber AB authorizes C3PAOs and the assessors (CCAs / CCPs) who work for them. The pool is small, a few dozen authorized firms in 2026 and growing, and bandwidth is constrained. Booking an assessor for a Q3 / Q4 contract deadline can require six months of lead time. We’ll introduce you to three C3PAOs with active relationships, calibrated to sector and turnaround.

If you already have a C3PAO

If you already have a C3PAO, we sit in on a pre-assessment alignment call with their lead CCA covering scope, the SSP, and evidence format. We do not accept referral fees from any C3PAO, by policy. The Cyber AB code of conduct prohibits readiness firms from cross-referring assessment work; we honor that absolutely.

§ IX · Cross-mapping

CMMC against the rest of the stack.

CMMC L2 is built on NIST 800-171 r2; that is the most direct overlap. Most other federal frameworks share substantial control DNA but require their own packaging.

The stack

CMMC L2 is the eligibility gate.

Percentages are approximate control overlap with CMMC Level 2; higher overlap means more of the control work carries directly into that framework.

  • NIST 800-171 r2 · ~100% overlap. What CMMC covers: Level 2 is 800-171 r2, assessed by a C3PAO. Still needed: the CMMC packaging, meaning SSP rigor, annual affirmation, SPRS posting.
  • ISO 27001 · ~75% overlap. What CMMC covers: most Annex A controls have CMMC equivalents. Still needed: ISMS scope, Statement of Applicability, three-year cert cycle, internal audit program.
  • FedRAMP Moderate / High · ~70% overlap. What CMMC covers: NIST 800-53 is a superset of 800-171. Still needed: 3PAO authorization, agency ATO, continuous monitoring per FedRAMP cadence.
  • SOC 2 Type 2 · ~60% overlap. What CMMC covers: access, change, and monitoring controls overlap. Still needed: AICPA system description, complementary user-entity controls, CPA firm engagement.
  • NIST 800-172 · ~30% overlap. What CMMC covers: enhanced controls layered above 800-171 for Level 3. Still needed: L3 enhanced practices, threat hunting, dual authorization, advanced detection.
  • ITAR / EAR · Orthogonal: export controls, not security. Still needed: EAR/ITAR registration, export licenses, US-persons-only access; a separate regime.

Reference & lookup

Everything below stays on the page in full: cross-mappings, recent changes, adjacent frameworks, frequently-asked questions, and field notes. It is here when you need it, and out of the way until you do.

§ X · 2024 final rule

What the final rule changed.

The 2024 final rule (32 CFR Part 170, effective December 16, 2024) finalized the program after years of proposed-rule iteration. Key shifts:

  • Five levels collapsed to three. CMMC 2.0 retired the original L2/L4 maturity-process tiers in favor of L1 (FCI), L2 (CUI), L3 (critical CUI).
  • Conditional certification with POA&M. Limited POA&Ms are now permitted at L2 for 1-point controls, requiring SPRS ≥ 88 and a 180-day close-out.
  • Affirmation regime. Senior-official affirmations are now codified between assessment cycles, and posted to SPRS.
  • Phased contractual rollout. Phase 1 (post-rule) covers L1 / L2 self-assessment. Phase 2 (mid-2025) introduces L2 C3PAO. Full rollout by 2028.
  • External Service Provider (ESP) clarity. MSPs / MSSPs handling CUI must themselves be at the contractor’s level, a major shift for managed-services arrangements.

Read our deeper take in Field Notes Vol. II: "The senior-official affirmation: where most CMMC FCA exposure is born."

§ XI · Pairs with

CMMC is rarely the only ask.

Federal contractors usually carry two or three frameworks at once. We sequence them so the work compounds rather than duplicates.

§ XII · FAQ

Frequently asked.

When does CMMC actually start appearing in solicitations?
It already does, in select solicitations. The 32 CFR Part 170 final rule was effective December 16, 2024. The contractual implementing rule (DFARS 252.204-7021) is rolling out in phases through 2028. By 2027, expect CMMC L2 on most CUI contracts. Plan as if it’s already in your next bid.

How long does the first Level 2 take?
9 – 15 months from kickoff to certificate. The driver is CUI scoping plus GCC High migration (if needed); the assessment itself is 1 – 2 weeks. We’ve compressed under 9 months when an enclave already exists. See timeline.

What does it cost?
For first-time Level 2 (C3PAO): $45k – $200k+ for the C3PAO depending on scope & size, $80k – $250k for Nexurion-led readiness, plus tooling / cloud (GCC High, MFA, audit pipelines). Renewal cycle costs are materially lower. See pricing structure »

Can we self-attest Level 2?
Only on contracts the DoD has specifically designated for L2 self-assessment (a small subset). The default for L2 is C3PAO. Either way, the senior-official affirmation creates the same FCA exposure. Self-attesting on a contract that requires C3PAO is a False Claims Act violation by definition.

Do our cloud providers need to be CMMC-certified too?
External Service Providers handling CUI must be at the contractor’s level. For most cases that means FedRAMP Moderate / High equivalency for the CSP and a documented shared-responsibility matrix. Microsoft GCC High and AWS GovCloud are the most common paths.

What happens if a control fails at assessment?
If the failed control is on the POA&M-eligible list (1 point, not on the prohibited list), it can be remediated within 180 days under conditional certification. If not, the assessment result is “Not Met” and you re-assess after remediation.

Does CMMC replace DFARS 7012?
No. DFARS 252.204-7012 (cyber incident reporting + 800-171 implementation) remains. CMMC adds verification on top: -7019 (NIST score in SPRS), -7020 (DoD assessment), -7021 (CMMC requirement). All four clauses operate together.

§ XIII · From the Brief

Field notes on CMMC.

Pieces from Nexurion Field Notes directly relevant to CMMC and the DIB.


CMMC on a contract calendar? Get the 5-minute scoping memo.

Five questions. One reply. Within 48 hours, a senior practitioner sends a written scoping memo: FCI vs CUI determination, Level 1 vs Level 2 verdict, a realistic 9–15 month calendar (including any GCC High migration), and a fee range. C3PAO-independent, signed by a Certified CMMC Professional. The booking link is at the bottom of the memo.