Explore the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) v2.0 proposed rule with our concise summary. Unveiled shortly after Christmas 2023, this over-200-page document holds crucial implications for small business suppliers and potential entrants into the Defense Industrial Base (DIB). As we break down the key points, understand the significance of compliance and its phased implementation.

  1. Applicability

    Discover how the CMMC v2.0 rule impacts DoD Contract and Subcontract awardees handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on Contractor Information Systems. External Service Providers and Cloud Service Providers face specific requirements, highlighting the importance of compliance across the board.

Phased Roll Out

The implementation of CMMC will follow a phased approach, gradually incorporating its stipulations into solicitations and contracts. This ensures a systematic and organized adoption process.

Phases of CMMC Implementation
  1. CMMC Model

  2. The security requirements under CMMC are determined by the assigned level, with some aspects allowing for Organizationally-Defined Parameters. The model comprises three levels, each with specific documentation and assessment requirements.

Maturity Levels and Assessment Requirements

CMMC Level 1 (Documentation): This involves a subset of NIST SP 800-171, Revision 2 security requirements, with an emphasis on an annual self-assessment and affirmation.

CMMC Level 2 (Documentation): Compliance with NIST SP 800-171, Revision 2 is required, with options for self-assessment or certification assessment. It includes a triennial self-assessment and annual affirmation.

CMMC Level 3 (Documentation): This involves a Level 2 Certification Assessment, followed by a Level 3 Certification Assessment, which integrates additional NIST SP 800-172 security requirements. Compliance includes a triennial self-assessment and annual affirmation.

CMMC Certification Levels

Scoping Your Environment


For small businesses, it’s crucial to reduce the scope of assets in assessments, categorize assets effectively, and ensure external service providers comply with CMMC levels. Strategies such as Contractor Risk-Managed Assets and physical/logical separation are emphasized.

Small businesses should focus on achieving the following goals:

a. Reduce the number of Controlled Unclassified Information (CUI) assets, including people, systems, and providers, within scope.

b. Properly scope assets based on relevant categories.

c. Contractor Risk-Managed Assets offer valuable flexibility, but it’s essential to conduct regular audits to ensure adherence to established controls.

d. For complete out-of-scope designation, physical and logical separation is necessary, providing an extra layer of security for sensitive assets.


External Service Providers

Ensure compliance with Cybersecurity Maturity Model Certification (CMMC) levels for external service providers by incorporating specific security requirements into contracts.

External Service Providers (ESPs) – Must have a FINAL CMMC Certification Assessment for the CMMC level of the organization(s) they support.

Determining SPRS Score

The DoD Assessment Methodology is used for scoring. For Level 3 organizations where each requirement is assigned one point. Immediate attention is needed for items that cannot be placed in a Plan of Action and Milestones (POA&M).

Cloud Services

Cloud Services utilized to store, process, or transmit Controlled Unclassified Information (CUI) must be FedRAMP Moderate Authorized or “Equivalent”.

Cloud Services utilized for non-CUI stuff (e.g., like accounting software) don’t have to be FedRAMP authorized. But make sure you don’t begin to do stuff with CUI in there or it will need to be.

FedRAMP Moderate “Equivalent” in the Proposed Rule is simple… get their SSP that says they are doing the requirements of FedRAMP. Well, that was blown up when DoD came out with a memo that actually explained what’s needed (Documentation). In essence, it says they have to do everything another organization doing FedRAMP has to do – and some (100% compliance!!) – except the process to get on the FedRAMP Marketplace.


As the DoD’s CMMC 2.0 becomes prominent, small business suppliers in the DIB must stay informed and proactive in meeting cybersecurity requirements. The structured framework of phased implementation and compliance levels provides a roadmap for navigating the evolving landscape of defense sector cybersecurity.

Download the PDF below for more details and links to the Proposed Rule documentation.

Download our FREE Self-Assessment Workbook

Stay up-to-date!
Get insights and tips from experts