The clock is ticking. Phase 2 of CMMC 2.0 begins November 10, 2026, requiring third-party certification for any contract involving Controlled Unclassified Information (CUI). Over 220,000 contractors and subcontractors are affected—and many aren't ready.
C3PAO assessment fees are expected to reach $75,000-$150,000 by late 2026 due to assessor bottlenecks. The time to prepare is now.
## Understanding the CMMC 2.0 Framework
CMMC 2.0 replaced the original five-level model with a streamlined three-tier framework based on data sensitivity.
### CMMC 2.0 Certification Levels
#### Level 1: Federal Contract Information (FCI)
- Applies to: Contractors handling basic federal contract information
- Controls: 15 FAR 52.204-21 safeguards
- Assessment: Annual self-assessment
- Effort: Low (most contractors already meet these)
#### Level 2: Controlled Unclassified Information (CUI)
- Applies to: Contractors handling CUI (most defense work)
- Controls: All 110 NIST SP 800-171 Rev 2 controls
- Assessment: Self-assessment OR third-party C3PAO certification
- Effort: Significant (300-500 evidence artifacts required)
#### Level 3: Advanced Threats
- Applies to: Highest-risk programs
- Controls: NIST SP 800-171 + SP 800-172 enhanced controls
- Assessment: Government-led assessment (DIBCAC)
- Effort: Extensive (nation-state level defenses)
Most contractors need Level 2. That's our focus.
## The Implementation Timeline
### CMMC Implementation Timeline
| Phase | Date | Requirement |
|---|---|---|
| Phase 1 | November 10, 2025 | Self-assessments and SPRS scores required pre-award |
| Phase 2 | November 10, 2026 | C3PAO certification required for new CUI contracts |
| Phase 3 | November 10, 2027 | CMMC required for contract options/renewals |
| Phase 4 | November 10, 2028 | Full implementation across all applicable contracts |
Key insight: Even if you only need self-assessment now, the same 110 controls apply. Building toward certification now avoids scrambling later.
## The 110 Controls: Organized by Domain
NIST SP 800-171 organizes requirements into 14 control families. Here's what each requires:
### Access Control (22 controls)
The largest domain. Key requirements:
- AC.L2-3.1.1 Limit system access to authorized users
- AC.L2-3.1.2 Limit system access to authorized functions
- AC.L2-3.1.3 Control CUI flow between systems
- AC.L2-3.1.5 Employ least privilege
- AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions
Implementation approach:
```typescript
// Role-based access control implementation
type Permission = 'read_public' | 'read_own_projects' | 'read_cui' | 'write_cui' | 'all';
type Action = Exclude<Permission, 'all'>;

interface User { id: string; role: string; }
interface Resource { id: string; containsCUI: boolean; }

interface AccessPolicy {
  role: string;
  permissions: Permission[];
  cuiAccess: boolean;
  mfaRequired: boolean;
  sessionTimeout: number; // minutes
}

const policies: AccessPolicy[] = [
  {
    role: 'standard_user',
    permissions: ['read_public', 'read_own_projects'],
    cuiAccess: false,
    mfaRequired: false,
    sessionTimeout: 480
  },
  {
    role: 'cui_handler',
    permissions: ['read_public', 'read_cui', 'write_cui'],
    cuiAccess: true,
    mfaRequired: true, // IA.L2-3.5.3
    sessionTimeout: 30 // AC.L2-3.1.10
  },
  {
    role: 'system_admin',
    permissions: ['all'],
    cuiAccess: true,
    mfaRequired: true,
    sessionTimeout: 15
  }
];

// Minimal audit sink; production writes to tamper-resistant storage (see the AU section)
const auditLog = {
  record(entry: { user: string; resource: string; action: Action; timestamp: Date; granted: boolean }): void {
    console.log(JSON.stringify(entry));
  }
};

// Enforce least privilege (AC.L2-3.1.5)
function checkAccess(user: User, resource: Resource, action: Action): boolean {
  const policy = policies.find(p => p.role === user.role);
  let granted = false;
  if (policy) {
    // 'all' is the wildcard used by system_admin; otherwise the action must be listed
    const permitted = policy.permissions.includes('all') || policy.permissions.includes(action);
    // Roles without CUI access are denied CUI resources regardless of permission
    granted = permitted && (!resource.containsCUI || policy.cuiAccess);
  }
  // Log all access attempts, denied as well as granted (AU.L2-3.3.1)
  auditLog.record({
    user: user.id,
    resource: resource.id,
    action,
    timestamp: new Date(),
    granted
  });
  return granted;
}
```
### Audit and Accountability (9 controls)
Every action involving CUI must be logged and reviewable.
```typescript
import { randomUUID } from 'node:crypto';

// Comprehensive audit logging (AU.L2-3.3.1, AU.L2-3.3.2)
interface AuditEvent {
  eventId: string;
  timestamp: string;
  userId: string;
  userRole: string;
  sourceIP: string;
  action: string;
  resource: string;
  resourceType: 'cui' | 'fci' | 'public';
  outcome: 'success' | 'failure';
  details: Record<string, unknown>;
}

// Append-only backing store (WORM bucket, write-once volume, or similar)
interface ImmutableStorage {
  append(stream: string, event: AuditEvent): Promise<void>;
}

class CMMCAuditLogger {
  private readonly retentionDays = 365 * 6; // 6-year retention

  constructor(
    private readonly immutableStorage: ImmutableStorage,
    private readonly alertSecurityTeam: (event: AuditEvent) => Promise<void>
  ) {}

  async log(event: Omit<AuditEvent, 'eventId' | 'timestamp'>): Promise<void> {
    const fullEvent: AuditEvent = {
      ...event,
      eventId: randomUUID(),
      timestamp: new Date().toISOString()
    };
    // Write to immutable storage (AU.L2-3.3.8)
    await this.writeToImmutableLog(fullEvent);
    // Alert on failures (AU.L2-3.3.4)
    if (event.outcome === 'failure' && event.resourceType === 'cui') {
      await this.alertSecurityTeam(fullEvent);
    }
  }

  private async writeToImmutableLog(event: AuditEvent): Promise<void> {
    // Use write-once storage or blockchain-backed logging
    await this.immutableStorage.append('audit-log', event);
  }
}
```
### Identification and Authentication (11 controls)
Multi-factor authentication is mandatory for CUI access.
```typescript
// MFA implementation (IA.L2-3.5.3)
interface Credentials {
  username: string;
  password: string;
  mfaToken?: string; // TOTP code, supplied when the session will touch CUI
}

interface AuthenticationResult {
  authenticated: boolean;
  mfaCompleted: boolean;
  method: 'password' | 'certificate' | 'token';
  factors: string[];
}

// Backing verifiers: a salted-hash password check and a TOTP check against the user's secret
declare function verifyPassword(credentials: Credentials): Promise<boolean>;
declare function verifyMFA(token: string | undefined): Promise<boolean>;

async function authenticateUser(
  credentials: Credentials,
  accessingCUI: boolean
): Promise<AuthenticationResult> {
  // Factor 1: Something you know
  const passwordValid = await verifyPassword(credentials);
  if (!passwordValid) {
    return { authenticated: false, mfaCompleted: false, method: 'password', factors: [] };
  }
  const factors = ['password'];
  // Factor 2 required for CUI (IA.L2-3.5.3)
  if (accessingCUI) {
    const mfaValid = await verifyMFA(credentials.mfaToken);
    if (!mfaValid) {
      // Password alone never unlocks CUI; callers must check mfaCompleted, not just authenticated
      return { authenticated: true, mfaCompleted: false, method: 'password', factors };
    }
    factors.push('totp');
  }
  return {
    authenticated: true,
    mfaCompleted: factors.length >= 2,
    method: 'password',
    factors
  };
}
```
### Configuration Management (9 controls)
Track and control all system configurations.
| Control | Requirement | Evidence Needed |
|---|---|---|
| CM.L2-3.4.1 | Baseline configurations | Documented baselines for all systems |
| CM.L2-3.4.2 | Security configuration settings | Hardening standards applied |
| CM.L2-3.4.3 | Track configuration changes | Change logs with approvals |
| CM.L2-3.4.5 | Define authorized software | Software inventory/whitelist |
### Incident Response (3 controls)
```typescript
// Incident response workflow (IR.L2-3.6.1, IR.L2-3.6.2)
interface IncidentEvent {
  at: string;                          // ISO timestamp
  status: SecurityIncident['status'];  // status reached at this point
  note: string;                        // who did what, for the post-incident report
}

interface SecurityIncident {
  id: string;
  detectedAt: string;
  severity: 'low' | 'medium' | 'high' | 'critical';
  affectsCUI: boolean;
  description: string;
  status: 'detected' | 'contained' | 'eradicated' | 'recovered' | 'closed';
  timeline: IncidentEvent[];
}

const incidentResponsePlan = {
  detection: {
    sources: ['siem_alerts', 'user_reports', 'automated_scans'],
    escalationTime: '15_minutes'
  },
  containment: {
    cuiIncident: {
      isolateAffectedSystems: true,
      preserveEvidence: true,
      notifySecurityOfficer: true,
      notifyContractingOfficer: true // If CUI compromised
    }
  },
  reporting: {
    internal: '24_hours',
    dod: '72_hours', // If CUI spillage
    dibnet: 'as_required'
  }
};
```
### Other Critical Domains
| Domain | Controls | Key Requirements |
|---|---|---|
| Media Protection | 9 | Encrypt portable media, sanitize before disposal |
| Personnel Security | 2 | Screen individuals, terminate access promptly |
| Physical Protection | 6 | Limit physical access, escort visitors |
| Risk Assessment | 3 | Periodic vulnerability scans, remediation |
| Security Assessment | 4 | Assess controls periodically, POA&M for gaps |
| System & Communications | 16 | Boundary protection, encryption in transit |
| System & Information Integrity | 7 | Malware protection, patch management |
## Building Your Evidence Package
Level 2 assessments require 300-500 evidence artifacts. Organize by control family:
### Documentation Structure
```text
/cmmc-evidence
├── /policies
│   ├── access-control-policy.pdf
│   ├── incident-response-plan.pdf
│   ├── configuration-management-policy.pdf
│   └── ...
├── /procedures
│   ├── user-provisioning-procedure.pdf
│   ├── vulnerability-scanning-procedure.pdf
│   └── ...
├── /evidence
│   ├── /AC (Access Control)
│   │   ├── AC.L2-3.1.1-user-access-list.xlsx
│   │   ├── AC.L2-3.1.1-access-request-forms/
│   │   ├── AC.L2-3.1.5-rbac-configuration.png
│   │   └── ...
│   ├── /AU (Audit)
│   │   ├── AU.L2-3.3.1-audit-log-samples/
│   │   ├── AU.L2-3.3.2-audit-retention-config.png
│   │   └── ...
│   └── ...
├── /system-security-plan
│   └── SSP-v2.1.pdf
└── /poa-m
    └── plan-of-action-milestones.xlsx
```
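A naming convention like the one above is only useful if something checks it. The following is an added example, not code from the original post: it parses artifact names of the form `<FAMILY>.L2-<req>-<description>` and reports which controls have evidence, which are tracked in the POA&M, and which have neither. The required-control list and sample paths are constructed assumptions, not the full 110.

```typescript
// Added example (not from the page): checks an evidence package for control coverage
// using the file-naming convention above (<FAMILY>.L2-<req>-<description>).
// REQUIRED_CONTROLS is an assumed subset; a real check lists all 110 requirements.
const REQUIRED_CONTROLS: string[] = [
  'AC.L2-3.1.1', 'AC.L2-3.1.2', 'AC.L2-3.1.3', 'AC.L2-3.1.5', 'AC.L2-3.1.7',
  'AU.L2-3.3.1', 'AU.L2-3.3.2', 'AU.L2-3.3.4', 'AU.L2-3.3.8',
];
const CONTROL_ID = /\b([A-Z]{2}\.L2-\d\.\d{1,2}\.\d{1,2})\b/;

interface CoverageReport {
  covered: string[];   // an evidence artifact is present
  onPoam: string[];    // no evidence, but the gap is tracked in the POA&M
  missing: string[];   // neither: an assessor will score this as not met
  coveragePercent: number;
}

// Pull the control id out of each artifact name under /evidence
function controlsWithEvidence(paths: string[]): Set<string> {
  const ids = new Set<string>();
  for (const p of paths) {
    if (p.indexOf('/evidence/') === -1) continue;
    const base = p.split('/').filter(s => s !== '').pop() ?? '';
    const m = CONTROL_ID.exec(base);
    if (m) ids.add(m[1]);
  }
  return ids;
}

function coverageReport(paths: string[], poamControls: string[]): CoverageReport {
  const have = controlsWithEvidence(paths);
  const poam = new Set(poamControls);
  const covered = REQUIRED_CONTROLS.filter(c => have.has(c));
  const onPoam = REQUIRED_CONTROLS.filter(c => !have.has(c) && poam.has(c));
  const missing = REQUIRED_CONTROLS.filter(c => !have.has(c) && !poam.has(c));
  return { covered, onPoam, missing, coveragePercent: Math.round((covered.length / REQUIRED_CONTROLS.length) * 100) };
}

// Constructed sample package mirroring the layout above
const samplePaths = [
  '/cmmc-evidence/policies/access-control-policy.pdf',
  '/cmmc-evidence/evidence/AC/AC.L2-3.1.1-user-access-list.xlsx',
  '/cmmc-evidence/evidence/AC/AC.L2-3.1.1-access-request-forms/',
  '/cmmc-evidence/evidence/AC/AC.L2-3.1.5-rbac-configuration.png',
  '/cmmc-evidence/evidence/AU/AU.L2-3.3.1-audit-log-samples/',
  '/cmmc-evidence/evidence/AU/AU.L2-3.3.2-audit-retention-config.png',
];
const samplePoam = ['AC.L2-3.1.3', 'AU.L2-3.3.8']; // constructed open items from plan-of-action-milestones.xlsx
```

Run `coverageReport(samplePaths, samplePoam)` before the 90-day pre-assessment: the `missing` list is exactly the set of controls that need either an artifact or a POA&M entry.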
### Evidence Types by Control
| Evidence Type | Examples | Controls |
|---|---|---|
| Policies | Written policy documents | All domains |
| Screenshots | System configurations | CM, AC, SC |
| Logs | Audit trails, access logs | AU, AC |
| Reports | Vulnerability scans, assessments | RA, CA |
| Interviews | Process walkthroughs | All domains |
| Observations | Assessor direct verification | PE, MP |
## Cost-Effective Compliance Strategies
### 1. Leverage Cloud Security Inheritance
FedRAMP-authorized cloud services (AWS GovCloud, Azure Government, Google Cloud) inherit many controls:
| Control Domain | Cloud-Inherited | Customer Responsibility |
|---|---|---|
| Physical Protection | ✅ Mostly inherited | Logical access only |
| Media Protection | ✅ Partially inherited | Encryption keys |
| System & Comms | ⚠️ Shared | Boundary controls, encryption |
| Access Control | ❌ Customer | All logical access |
Potential savings: 20-30% fewer controls to implement from scratch.
### 2. Scope Reduction
Limit where CUI lives to reduce assessment scope:
- Before: CUI scattered across 50 systems
- After: CUI isolated to 5 hardened systems
- Result: assessment scope reduced by 90%
How to scope down:
- Create dedicated CUI enclaves
- Use data loss prevention (DLP) to prevent CUI spread
- Implement CUI handling procedures that restrict locations
### 3. Shared Services
For small contractors, managed security services can be more cost-effective than building in-house:
| Service | Build In-House | Managed Service |
|---|---|---|
| SIEM/Log Management | $50K+ setup, $100K/year | $2-5K/month |
| Vulnerability Scanning | $20K+ tools | $500-2K/month |
| Endpoint Protection | $30K+ | $5-15/user/month |
## Common Compliance Gaps
Based on assessment data, these controls fail most often:
### 1. Audit Log Review (AU.L2-3.3.1)
Problem: Logs exist but nobody reviews them.
Solution: Automated alerting plus weekly manual review with documented sign-off.
### 2. Risk Assessments (RA.L2-3.11.1)
Problem: No documented risk assessment or it's outdated.
Solution: Annual risk assessment with quarterly reviews. Use NIST SP 800-30 methodology.
### 3. Incident Response Testing (IR.L2-3.6.3)
Problem: Plan exists but has never been tested.
Solution: Tabletop exercises annually, documented with lessons learned.
### 4. System Security Plan (CA.L2-3.12.4)
Problem: SSP is incomplete or doesn't match reality.
Solution: Living document updated with every significant change. Include all 110 controls with implementation details.
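Gap 1 above (logs exist, nobody reviews them) is the one most easily closed with a small amount of tooling. The following is an added example, not code from the original post: it reads a week of audit events in the JSON-lines shape of the `AuditEvent` interface earlier on this page, flags repeated failed CUI access, and emits a review record with reviewer and sign-off time that can be filed as evidence. The threshold, window, and sample events are constructed assumptions.

```typescript
// Added example (not from the page): automated triage of a week of audit events,
// producing the documented sign-off the weekly manual review needs.
// Event shape follows the AuditEvent interface used earlier on this page.
interface ReviewEvent {
  timestamp: string; userId: string; sourceIP: string; action: string;
  resourceType: 'cui' | 'fci' | 'public'; outcome: 'success' | 'failure';
}
interface ReviewFinding { userId: string; reason: string; eventCount: number; }
interface WeeklyReview {
  periodStart: string; periodEnd: string; eventsReviewed: number;
  findings: ReviewFinding[]; reviewer: string; signedOffAt: string;
}
// Flag users with repeated failed CUI access inside a rolling window (thresholds are assumptions)
function findRepeatedCuiFailures(events: ReviewEvent[], threshold = 3, windowMinutes = 10): ReviewFinding[] {
  const byUser = new Map<string, number[]>();
  for (const e of events) {
    if (e.resourceType !== 'cui' || e.outcome !== 'failure') continue;
    const times = byUser.get(e.userId) ?? [];
    times.push(Date.parse(e.timestamp));
    byUser.set(e.userId, times);
  }
  const findings: ReviewFinding[] = [];
  byUser.forEach((times, userId) => {
    times.sort((a, b) => a - b);
    for (let i = 0; i + threshold - 1 < times.length; i++) {
      if (times[i + threshold - 1] - times[i] <= windowMinutes * 60000) {
        findings.push({ userId, reason: `${threshold}+ failed CUI accesses within ${windowMinutes} min`, eventCount: times.length });
        break;
      }
    }
  });
  return findings;
}
// Parse JSON lines, run the check, and record who reviewed the period and when
function weeklyReview(jsonl: string, reviewer: string, signedOffAt: string): WeeklyReview {
  const events = jsonl.split('\n').filter(l => l.trim() !== '').map(l => JSON.parse(l) as ReviewEvent);
  const ts = events.map(e => e.timestamp).sort();
  return { periodStart: ts[0], periodEnd: ts[ts.length - 1], eventsReviewed: events.length,
           findings: findRepeatedCuiFailures(events), reviewer, signedOffAt };
}

// Constructed sample: u1 fails three CUI reads in four minutes; u2's single failure is noise
const sampleLog = [
  '{"timestamp":"2026-03-02T09:00:00Z","userId":"u1","sourceIP":"10.0.0.5","action":"read_cui","resourceType":"cui","outcome":"failure"}',
  '{"timestamp":"2026-03-02T09:02:00Z","userId":"u1","sourceIP":"10.0.0.5","action":"read_cui","resourceType":"cui","outcome":"failure"}',
  '{"timestamp":"2026-03-02T09:04:00Z","userId":"u1","sourceIP":"10.0.0.5","action":"read_cui","resourceType":"cui","outcome":"failure"}',
  '{"timestamp":"2026-03-03T10:00:00Z","userId":"u2","sourceIP":"10.0.0.9","action":"read_cui","resourceType":"cui","outcome":"failure"}',
  '{"timestamp":"2026-03-05T12:00:00Z","userId":"u1","sourceIP":"10.0.0.5","action":"read_cui","resourceType":"cui","outcome":"success"}',
].join('\n');
```

The returned `WeeklyReview` object, serialized and stored alongside the log samples, is the sign-off artifact an assessor looks for under AU.L2-3.3.1.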
## Preparing for Assessment
### 90 Days Before Assessment
- Complete all control implementations
- Finalize System Security Plan
- Close or document all POA&M items
- Conduct internal pre-assessment
- Train staff on assessment process
### 30 Days Before Assessment
- Verify all evidence is current
- Test technical controls
- Review access lists for accuracy
- Ensure logs are complete and accessible
- Brief key personnel
### During Assessment
- Designate assessment coordinator
- Have SMEs available for each domain
- Provide dedicated workspace for assessors
- Respond to findings promptly
- Document any clarifications
## Key Takeaways
- Start now: November 2026 will arrive faster than expected; 12+ months of preparation is typical
- Scope aggressively: every system out of scope is evidence you don't need to create
- Leverage the cloud: FedRAMP services inherit significant control responsibility
- Document everything: the assessment is as much about evidence as implementation
- Budget realistically: plan for $75K-$150K assessment fees plus implementation costs
## Getting CMMC Ready
CMMC compliance is achievable for contractors of any size with the right approach. The key is starting early, scoping appropriately, and building sustainable practices rather than checkbox compliance.
PEW Consulting helps defense contractors achieve CMMC certification efficiently. Our approach emphasizes scope reduction, cloud-native security, and documentation practices that serve both compliance and operations.
Schedule a CMMC readiness assessment to identify your gaps and build a realistic implementation timeline.
## Sources
- Virtru: Federal Cybersecurity in 2026
- Kiteworks: 2026 CMMC Compliance Software Selection
- Holland & Knight: CMMC Regulations Key Questions
- NIST SP 800-171 Rev 2
