What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's cybersecurity certification program for the Defense Industrial Base. Under CMMC 2.0, contractors are assessed at one of three levels:
- Level 1 — basic cyber hygiene (17 controls), self-assessed annually.
- Level 2 — protection of Controlled Unclassified Information (110 NIST SP 800-171 Rev 2 controls), assessed every three years by a C3PAO.
- Level 3 — protection against advanced persistent threats (Level 2 + a subset of NIST SP 800-172 controls), assessed by DIBCAC.
The assessment framework and contractual enforcement arrived in 32 CFR Part 170 — the CMMC Program rule, published October 15, 2024 and effective December 16, 2024.
Status as of July 13, 2026: the phased rollout is suspended. The Department of War CIO suspended the November 2026 transition to Phase 2 and held all pending and future CMMC implementation milestones in abeyance pending a 60-day review. During the suspension, program managers may designate only Level 1 (Self) or Level 2 (Self) assessments — not Level 2 (C3PAO) or Level 3 (DIBCAC) — and solicitations already carrying those requirements are being amended to remove them. The rule at 32 CFR Part 170 has not been rescinded and DFARS 252.204-7021 has not been removed; this is a pause with an announced review, not a repeal. We break down both memos in [CMMC Phase 2 is suspended](/insights/cmmc-phase-2-suspended/).
What still applies during the suspension
This is the part that matters most right now, because the suspension is being read far more broadly than it was written.
- DFARS 252.204-7012 — safeguarding covered defense information and the 72-hour cyber incident reporting obligation. The CIO memo states these requirements "are still in effect."
- NIST SP 800-171 Rev 2 — still the enforced baseline. The memo commits to "continue enforcing baseline compliance with NIST SP 800-171 Rev 2 through DIB self-assessments and select government-led assessments." The delivery mechanism changed; the 110 requirements did not.
- DFARS 252.204-7019 and 252.204-7020 — your SPRS score and the DoD Assessment Methodology. Separate clauses from CMMC, both still active.
- False Claims Act exposure — liability attaches to the SPRS score you affirmed, not to a CMMC certificate. No breach is required and no assessor needs to visit. This did not pause.
- Prime flowdown — DoW suspending its own requirement does not rewrite a subcontract you already signed, and primes remain free to require whatever assurance they want.
The short version: the assessment stopped, the requirements did not.
Who needs CMMC Level 2?
Any organization holding or subject to a DoD contract that involves Controlled Unclassified Information — which, in practice, is the majority of the Defense Industrial Base's roughly 70,000 contractors. If your DFARS 252.204-7012 clause is in the contract, the safeguarding obligation is already live regardless of what happens to the certification schedule.
Typical Level 2 targets include defense subcontractors, prime contractors with CUI-handling subcontracts to flow down, cloud service providers supporting DoD work, and any vendor whose product or service touches CUI at any stage of the federal supply chain.
Level 1 applies when the contract involves only Federal Contract Information, not CUI. Level 3 applies to a narrow set of programs where the adversary threat model justifies the enhanced control set.
What a realistic CMMC Level 2 engagement looks like
Six to nine months is the realistic window from kickoff to assessment-ready for a prepared organization with consistent executive support. The engagement breaks roughly into four parallel workstreams:
- Technical — CUI enclave design, identity + MFA, endpoint + EDR, centralized logging, boundary protection.
- Policy — drafting and aligning the policy library to CMMC practice statements.
- Evidence — designing the evidence pipeline so artifacts are produced as a byproduct of operations (not reconstructed at assessment time).
- Assessor — C3PAO selection, scheduling, dry-run rehearsal, and the assessment itself. This workstream is on hold during the Phase 2 suspension; the other three are not.
The single most common cause of schedule slips is treating evidence as an end-of-engagement sprint rather than a continuous byproduct. The team that wins 110/110 scores consistently is the team whose operations produce audit-grade artifacts by default.
Why Fortinetics for CMMC
Authorship-level knowledge. A member of our team contributed to the CMMC standard itself at the U.S. Department of Defense in 2019. The framework is not abstract to us; we helped shape what assessors now test against.
Perfect track record. Multiple CMMC Level 2 engagements to perfect 110/110 assessor score, typically in six to nine months from first engagement to certification. The pattern is repeatable because we design the program around evidence-as-byproduct, not assessment-time reconstruction.
Architecture, not audit. We design, implement, document, and sit with you through the actual assessment. Not a gap-analysis-and-leave firm. This is also why the July 2026 suspension changed little about how we work: clients who built the architecture still hold it, while the ones who bought a certificate against a date are the ones re-planning.
Pragmatic commercial model. Firm fixed-price engagements with milestone-based payments, or time-and-materials for more ambiguous scopes. No retainers, no surprise change orders, no reselling of tools.