Fortinetics
← Frameworks · DEFENSE · CUI

CMMC Levels 1, 2, and 3 — by a team that helped draft the standard.

CMMC Phase 2 was suspended on July 13, 2026, and third-party assessment can no longer be required while a 60-day review runs. What did not move: DFARS 252.204-7012, NIST SP 800-171 Rev 2 via self-assessment, and the False Claims Act exposure attached to the SPRS score you already affirmed. A member of our team contributed to CMMC itself at the Department of Defense in 2019. We build the architecture underneath the certificate — the part that survived the suspension.

110/110
Perfect C3PAO scores
6–9 mo
Typical engagement
2019
Team helped draft CMMC

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's cybersecurity certification program for the Defense Industrial Base. Under CMMC 2.0, contractors are assessed at one of three levels:

  • Level 1 — basic cyber hygiene (17 controls), self-assessed annually.
  • Level 2 — protection of Controlled Unclassified Information (110 NIST SP 800-171 Rev 2 controls), assessed every three years by a C3PAO.
  • Level 3 — protection against advanced persistent threats (Level 2 + a subset of NIST SP 800-172 controls), assessed by DIBCAC.

The assessment framework and contractual enforcement arrived in 32 CFR Part 170 — the CMMC Program rule, published October 15, 2024 and effective December 16, 2024.

Status as of July 13, 2026: the phased rollout is suspended. The Department of War CIO suspended the November 2026 transition to Phase 2 and held all pending and future CMMC implementation milestones in abeyance pending a 60-day review. During the suspension, program managers may designate only Level 1 (Self) or Level 2 (Self) assessments — not Level 2 (C3PAO) or Level 3 (DIBCAC) — and solicitations already carrying those requirements are being amended to remove them. The rule at 32 CFR Part 170 has not been rescinded and DFARS 252.204-7021 has not been removed; this is a pause with an announced review, not a repeal. We break down both memos in [CMMC Phase 2 is suspended](/insights/cmmc-phase-2-suspended/).

What still applies during the suspension

This is the part that matters most right now, because the suspension is being read far more broadly than it was written.

  • DFARS 252.204-7012 — safeguarding covered defense information and the 72-hour cyber incident reporting obligation. The CIO memo states these requirements "are still in effect."
  • NIST SP 800-171 Rev 2 — still the enforced baseline. The memo commits to "continue enforcing baseline compliance with NIST SP 800-171 Rev 2 through DIB self-assessments and select government-led assessments." The delivery mechanism changed; the 110 requirements did not.
  • DFARS 252.204-7019 and 252.204-7020 — your SPRS score and the DoD Assessment Methodology. Separate clauses from CMMC, both still active.
  • False Claims Act exposure — liability attaches to the SPRS score you affirmed, not to a CMMC certificate. No breach is required and no assessor needs to visit. This did not pause.
  • Prime flowdown — DoW suspending its own requirement does not rewrite a subcontract you already signed, and primes remain free to require whatever assurance they want.

The short version: the assessment stopped, the requirements did not.

Who needs CMMC Level 2?

Any organization holding or subject to a DoD contract that involves Controlled Unclassified Information — which, in practice, is the majority of the Defense Industrial Base's roughly 70,000 contractors. If your DFARS 252.204-7012 clause is in the contract, the safeguarding obligation is already live regardless of what happens to the certification schedule.

Typical Level 2 targets include defense subcontractors, prime contractors with CUI-handling subcontracts to flow down, cloud service providers supporting DoD work, and any vendor whose product or service touches CUI at any stage of the federal supply chain.

Level 1 applies when the contract involves only Federal Contract Information, not CUI. Level 3 applies to a narrow set of programs where the adversary threat model justifies the enhanced control set.

What a realistic CMMC Level 2 engagement looks like

Six to nine months is the realistic window from kickoff to assessment-ready for a prepared organization with consistent executive support. The engagement breaks roughly into four parallel workstreams:

  • Technical — CUI enclave design, identity + MFA, endpoint + EDR, centralized logging, boundary protection.
  • Policy — drafting and aligning the policy library to CMMC practice statements.
  • Evidence — designing the evidence pipeline so artifacts are produced as a byproduct of operations (not reconstructed at assessment time).
  • Assessor — C3PAO selection, scheduling, dry-run rehearsal, and the assessment itself. This workstream is on hold during the Phase 2 suspension; the other three are not.

The single most common cause of schedule slips is treating evidence as an end-of-engagement sprint rather than a continuous byproduct. The team that wins 110/110 scores consistently is the team whose operations produce audit-grade artifacts by default.

Why Fortinetics for CMMC

Authorship-level knowledge. A member of our team contributed to the CMMC standard itself at the U.S. Department of Defense in 2019. The framework is not abstract to us; we helped shape what assessors now test against.

Perfect track record. Multiple CMMC Level 2 engagements to perfect 110/110 assessor score, typically in six to nine months from first engagement to certification. The pattern is repeatable because we design the program around evidence-as-byproduct, not assessment-time reconstruction.

Architecture, not audit. We design, implement, document, and sit with you through the actual assessment. Not a gap-analysis-and-leave firm. This is also why the July 2026 suspension changed little about how we work: clients who built the architecture still hold it, while the ones who bought a certificate against a date are the ones re-planning.

Pragmatic commercial model. Firm fixed-price engagements with milestone-based payments, or time-and-materials for more ambiguous scopes. No retainers, no surprise change orders, no reselling of tools.

Recent regulatory changes

What changed in CMMC, recently.

  • July 2026
    CMMC Phase 2 suspended — no C3PAO or DIBCAC designations during a 60-day review

    The Department of War CIO suspended the November 2026 Phase 2 transition and held all pending and future CMMC implementation milestones in abeyance. Program managers may designate only Level 1 (Self) or Level 2 (Self); active solicitations carrying Level 2 (C3PAO) or Level 3 (DIBCAC) requirements must be amended to remove them; no waivers during the review. DFARS 252.204-7012 and NIST SP 800-171 Rev 2 self-assessment remain explicitly in effect.

    Read more →
  • June 2026
    CISA BOD 26-04 retires the BOD 22-01 KEV 'must-patch' deadline

    CISA replaced the flat KEV remediation deadline with a four-criteria, risk-scored model (as fast as three days when all four are met). BODs bind federal civilian agencies, not contractors — but the KEV catalog still sits inside your NIST 800-171 SI-2/RA-5 evidence and prime flow-downs, so the prioritization logic is worth adopting voluntarily.

    Read more →
  • December 2025
    First subcontractor-level DOJ FCA settlement — $421K

    An Illinois precision machining subcontractor settled with DOJ in December 2025 — reportedly the first cyber-fraud settlement to reach the subcontractor tier rather than a prime. Cyber-fraud FCA settlement value rose roughly 233% year-over-year in 2025. False Claims Act liability attaches to the SPRS certification itself — no breach required, and the July 2026 CMMC suspension does not change this.

    Read more →
  • September 2025
    CMMC final rule published — 7021 phases in; 7019/7020 remain in force

    The CMMC final rule (DFARS Case 2019-D041) layers the CMMC clause 252.204-7021 onto contracts and adds a new notice clause, 252.204-7025. It does not delete the self-assessment clauses — 252.204-7019 and 252.204-7020 remain active.

    Read more →
Frequently asked

Questions we get about CMMC.

What score do I need to pass a CMMC Level 2 assessment?
Perfect 110/110 on the NIST SP 800-171 Rev 2 controls. Any 'Other than Satisfied' finding fails the assessment unless it can be converted to a POA&M item under narrow DoD eligibility rules. Most contractors plan to the 110/110 bar rather than rely on POA&M flexibility. The same 110 requirements are what the self-assessment covers during the Phase 2 suspension, and what your SPRS score is computed against.
When does CMMC Level 2 actually become mandatory?
As of July 13, 2026 it is not. The Department of War CIO suspended the November 2026 transition to Phase 2 and held all pending and future CMMC implementation milestones in abeyance pending a 60-day review by a new CMMC Reform Task Force. During the suspension, program managers may designate only CMMC Level 1 (Self) or Level 2 (Self) assessments — not Level 2 (C3PAO) or Level 3 (DIBCAC) — and solicitations or contracts already carrying those requirements are directed to be amended or modified to remove them. No waivers are being granted during the review. What did not change: DFARS 252.204-7012 safeguarding and 72-hour incident reporting are still in effect, NIST SP 800-171 Rev 2 is still enforced through self-assessment, and the SPRS score you affirmed still carries False Claims Act exposure. Further guidance is promised at the conclusion of the review, which puts it around mid-September 2026.
Should we stop our CMMC program now that Phase 2 is suspended?
Stopping the certification event is reasonable; stopping the security work is not. The obligations with real legal exposure — 7012 safeguarding and 72-hour reporting, and the accuracy of your SPRS score under 7019/7020 — are explicitly still in force, and a false or unsupported score is a False Claims Act problem whether or not anyone assesses you. The 60-day review is chartered to recommend a reformed framework rather than nothing, and primes can impose their own flowdown expectations regardless. Keep implementing 800-171; pause the C3PAO booking.
What's the difference between self-assessment and C3PAO assessment?
A self-assessment is performed by the contractor and affirmed in SPRS; a C3PAO assessment is performed by a third-party organization accredited by the Cyber AB. The technical work is identical; the difference is who signs and whether that signature is trusted by the contracting officer. During the Phase 2 suspension this distinction is temporarily moot on new work — program managers may only designate self-assessment (Level 1 or Level 2), and may not designate C3PAO or DIBCAC assessments at all.
How much does CMMC Level 2 certification cost?
Assessment fees alone run $60k–$150k depending on C3PAO choice and scope — though third-party assessments cannot be designated on new work during the Phase 2 suspension. Preparation — the work before the assessment, and the work that still binds you regardless of the suspension — ranges from $150k–$500k+ depending on starting posture, scope, and whether IT buildout is required. We quote every engagement after a scoping call; pricing is scope-dependent and not published.
Can we use a compliance platform like Vanta or Drata instead of hiring Fortinetics?
The platforms handle evidence collection and auditor workflow well; they do not handle control design, architecture decisions, or gap remediation. For a simple SaaS with a clean architecture, the platform is often enough. For CMMC — which involves CUI enclave design, DFARS 7012 incident reporting path, and assessor-grade evidence — most contractors use a firm for the judgment work and a platform (or our evidence pipeline) for the automation.
Tools & comparisons
Next step

Book a scoping call.

Thirty minutes. We'll walk through your specific CMMC target, current posture, and what a realistic engagement shape looks like. NDA-first when the scoping needs sensitive detail.

Book a scoping call →