April 9, 2026
The CEO's Guide to CMMC 2.0: What Every Defense Contractor Executive Must Know in 2026
CMMC 2.0 is now on most DoD contracts. This executive guide covers Level 1–3 requirements and what separates compliant contractors from those failing audits.
If your company holds a Department of Defense contract, or wants one, the question is no longer whether you’ll pursue CMMC 2.0 certification. The real question is whether you’re already behind.
As of 2026, CMMC 2.0 is contractually enforced. Self-attestation isn’t enough for most contractors handling Controlled Unclassified Information (CUI). Third-party assessments by accredited C3PAOs are live. And the DoD is conditioning contract awards on verified compliance. For CEOs of defense contractors in Southern California and across the country, this isn’t a cybersecurity project. It’s a business continuity issue. AdVran’s CMMC 2.0 compliance services cover gap assessments, SSP development, and full C3PAO readiness for contractors across the region.
This guide covers where CMMC came from, what each level actually requires, the best practices that separate contractors who pass from those who don’t, and the leadership decisions that will determine whether your company competes in the defense market over the next decade.
The Origins of CMMC: Why the DoD Built a New Compliance Framework
To understand CMMC, you need to understand the failures that made it necessary.
The foundation of defense contractor cybersecurity obligations is DFARS clause 252.204-7012, which has required contractors to implement the 110 security practices in NIST Special Publication 800-171 since 2017. Every defense contractor handling CUI was already legally obligated to meet these requirements, and self-reporting compliance scores through the DoD’s Supplier Performance Risk System (SPRS) was part of that obligation.
The problem was enforcement. The system ran entirely on the honor system. Contractors submitted SPRS scores, a number between -203 and 110 representing how many controls they’d implemented, and the government largely took them at face value. Nobody verified the scores.
The predictable result was widespread misrepresentation. The DoD’s own analysis found that hundreds of contractors had submitted scores of 110, perfect compliance, while assessors who actually evaluated those environments found scores ranging from negative territory into the 30s and 40s. In 2019 and 2020, a series of high-profile breaches linked to defense contractor networks made the gap between claimed and actual security posture impossible to ignore. China’s theft of F-35 design data, enabled partly through contractor network compromises, became the most cited example of what the existing system was failing to prevent.
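To make the SPRS number concrete, here is an added example (not from the original guide) of how the DoD Assessment Methodology produces it: each of the 110 requirements is weighted 5, 3 or 1, only 3.5.3 and 3.13.11 get partial credit, and the distance between a self-reported 110 and an assessed result falls straight out of the arithmetic. The per-requirement weights shown are a sample subset assumed for illustration, and the assessed gaps are constructed.

```python
"""NIST SP 800-171 DoD Assessment Methodology scoring (the SPRS number).
Each of the 110 requirements weighs 5, 3 or 1 point; a full implementation
scores 110 and every unimplemented requirement subtracts its weight, so the
floor is -203. Only 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography)
get partial credit: 3 points lost instead of 5 when partially met."""
from enum import Enum
MAX_SCORE, MIN_SCORE = 110, -203
class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"          # only valid for 3.5.3 and 3.13.11
    NOT_IMPLEMENTED = "not_implemented"
# Weights for a sample subset of requirements (assumed here for illustration;
# the authoritative table of all 110 values is Annex A of the methodology).
WEIGHTS = {
    "3.3.3": 1,    # review and update logged events
    "3.5.3": 5,    # multifactor authentication
    "3.6.3": 1,    # test the incident response capability
    "3.11.1": 3,   # periodically assess risk
    "3.11.2": 5,   # scan for vulnerabilities
    "3.13.11": 5,  # FIPS-validated cryptography protecting CUI
}
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}   # points lost when partially met
# NIST SP 800-171 family number -> the 14 domain names used in this guide.
DOMAINS = {"3.1": "Access Control", "3.2": "Awareness & Training",
           "3.3": "Audit & Accountability", "3.4": "Configuration Management",
           "3.5": "Identification & Authentication", "3.6": "Incident Response",
           "3.7": "Maintenance", "3.8": "Media Protection", "3.9": "Personnel Security",
           "3.10": "Physical Protection", "3.11": "Risk Assessment",
           "3.12": "Security Assessment", "3.13": "System & Communications Protection",
           "3.14": "System & Information Integrity"}

def deduction(req_id, status):
    """Points lost for one requirement at the given implementation status."""
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL:
        if req_id not in PARTIAL_CREDIT:
            raise ValueError(f"{req_id} has no partial-credit rule")
        return PARTIAL_CREDIT[req_id]
    return WEIGHTS[req_id]

def sprs_score(gaps):
    """Score from a dict of requirement id -> Status listing only the gaps;
    anything not listed counts as implemented. 3.12.4 (the SSP) has no point
    value: without a current SSP the methodology does not score at all."""
    score = MAX_SCORE - sum(deduction(r, s) for r, s in gaps.items())
    assert MIN_SCORE <= score <= MAX_SCORE
    return score

def points_lost_by_domain(gaps):
    """Roll deductions up to domains so leadership sees where points go."""
    lost = {}
    for req_id, status in gaps.items():
        domain = DOMAINS[req_id.rsplit(".", 1)[0]]
        lost[domain] = lost.get(domain, 0) + deduction(req_id, status)
    return lost

# Constructed example: the contractor self-reported 110; the assessor found these.
ASSESSED_GAPS = {
    "3.5.3": Status.PARTIAL,           # MFA on remote access, not on local admin logins
    "3.3.3": Status.NOT_IMPLEMENTED,   # logged event set never reviewed
    "3.6.3": Status.NOT_IMPLEMENTED,   # IR plan exists but was never exercised
    "3.11.1": Status.NOT_IMPLEMENTED,  # no documented risk assessment
    "3.13.11": Status.NOT_IMPLEMENTED, # CUI shares stored without encryption
}
```

With the constructed gaps, `sprs_score(ASSESSED_GAPS)` returns 97 against the claimed 110, and `points_lost_by_domain` shows the five points in System & Communications Protection as the largest single loss.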
CMMC Program History
- DFARS 7012: Self-attestation required. No verification mechanism.
- CMMC 1.0: 5-level model introduced. Criticized as overcomplicated.
- CMMC 2.0: Streamlined to 3 levels. Aligned to NIST standards.
- Final Rule: Rulemaking complete. C3PAO assessments begin.
- Full Enforcement: CMMC clause in most DoD contract solicitations.
CMMC 1.0 was the DoD’s initial response, announced in 2020. It introduced five maturity levels and required third-party certification at most levels. It was widely criticized as overcomplicated. Small and mid-sized defense contractors faced certification requirements that were difficult to meet and expensive to pursue.
CMMC 2.0, announced in November 2021 and finalized in the 2024 rulemaking, addressed those criticisms by cutting from five levels to three, aligning exactly with existing NIST standards, and introducing a tiered verification approach. CMMC 2.0 became operative in late 2024, with full enforcement through 2025 and 2026.
The lesson from CMMC’s origins is worth sitting with: this program exists because the DoD decided the defense industrial base had a systemic cybersecurity honesty problem. The government’s answer is verification, and that verification only matters if it has real consequences for contractors who can’t pass.
Understanding the Three CMMC Levels
| Level | Name | Who It Applies To | Requirements | Verification |
|---|---|---|---|---|
| Level 1 | Foundational | Contractors handling FCI only: basic procurement and contract data | 17 practices from FAR 52.204-21 | Annual self-attestation by senior official |
| Level 2 | Advanced | Contractors handling CUI: technical specs, weapon data, research, ITAR material | 110 practices from NIST SP 800-171 across 14 domains | C3PAO third-party assessment (most contracts) or self-attestation (limited cases) |
| Level 3 | Expert | Contractors on the most sensitive DoD programs, APT-targeted environments | 110 NIST 800-171 practices + NIST 800-172 enhancements | Government-led assessment by DCMA DIBCAC |
Level 1: Foundational
Who needs it: Contractors who handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). FCI covers basic procurement data, contract communications, and similar low-sensitivity information.
What it requires: 17 cybersecurity practices derived from FAR clause 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). These cover the fundamentals: limiting system access to authorized users, screening individuals before system access, sanitizing media before disposal, controlling physical access, managing user accounts, and running basic security awareness training.
How verification works: Annual self-attestation by a senior company official, a C-suite executive who certifies in the SPRS system that all 17 controls are implemented. No third-party assessment required. But the attestation carries False Claims Act exposure: a false attestation that leads to a contract award is federal fraud.
The executive takeaway: If your work genuinely only touches FCI, Level 1 is achievable with modest investment. The key question is whether any of your contracts involve technical specifications, weapon system data, research data, or any of the 125 CUI categories in the National Archives CUI Registry. If they do, or could in the future, you’re in Level 2 territory.
Level 2: Advanced
Level 2 is where the vast majority of meaningful defense contractors operate. It’s also where most CMMC compliance activity is concentrated.
Who needs it: Contractors handling Controlled Unclassified Information (CUI), the category that covers most substantive defense work. CUI includes technical drawings and specifications, export-controlled technology (ITAR/EAR), research data, military operations information, personally identifiable information, and roughly 120 other defined categories.
What it requires: All 110 security practices from NIST Special Publication 800-171, organized into 14 domains:
- Access Control (22 practices): User accounts, least privilege, remote access, wireless, mobile
- Audit & Accountability (9 practices): Log creation, protection, review, and retention
- Awareness & Training (3 practices): Documented training programs and security awareness records
- Configuration Management (9 practices): Secure baselines, change control, software inventory
- Identification & Authentication (11 practices): MFA for all CUI access, device identity, password management
- Incident Response (3 practices): Documented IR plan, defined roles, tested and trained
- Maintenance (6 practices): Secure maintenance, controlled tools, remote maintenance records
- Media Protection (9 practices): CUI media lifecycle, storage, transport, sanitization, disposal
- Personnel Security (2 practices): Pre-access screening, termination procedures
- Physical Protection (6 practices): Physical access controls, visitor management, physical devices
- Risk Assessment (3 practices): Documented risk assessments, threat identification, prioritized remediation
- Security Assessment (4 practices): Periodic control assessments, POA&M management, continuous monitoring
- System & Communications Protection (16 practices): Network segmentation, CUI encryption in transit, DoS protection
- System & Information Integrity (7 practices): Malware protection, vulnerability scanning, security alert monitoring
How verification works: Most Level 2 contracts require a third-party assessment by an accredited C3PAO (CMMC Third-Party Assessment Organization). A small subset may permit annual self-attestation. Your contracting officer or the solicitation’s CMMC clause will specify which pathway applies.
For C3PAO assessments, the outcome is binary: a score of 110 out of 110 (all practices implemented) or a conditional authorization with an accepted Plan of Action and Milestones (POA&M). Assessments are valid for three years.
The System Security Plan (SSP) is the cornerstone document. It’s a living record that maps each of the 110 controls to your specific environment, what systems are in scope, how each control is implemented, who owns it, and what the current gaps are. An outdated or inaccurate SSP is a direct assessment failure risk.
Level 3: Expert
Who needs it: Contractors working on the DoD’s most critical and sensitive programs, typically involving advanced technologies, specialized weapon systems, or information that adversaries would most aggressively target.
What it requires: All 110 NIST 800-171 practices from Level 2, plus a subset of practices from NIST Special Publication 800-172 (Enhanced Security Requirements for CUI). NIST 800-172 adds requirements designed to protect against Advanced Persistent Threats, nation-state-level attackers. These enhancements include more rigorous access controls, advanced monitoring requirements, tighter configuration management, and additional incident response capabilities.
How verification works: Government-led assessment by the Defense Contract Management Agency (DCMA) DIBCAC, not a commercial C3PAO. DCMA assessors have authority to conduct unannounced assessments on high-priority programs.
The executive takeaway: If your contracts require Level 3, your contracting officer will have told you explicitly. This guide focuses primarily on Level 2, where most contractor investment and compliance work is concentrated.
The Business Risk No One Is Quantifying
Most CMMC conversations focus on technical controls. CEOs need to understand the commercial exposure.
Contract Disqualification
CMMC requirements are embedded in solicitations. Without certification at the required level, you are excluded from the award regardless of technical qualifications, past performance, or pricing.
False Claims Act Liability
When your company submits a bid or invoice, it certifies compliance with all requirements. If your company was not actually compliant and submitted anyway, that is a potential FCA violation, with personal liability for executives.
Supply Chain Exclusion
Primes including Northrop Grumman, Raytheon, Boeing, and Lockheed Martin conduct their own cybersecurity assessments of their supplier base. Failing those assessments means losing subcontract opportunities even before the DoD formally requires CMMC at your tier.
Cyber Insurance Gaps
Most cyber insurance policies include representations about security controls. A false CMMC score, followed by a breach, may void your policy. Breach exposure plus loss of coverage plus FCA liability is a company-ending risk profile.
The Department of Justice has actively pursued FCA cases against defense contractors for cybersecurity misrepresentations, with settlements reaching into the tens of millions. The personal liability exposure for individual executives who sign contract certifications is real. It’s also quantifiable.
And here’s what makes Southern California defense contractors particularly exposed: the aerospace and defense supply chain in Long Beach, Anaheim, El Segundo, and Thousand Oaks is dense. Primes have options. A supplier that can’t clear a cybersecurity audit gets replaced. That’s the commercial reality.
What “Actually Compliant” Means
Many organizations that fail CMMC assessments had implemented most of the technical controls. They fail because compliance isn’t just binary in the way people assume. Controls must work, be documented, be understood by staff, and be demonstrably operated on an ongoing basis.
The assessor isn’t just checking whether the controls exist. They’re verifying that controls work, that people know how to use them, and that the organization can show continuous operation, not just a snapshot in time.
The most consistently failed controls in C3PAO assessments are operational and organizational, not technical.
Risk Assessment (RA). CMMC requires documented, current risk assessments that identify threats, evaluate likelihood and impact, and drive remediation priorities. Most organizations that fail CMMC do so in part because their risk assessments are outdated, incomplete, or not formally documented.
Audit and Accountability (AU). All activity on CUI systems must be logged, and those logs must be reviewed. Many organizations collect logs but have no formal review process. Assessors consistently cite this gap.
Incident Response (IR). You must have a documented incident response plan, conduct training on it, and test it. Having a plan in a drawer isn’t enough. The assessor will ask about tabletop exercises and training records.
System Security Plan (SSP). The SSP must be current and accurate. An SSP written 18 months ago for a different environment is a red flag. An SSP that describes controls you intend to implement rather than controls you have implemented is a finding.
Best Practices: What High-Performing Contractors Do
Having supported multiple defense contractors through C3PAO assessments, we see the practices that separate contractors who pass from those who don't fall into six clear patterns.
Assessment-Ready Practices
Treat the SSP as a living document
Contractors who pass have SSPs that are visibly current, updated when systems, personnel, or controls change. An SSP written for the assessment and never touched again is a red flag assessors catch immediately.
Implement continuous log review, not periodic batch review
High-performing contractors implement automated SIEM alerting with documented escalation procedures, so they can show a review log demonstrating daily or continuous operation. Manually reviewed logs with large gaps are a finding.
Scope CUI environments tightly and defend the scope
Aggressive CUI scoping means isolating all CUI-handling systems into a defined, documented enclave. That reduces the number of systems requiring all 110 controls. Contractors who allow CUI to flow freely across their entire environment face an overwhelming compliance task.
Run internal assessments before the C3PAO arrives
Contractors who perform well have typically conducted at least one rigorous internal assessment, ideally with an outside advisor, in the six months before the official assessment. This surfaces findings that can be remediated before they become official deficiencies.
Build compliance into operations, not alongside them
The most resilient CMMC programs are embedded in standard operating procedures. IT change management includes security impact review. Onboarding includes CUI handling training before access is granted. Programs built as a parallel process consistently fail as staff turns over.
Document everything with timestamps
Evidence collection discipline is the difference between a finding and a passing control. When an assessor asks "how do you know your vulnerability scans are running weekly?" the answer must be a report, log, or ticket, timestamped and retrievable, not "our IT provider handles that."
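As an added example (not code from the original guide or from AdVran), a check over a constructed evidence register that flags what an assessor would: any stretch of the assessment window longer than the control's required cadence with no timestamped artifact behind it. The control labels, cadences and window are assumptions.

```python
"""Evidence-cadence check: does the timestamped evidence for a control show
continuous operation across the assessment window, or does it have the gaps
an assessor writes up? EVIDENCE below is constructed sample data."""
from datetime import datetime, timedelta

# Constructed evidence register: (control label, artifact, ISO-8601 timestamp).
EVIDENCE = [
    ("vuln-scan", "scan-report", "2026-01-05T02:00:00"),
    ("vuln-scan", "scan-report", "2026-01-12T02:00:00"),
    ("vuln-scan", "scan-report", "2026-01-19T02:00:00"),
    ("vuln-scan", "scan-report", "2026-02-09T02:00:00"),     # scans skipped for three weeks
    ("log-review", "review-ticket", "2026-01-05T09:10:00"),
    ("log-review", "review-ticket", "2026-01-06T09:05:00"),
    ("log-review", "review-ticket", "2026-01-07T08:55:00"),
    ("log-review", "review-ticket", "2026-01-12T09:20:00"),  # no review Jan 8 to 11
]
# Required cadence per control, as stated in the SSP (assumed values).
CADENCES = {"vuln-scan": timedelta(weeks=1), "log-review": timedelta(days=1)}
WINDOW_START, WINDOW_END = datetime(2026, 1, 1), datetime(2026, 2, 15)

def cadence_gaps(evidence, control, required, window_start, window_end,
                 slack=timedelta(days=1)):
    """Return (from, to) intervals longer than required + slack in which no
    evidence exists for the control. The window edges count as points, so a
    control that only produced evidence mid-period shows leading/trailing gaps.
    slack absorbs a job that ran a little late without hiding a missed cycle."""
    stamps = sorted(datetime.fromisoformat(ts)
                    for label, _, ts in evidence if label == control)
    points = [window_start, *stamps, window_end]
    limit = required + slack
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > limit]

def evidence_findings(evidence, cadences, window_start, window_end):
    """Gaps per control; an empty list means the evidence shows continuous operation."""
    return {c: cadence_gaps(evidence, c, req, window_start, window_end)
            for c, req in cadences.items()}

if __name__ == "__main__":
    findings = evidence_findings(EVIDENCE, CADENCES, WINDOW_START, WINDOW_END)
    for control, gaps in findings.items():
        for a, b in gaps:
            print(f"{control}: no evidence {a:%Y-%m-%d} to {b:%Y-%m-%d} ({(b - a).days} days)")
```

On the sample register the weekly scan shows one 21-day hole, and the daily log review shows three gaps, including the stretch from the last ticket to the end of the window, which is exactly the "we review logs" claim with nothing retrievable behind it.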
What to Expect from the C3PAO Assessment
A CMMC Level 2 assessment typically takes one to three days on-site, plus several weeks of documentation review before the site visit. The C3PAO assessor will:
- Review your System Security Plan and verify it matches your actual environment
- Interview key personnel: IT staff, security staff, management, and users who handle CUI
- Test selected controls in your environment, including reviewing access control lists, checking encryption configurations, pulling log review records, and examining incident response documentation
- Identify deficiencies and document findings in a Corrective Action Plan (CAP)
A score below 110 out of 110 doesn’t automatically mean failure. Deficiencies can sometimes be remediated before the assessment is finalized, and a POA&M with an accepted remediation timeline may allow conditional authorization. But significant gaps, especially in high-weighted controls like access control, audit logging, and configuration management, will result in a failing assessment.
The CEO’s Six-Month Action Plan
Six-Month CMMC Readiness Roadmap
- Commission an independent gap assessment against all 110 NIST 800-171 controls. Get a current SPRS score. Identify the highest-severity gaps. Make the organizational commitment that this will be completed on schedule.
- Designate a CMMC Program Manager with direct executive access. Select a managed service provider that operates at CMMC Level 2 standards themselves. Establish a Shared Responsibility Matrix documenting who owns which controls.
- Prioritize the highest-impact technical remediation: MFA deployment, CUI encryption at rest and in transit, access control implementation, log management and SIEM, vulnerability scanning. These take time to implement and test. Start them first.
- Complete or update your System Security Plan. Conduct workforce CUI handling training. Run a tabletop incident response exercise. Document everything with timestamps. Your evidence package is what the assessor will review.
- Conduct a formal pre-assessment readiness review. Remediate any remaining findings. Schedule the C3PAO assessment with a two-to-four-week buffer between your pre-assessment results and the formal assessment date.
Choosing the Right Partner
Not all IT providers and MSPs are equipped to support CMMC compliance. These are the questions worth asking before you sign anything.
Does your IT provider operate at CMMC Level 2 standards themselves? If they handle your CUI environment and aren’t themselves compliant, they’re the source of your biggest audit risk. AdVran’s compliance and risk management services include Shared Responsibility Matrix documentation so every control owner is explicit before the C3PAO arrives.
Does your provider maintain US-only personnel? ITAR and CUI handling restrictions prohibit access by foreign nationals. A provider with offshore support staff is a disqualifying factor.
Can your provider produce a Shared Responsibility Matrix documenting which of the 110 controls they own, which you own, and which are shared? Clear accountability is a requirement, not a preference.
Does your provider have experience with actual C3PAO assessments, not just NIST 800-171 self-assessments? Preparing for a verified third-party assessment is fundamentally different from self-attestation prep. Ask for references from clients who have completed C3PAO assessments successfully.
Closing: The Executive Responsibility
CMMC compliance is ultimately a business decision that only the CEO can make. The history of this program, why it was created, why CMMC 1.0 was revised, why CMMC 2.0 has real enforcement teeth, makes clear that the DoD isn’t retreating from verification. The contractors who treated the original DFARS 7012 self-attestation as a formality are now facing retroactive FCA exposure and urgent remediation timelines. The contractors who invested early are winning contracts their competitors can’t even bid on.
Southern California’s defense industrial base faces this as a regional issue, not just a regulatory one. Companies in Long Beach, Anaheim, Pasadena, El Segundo, and Thousand Oaks that achieve Level 2 certification in 2026 will hold a real competitive edge over those that wait. AdVran’s aerospace and defense IT services are purpose-built for contractors in this region.
The question to ask your leadership team this week: Do we know our current NIST 800-171 score, and do we have a credible plan to reach 110?
If the answer is no, the work starts now.
AdVran provides CMMC Level 2 compliance services to defense contractors in Southern California, including gap assessments, SSP development, managed security controls, and C3PAO assessment preparation. Our founder Adrian Monges Rodriguez is a computer engineer who managed complex network infrastructure at Boeing on projects with NASA and other defense and aerospace organizations. That same engineering discipline is applied to every defense client’s compliance posture.