CMMC Compliance: How to Meet New Cybersecurity Requirements
Published November 25, 2025
The average cost of a data breach in the United States hit a record high of $10.22 million in 2025 – a 9% year-over-year increase. As identity-based attacks accelerate, hackers lean into AI-enabled exploits, and supply chain risks surge, the U.S. Department of Defense (DoD) is proactively boosting security postures with the rollout of the CMMC program.
We’ll break down what CMMC compliance involves in practice, how the three levels map to established security standards, and what organizations need to do to prepare for Phase 2 requirements in 2026.
What is CMMC Compliance?
The Cybersecurity Maturity Model Certification (CMMC) framework is a U.S. DoD-led program designed to assess and verify the cybersecurity maturity of organizations in the defense industrial base (DIB).
By requiring CMMC compliance, the DoD aims to ensure that all contractors and subcontractors have implemented key cybersecurity standards across any systems that will process, store, or transmit federal contract information (FCI) or controlled unclassified information (CUI).
CMMC 2.0 simplifies earlier versions of the framework, refining the model to include three levels rather than five. According to the DoD CIO, CMMC assessments are mapped to multiple underlying regulations and standards:
- CMMC Level 1 aligns with the 15 basic safeguards outlined in FAR 52.204-21.
- CMMC Level 2 mirrors the 110 requirements in NIST SP 800-171 Rev. 2.
- CMMC Level 3 builds on Level 2 requirements by incorporating a subset of NIST SP 800-172’s enhanced security requirements for protecting CUI against advanced threats.
CMMC Framework Scope: Who Is Covered?
CMMC applies broadly across the defense supply chain. Whether an organization needs to be compliant – and which level of compliance applies – depends on the types of sensitive information it’s contracted to handle.
Organizations must comply with the appropriate CMMC level when contractually required to safeguard FCI or CUI:
- Federal Contract Information (FCI): Information not intended for public release that is provided by or generated for the government under contract.
- Controlled Unclassified Information (CUI): Information requiring safeguarding or dissemination controls under federal laws, regulations, or government-wide policies.
Because of its broad scope, CMMC may apply to prime contractors, subcontractors at any tier, and external service providers whose systems store, process, or transmit FCI or CUI, or whose systems otherwise fall within a contractor's assessment scope. Since CMMC is enforced through contractual clauses, a specific CMMC level will increasingly appear as a condition of contract award, and primes must flow the requirement down to subcontractors that handle FCI or CUI.
CMMC 2.0 Compliance: Requirements Across 3 Levels
The CMMC framework leverages a tiered model; the three progressively advanced levels include cumulative requirements mapped to key cybersecurity standards.
CMMC Level 1 Requirements
Compliance with CMMC Level 1 establishes a foundational cybersecurity posture and applies to contractors that handle FCI but not CUI. Requirements for this tier are the 15 safeguards defined in FAR 52.204-21(b)(1), including:
- Limiting system access to authorized users, processes acting on their behalf, and devices (FAR 52.204-21(b)(1)(i))
- Verifying and controlling connections to and use of external systems ((b)(1)(iii))
- Monitoring, controlling, and protecting communications at external and key internal boundaries ((b)(1)(x))
- Identifying and correcting system flaws, protecting against malicious code, keeping those protections updated, and scanning systems and files from external sources ((b)(1)(xii) through (b)(1)(xv))
To achieve (and maintain) CMMC Level 1 status, organizations must complete annual self-assessments and enter their results into the Supplier Performance Risk System (SPRS) for affirmation.
CMMC Level 2 Requirements
Level 2 CMMC compliance requires adherence with controls outlined in NIST SP 800-171 Rev. 2. At this “advanced” tier, organizations comply with 110 requirements across 14 categories, including:
- Access Control (AC)
- Audit & Accountability (AU)
- Configuration Management (CM)
- Identification & Authentication (IA)
- Incident Response (IR)
- Risk Assessment (RA)
- System & Communications Protection (SC)
- System & Information Integrity (SI)
At CMMC Level 2, organizations must both implement the required controls and document how each is implemented in a System Security Plan (SSP). Any requirement not yet fully met must be tracked in a Plan of Action & Milestones (POA&M); only certain lower-weighted requirements are eligible for a POA&M, and open items must be closed within 180 days for a conditional status to become a final one.
Certification involves either a self-assessment (Level 2 Self) or an independent assessment by an authorized CMMC Third-Party Assessment Organization (C3PAO) every three years, with results recorded in SPRS; the solicitation specifies which of the two applies. Organizations are then responsible for affirming continued compliance in SPRS annually, or their status will lapse.
CMMC Level 3 Requirements
Organizations that hold a final Level 2 (C3PAO) certification are eligible to advance to Level 3, the "expert" tier. At this stage, covered entities are subject to 134 requirements in total: the 110 requirements from NIST SP 800-171 Rev. 2 plus 24 selected from NIST SP 800-172, which add more rigorous measures such as:
- Advanced monitoring
- Anomaly detection
- Isolation of critical assets
- Elevated protections for critical assets
- Resilience mechanisms
At Level 3, the CMMC program does not allow for self-assessment. Instead, organizations must undergo an assessment every three years with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and provide annual affirmation to verify compliance with the 24 key requirements from NIST SP 800-172.
CMMC Compliance Deadlines: 2025-2028 Phased Rollout
In September 2025, the DoD issued a final rule amending its acquisition standards to incorporate contractual requirements related to the CMMC program. This paved the way for CMMC implementation, which began on November 10, 2025, and will roll out in four phases over three years.
Phase 1: November 10, 2025 - November 9, 2026
During the first year of implementation, DoD solicitations may begin requiring CMMC Level 1 and Level 2 self-assessments. Where applicable, organizations must now complete these assessments and submit results to SPRS in order to be considered for a contract. The DoD may also, at its discretion, require a Level 2 C3PAO certification in individual Phase 1 solicitations rather than waiting for Phase 2.
Phase 2: November 10, 2026 - November 9, 2027
In late 2026, some solicitations will begin requiring CMMC Level 2 third-party assessments alongside the ongoing requirement for certain Level 1 and Level 2 self-assessments. However, during this phase, the DoD may opt to delay the Level 2 certification requirement to an “option period” in the contract.
Phase 3: November 10, 2027 - November 9, 2028
During phase 3 of the CMMC rollout, applicable solicitations will begin requiring Level 3 CMMC certification, which requires a government-led assessment. Level 3 assessments are performed by the DIBCAC, with contractors required to affirm compliance annually following the assessment. Phase 3 also allows for Level 3 certification requirements to be optionally delayed.
Phase 4: After November 10, 2028
Starting in November 2028, all CMMC requirements will be fully integrated across the DoD acquisition process, with Level 1, Level 2, or Level 3 requirements appearing in contract clauses based on program needs. At this stage, CMMC compliance will be a condition of any contract award.
Key Control Areas for CMMC Compliance
While specific CMMC requirements vary by level, the areas representing the most substantial requirements across every tier include:
- Access Control: Limiting access to authorized users, managing external connections, and enforcing the principle of least privilege.
- Audit and Accountability: Event logging and retention, audit review processes, and audit record protection.
- System and Communications Protection: Network segmentation, cryptographic protections (FIPS-validated cryptography where CUI is protected), and monitoring and isolating traffic.
- Identification and Authentication: Multi-factor authentication (MFA), individual user identification, and credential management.
- Incident Response and Resilience: Detect incidents, contain and minimize impact (in some cases, through dynamic isolation), and document incident response steps.
Future-Proofing Cybersecurity Compliance with Zero Networks
Zero Networks streamlines compliance with CMMC and other standards with automated, identity-aligned microsegmentation that scales granular, least-privilege access controls across the entire network.
Zero’s radically simple solution proactively isolates every asset and identity into its own secure zone, enabling instant threat containment at the architectural level. By delivering real-time visibility into all network activity, Zero enhances audit readiness and simplifies every level of CMMC compliance.
Find out how you can stay ahead of evolving cybersecurity standards without adding operational complexity – request a demo.