Decoding DoD Cybersecurity: CMMC, DFARS, and FedRAMP Equivalence Demystified


If you’re part of the Defense Industrial Base, you already know the ground has shifted. The Cybersecurity Maturity Model Certification (CMMC) 2.0 became effective on December 16, 2024, and its acquisition requirements started appearing in DoD contracts on November 10, 2025. The era of self-attestation—where contractors could simply claim they met cybersecurity standards without independent verification—is over. 

But CMMC doesn’t exist in a vacuum. It’s one layer of an interconnected framework that includes DFARS 252.204-7012 (which has been mandatory since 2017), NIST SP 800-171, and FedRAMP Equivalence requirements for cloud service providers. Each serves a different purpose. Each imposes distinct obligations. And misunderstanding how they relate to one another is one of the most common—and costly—mistakes we see organizations make. 

We wrote this guide to cut through the noise. Whether you’re a prime contractor, a subcontractor deep in the supply chain, a managed service provider supporting DIB clients, or a cloud service provider hosting defense workloads, this post maps out exactly what’s required, who’s responsible, and how to build a compliance strategy that holds up under scrutiny.

The Foundation That May Be Overlooked (DFARS 252.204-7012)

Before CMMC entered the conversation, DFARS 252.204-7012 established the baseline. Effective since December 31, 2017, it applies to virtually all DoD acquisitions except contracts solely for Commercial Off-The-Shelf items. If your organization handles Covered Defense Information under a DoD contract, you’ve been legally required to implement the 110 security controls in NIST SP 800-171 Revision 2 for years. 

The clause also mandates cyber incident reporting to the DoD Cyber Crime Center within 72 hours of discovery, preservation of forensic images, and cooperation with damage assessments. These aren’t aspirational goals—they’re contractual obligations with real enforcement consequences.

What Many Organizations Miss 

DFARS 7012 also established the cloud security standard that’s now causing significant confusion. The clause requires that any external cloud service provider storing, processing, or transmitting Covered Defense Information must meet security requirements “equivalent” to the FedRAMP Moderate baseline. What “equivalent” means wasn’t clarified until the DoD’s December 2023 memorandum—and the answer surprised many in the industry. 

The clause distinguishes between two system categories based on how they’re operated. Systems covered under paragraph (b)(1)—IT services or systems operated on behalf of the Government—must comply with DFARS 252.239-7010 and the DISA Cloud Computing Security Requirements Guide. Systems covered under paragraph (b)(2)—contractor-owned systems not operated on behalf of the Government—are subject to NIST SP 800-171. This distinction matters because it determines your compliance pathway. Note that while practitioners sometimes refer to these informally as “Type 1” and “Type 2” systems, those labels don’t appear in the regulatory text itself; using the paragraph citations is the technically precise framing. 

Critically, prime contractors must flow DFARS 7012 requirements down to all subcontractors that will process, store, or transmit CUI. This creates cascading compliance obligations throughout the supply chain—a reality that CMMC is now putting teeth behind. 

CMMC 2.0: From Trust to Verification 

The fundamental shift CMMC introduces isn’t new security requirements—at Level 2, the controls are the same 110 from NIST SP 800-171 that DFARS 7012 has required since 2017. The shift is verification. Organizations can no longer simply assert compliance; they must demonstrate it through structured assessments and, for most CUI-handling contractors, independent third-party certification. 

The Three-Level Framework 

  • Level 1: Foundational – Level 1 applies to contractors handling only Federal Contract Information (FCI). It requires the implementation of 15 basic safeguarding practices from FAR 52.204-21, validated through an annual self-assessment with affirmation submitted to SPRS. POA&Ms are not permitted at Level 1—every requirement must be fully met. 
  • Level 2: Advanced – This is where the rubber meets the road for most of the Defense Industrial Base. Level 2 applies to contractors handling CUI and requires all 110 NIST SP 800-171 Revision 2 controls. Assessment can be a self-assessment or a third-party assessment by a C3PAO. C3PAO certifications are valid for three years with annual affirmation required.  
  • Level 3: Expert – Reserved for contractors supporting the most critical DoD programs, Level 3 requires all Level 2 controls plus 24 additional controls from NIST SP 800-172. Assessment is government-led by DIBCAC, and organizations must first achieve Level 2 C3PAO certification. Approximately 1,500 companies fall into this tier. 

The POA&M Reality Check 

CMMC 2.0 allows limited use of POA&Ms for Level 2 and Level 3, but the constraints are strict. Contractors can achieve a Conditional CMMC Status only if they score at least 80% and fully implement all designated critical requirements. Every non-compliant item must be remediated within 180 days. If you don’t achieve Final CMMC Status within that window, your conditional status expires and you lose contract eligibility. 
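As an added example that is not part of the original post, the small Python tracker below applies the Conditional-status rules just described (80% score threshold, no critical requirements on the POA&M, 180-day closeout). The numeric score and the critical-requirement flags are assumed to be supplied by the assessment methodology and the assessor; the sample assessment is constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

CONDITIONAL_MIN_RATIO = 0.80  # minimum score for Conditional status (from the post)
POAM_WINDOW_DAYS = 180        # remediation window for Conditional status (from the post)

@dataclass
class ControlResult:
    control_id: str         # NIST SP 800-171 requirement, e.g. "3.1.1"
    met: bool
    critical: bool = False  # designated critical requirement; assumed flagged by the assessor

@dataclass
class Assessment:
    assessed_on: date
    score: int              # score as reported by the assessment methodology (assumed given)
    max_score: int
    controls: list[ControlResult] = field(default_factory=list)

def open_items(a: Assessment) -> list[ControlResult]:
    return [c for c in a.controls if not c.met]  # gaps that need a POA&M entry

def initial_status(a: Assessment) -> str:
    """'Final' with no gaps, 'Conditional' if the POA&M rules hold, else 'Not Met'."""
    gaps = open_items(a)
    if not gaps:
        return "Final"
    if any(c.critical for c in gaps):
        return "Not Met"  # critical requirements cannot sit on a POA&M
    if a.score < CONDITIONAL_MIN_RATIO * a.max_score:
        return "Not Met"  # below the 80% threshold
    return "Conditional"

def poam_deadline(a: Assessment) -> date:
    """Last day by which every POA&M item must be closed."""
    return a.assessed_on + timedelta(days=POAM_WINDOW_DAYS)

def status_on(a: Assessment, today: date, closed: set[str]) -> str:
    """Status on a later date, given the ids of gaps that have since been closed."""
    first = initial_status(a)
    if first != "Conditional":
        return first
    if all(c.control_id in closed for c in open_items(a)):
        return "Final"
    return "Expired" if today > poam_deadline(a) else "Conditional"

# Constructed sample: one non-critical gap, score above the threshold.
SAMPLE = Assessment(date(2026, 3, 2), score=92, max_score=110,
                    controls=[ControlResult("3.1.2", met=False),
                              ControlResult("3.5.3", met=True, critical=True)])
```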

Implementation Timeline 

| Phase | Effective | What Happens |
| --- | --- | --- |
| Phase 1 | Nov 2025 | Level 1 & Level 2 Self-Assessment requirements. Discretionary Level 2 C3PAO for select contracts. |
| Phase 2 | Nov 2026 | Level 2 C3PAO certification required in applicable solicitations; DoD may defer to option period rather than award condition. |
| Phase 3 | Nov 2027 | Level 3 government-led assessment requirements added. |
| Phase 4 | Nov 2028 | Full CMMC implementation across all applicable DoD contracts. |

FedRAMP Equivalence: The Cloud Security Standard That Raised the Bar 

The December 21, 2023, DoD memorandum clarifying FedRAMP Moderate Equivalence established that “equivalent” means 100% compliance with the FedRAMP Moderate baseline—all 323 controls based on NIST SP 800-53. No gaps. No Plans of Action and Milestones except for operational items. 

This is, paradoxically, often more stringent than full FedRAMP authorization. With a full FedRAMP ATO, a government Authorizing Official can accept residual risk and approve systems with open POA&Ms. With equivalency, there is no government official accepting risk—which is why zero findings are required. 

Why SaaS Solutions Typically Require FedRAMP Authorization or Equivalence 

Virtually every SaaS application used to store, process, or transmit CUI in a defense contractor’s environment must be FedRAMP Moderate authorized or equivalent. DFARS 252.204-7012(b)(2)(ii)(D) is explicit: any external cloud service provider handling covered defense information must meet FedRAMP Moderate equivalent security. SaaS solutions are, by definition, external cloud services subject to this requirement. 

The second mandate flows from CMMC scoping. The 32 CFR Part 170 final rule confirms that CSPs storing, processing, or transmitting CUI must meet FedRAMP Moderate or equivalent standards. During assessment, C3PAOs will examine every CSP in your boundary. If a SaaS provider cannot demonstrate FedRAMP authorization or equivalence, that’s a finding—and potentially a failed assessment. 

The Commercial SaaS Trap 

Commercial versions of popular productivity suites and collaboration tools typically lack FedRAMP authorization, U.S. data residency guarantees, and U.S.-person access controls required for CUI workloads. This requirement extends to every SaaS application in your CUI boundary—project management, engineering tools, CRM, HR platforms, ticketing systems. DIB contractors should audit every SaaS application and verify its FedRAMP status on the FedRAMP Marketplace. 

Contractor Accountability 

Defense contractors bear responsibility for validating their CSPs’ compliance. They must endorse the use of the cloud service offering, confirm the CSP has an incident response plan, ensure the CSP follows that plan, and report any compromise. The contractor—not the CSP—is held accountable for reporting and compliance failures. 

Navigating Your Compliance Pathway 

One of the most frequent questions we encounter is deceptively simple: What do I need to do? The answer depends entirely on your role in the defense ecosystem and the type of information you handle. 

| Organization Type | Data Handled | Required Pathway | Assessment Method |
| --- | --- | --- | --- |
| Prime Contractor | FCI Only | CMMC Level 1 | Annual Self-Assessment |
| Prime Contractor | CUI | CMMC Level 2 (C3PAO) | Triennial C3PAO + Annual Affirmation |
| Prime Contractor | High-Value CUI | CMMC Level 3 | DIBCAC (requires Level 2 first) |
| Subcontractor | CUI (Flow-Down) | Match Prime Requirement | Per Prime Contract Specs |
| MSP/MSSP | CUI on own systems | CMMC Level 2 (C3PAO) | Own certification required |
| MSP/MSSP | SPD only | In-scope for client | Within client’s CMMC boundary |
| CSP (SaaS/PaaS/IaaS) | CUI | FedRAMP Moderate | 3PAO + JAB P-ATO or Agency ATO |
| CSP | CUI (no FedRAMP) | FedRAMP Equivalent | 3PAO (100%, zero findings) |

A Special Note for MSPs and MSSPs 

The determining factor is straightforward: does your organization store, process, or transmit CUI on your own systems? If yes, you need your own CMMC Level 2 C3PAO certification. If you handle only Security Protection Data (SPD), you don’t need independent certification—but your services will be examined as part of your client’s CMMC assessment. If you have no access to CUI or SPD, you’re out of scope entirely. 

In practice, the boundaries can blur. An MSSP analyzing logs in their own SIEM might inadvertently be processing CUI. An MSP backing up client systems might be storing CUI on MSP-owned infrastructure. Increasingly, many MSPs and MSSPs are proactively pursuing their own CMMC Level 2 certification as both a risk mitigation strategy and a competitive differentiator. 

The Shift from Checkbox Compliance to Continuous Assurance 

Point-in-time compliance is no longer sufficient. The DoD’s direction is unmistakable—they’re building a system that demands continuous security, not periodic demonstrations of adequacy. Research shows that 58% of breaches affecting the top 100 U.S. federal contractors involve third-party attack vectors—roughly double the global average. 

What Continuous Compliance Looks Like in Practice 

  • Real-time visibility into security posture. Configurations drift. Vulnerabilities emerge. Personnel change. Your compliance posture on the day of assessment isn’t your compliance posture three months later unless you’re continuously monitoring. 
  • Automated evidence collection. When a C3PAO requests evidence, you shouldn’t be scrambling to assemble artifacts. Continuous monitoring platforms map evidence to specific NIST 800-171 controls and maintain audit-ready documentation as a byproduct of daily operations. 
  • Supply chain risk management. Prime contractors are responsible for subcontractor compliance. Continuous visibility into your supply chain’s security posture is no longer optional—it’s a program requirement. 
  • Proactive POA&M management. With a 180-day hard deadline for remediation, discovering gaps only during formal assessments is a formula for lost contracts. 


The Time for Preparation Is Now 

The DoD’s cybersecurity framework for the Defense Industrial Base has matured into an integrated system with real enforcement mechanisms. CMMC requirements are appearing in contracts today. C3PAO assessments will be mandatory across applicable solicitations by November 2026. Full implementation is expected by 2028. 

Organizations that treat this as a compliance exercise will struggle. Organizations that treat it as a security transformation—investing in the infrastructure, processes, and culture of continuous assurance—will not only maintain contract eligibility but emerge as stronger, more resilient participants in the defense ecosystem. 

The frameworks are interconnected. The obligations are clear. The timeline is set. The question isn’t whether your organization needs to act—it’s whether you’ll act on your terms, with time for thoughtful preparation, or under pressure as deadlines close in. 
