The Cybersecurity Maturity Model Certification (CMMC) 2.0 program is now embedded in DoD acquisition regulations. Any defense contractor seeking to bid on or perform DoD contracts involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must demonstrate compliance with the appropriate CMMC level. In 2026, CMMC requirements are appearing in solicitations across the defense industrial base (DIB), and contractors who are not prepared risk contract ineligibility. This guide covers everything you need to know for a successful CMMC 2.0 assessment.
Understanding CMMC 2.0 Levels
CMMC 2.0 streamlined the original five-level model into three levels, each mapped to a specific set of security practices and assessment requirements.
Level 1 — Foundational (17 Practices)
Level 1 applies to organizations that handle only FCI — information provided by or generated for the government under a contract — but not CUI. The 17 practices align directly with FAR 52.204-21 basic safeguarding requirements, covering fundamental cyber hygiene: access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. Annual self-assessments with an affirmation by a senior organization official are required.
Level 2 — Advanced (110 Practices)
Level 2 applies to organizations that handle CUI and requires implementation of all 110 security requirements from NIST SP 800-171 Rev 2, organized across 14 domains. This is the level that affects the vast majority of DoD contractors. Level 2 can be met through either an annual self-assessment (for non-prioritized acquisitions) or a triennial third-party assessment conducted by a Certified Third-Party Assessor Organization (C3PAO) (for prioritized acquisitions involving CUI critical to national security).
Level 3 — Expert (130+ Practices)
Level 3 targets organizations supporting the most critical DoD programs. It requires all 110 NIST SP 800-171 practices plus a subset of NIST SP 800-172 enhanced requirements. Level 3 assessments are conducted by the Defense Contract Management Agency (DCMA) DIBCAC every three years.
The 14 NIST SP 800-171 Domains at Level 2
Level 2 compliance requires documented implementation across all 14 domains: Access Control (22 requirements), Awareness and Training (3), Audit and Accountability (9), Configuration Management (9), Identification and Authentication (11), Incident Response (3), Maintenance (6), Media Protection (9), Personnel Security (2), Physical Protection (6), Risk Assessment (3), Security Assessment (4), System and Communications Protection (16), and System and Information Integrity (7).
Each domain requires not only that controls are implemented technically, but that they are documented in a System Security Plan (SSP) that describes how the organization meets each requirement, and a Plan of Action and Milestones (POA&M) that documents any requirements not yet fully implemented with a remediation timeline.
Most Common CMMC 2.0 Gaps
Based on CMMC 2.0 readiness assessments across the defense industrial base, the following gaps are most frequently identified:
- CUI not identified or scoped: Many contractors handle CUI without having formally identified it, defined its location, and bounded the CMMC assessment scope. Without a CUI inventory, no meaningful assessment is possible.
- Multi-factor authentication (MFA) gaps: MFA is required for local and network access to CUI systems, as well as for privileged accounts. Many small and mid-sized contractors still rely on password-only authentication for some CUI-handling systems.
- Audit logging incomplete: NIST SP 800-171 requires audit records for user activities, security events, and system events — with protection of audit logs from modification. Many organizations have partial logging that does not meet the specificity and retention requirements.
- No formal incident response plan: Contractors must have a documented incident response capability including detection, analysis, containment, eradication, recovery, and user response activities. A plan that was written once and never exercised does not demonstrate operational capability.
- Configuration management baseline absent: Organizations must establish and maintain baseline configurations for IT systems containing CUI. Undocumented configurations and shadow IT are pervasive gaps.
- SSP incomplete or outdated: The System Security Plan is the primary artifact assessors review. SSPs that are incomplete, inaccurate, or not updated to reflect current system state are a critical gap.
Preparing for a C3PAO Assessment
If your organization handles CUI on prioritized DoD contracts, you will need to undergo a triennial assessment by a C3PAO. Preparing for a C3PAO assessment involves several structured steps. First, determine your CUI scope: identify all systems, networks, and personnel that process, store, or transmit CUI. Second, complete your SSP — it must describe how each of the 110 NIST SP 800-171 requirements is implemented. Third, document all gaps in a POA&M with realistic remediation timelines. Fourth, conduct a thorough pre-assessment to identify any scoring deficiencies before the C3PAO arrives. Fifth, exercise your incident response plan through a tabletop exercise to demonstrate operational capability.
CMMC Level 2 scoring uses a 110-point scale (1 point per practice, with multi-value practices worth more). Organizations with a POA&M score below certain thresholds may receive a conditional certification pending remediation. The goal is to achieve a score demonstrating that the preponderance of CUI controls are implemented.
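To make the scoring described above concrete, the following readiness scorer is an added example written for this article, not code from the page or from any assessor or vendor. It assumes the NIST SP 800-171 DoD Assessment Methodology weighting (a 110-point start with 1-, 3- or 5-point deductions, and partial credit only for 3.5.3 and 3.13.11), an 88-point conditional floor and a set of POA&M-deferral rules, none of which the article states; the requirement table, titles, weights and statuses are constructed sample values.

```python
"""Level 2 readiness scoring over a constructed SSP/POA&M status table.

Added example, not code from the original article. Scoring follows the NIST SP
800-171 DoD Assessment Methodology as the author understands it (assumption: the
page states neither the weights nor the partial-credit rules): every requirement
has a weight of 1, 3 or 5; the score starts at 110 and drops by the weight of each
requirement not fully implemented; only 3.5.3 (MFA) and 3.13.11 (FIPS-validated
cryptography) earn partial credit, a 3-point deduction instead of 5. A requirement
documented as not applicable in the SSP is scored as implemented.
"""
from dataclasses import dataclass, replace

MAX_SCORE = 110
# Assumption: conditional Level 2 status needs at least 80% of the 110 points.
CONDITIONAL_MIN_SCORE = 88
# Assumptions about which open items may remain on a POA&M at certification time,
# as the author recalls the CMMC rule; verify against the current rule text.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
POAM_ALLOWED_ABOVE_ONE_POINT = {"3.13.11"}   # only at its 3-point partial value
POAM_BARRED_ONE_POINTERS = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Requirement:
    req_id: str
    title: str
    weight: int   # 1, 3 or 5 per the methodology
    status: str   # implemented | partial | not_implemented | not_applicable


def deduction(req: Requirement) -> int:
    """Points lost for one requirement in its current state."""
    if req.status in ("implemented", "not_applicable"):
        return 0
    if req.status == "partial" and req.req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req.req_id]
    if req.status in ("partial", "not_implemented"):
        # "Partial" without a partial-credit rule scores as not implemented.
        return req.weight
    raise ValueError(f"unknown status {req.status!r} on {req.req_id}")


def score(reqs) -> int:
    """Assessment score: 110 minus every deduction in the table."""
    return MAX_SCORE - sum(deduction(r) for r in reqs)


def poam_eligible(req: Requirement) -> bool:
    """Whether an open requirement may be deferred to the POA&M."""
    lost = deduction(req)
    if lost == 0:
        return True
    if lost == 1:
        return req.req_id not in POAM_BARRED_ONE_POINTERS
    return req.req_id in POAM_ALLOWED_ABOVE_ONE_POINT and lost == PARTIAL_CREDIT.get(req.req_id)


def readiness(reqs) -> dict:
    """Score the table and classify the likely certification outcome."""
    open_ids = [r.req_id for r in reqs if deduction(r) > 0]
    blockers = [r.req_id for r in reqs if deduction(r) > 0 and not poam_eligible(r)]
    total = score(reqs)
    if not open_ids:
        verdict = "final"
    elif total >= CONDITIONAL_MIN_SCORE and not blockers:
        verdict = "conditional"
    else:
        verdict = "not ready"
    return {"score": total, "open": open_ids, "blockers": blockers, "verdict": verdict}


def remediate(reqs, req_ids):
    """Return a copy of the table with the given requirements marked implemented."""
    return [replace(r, status="implemented") if r.req_id in req_ids else r for r in reqs]


# Constructed excerpt mirroring the gaps the article lists; a real table has all
# 110 rows, and rows not listed here are treated as implemented. Weights are
# sample values taken from the methodology as the author recalls them.
SAMPLE = [
    Requirement("3.1.1", "Limit system access to authorized users", 5, "implemented"),
    Requirement("3.1.20", "Verify and control connections to external systems", 1, "implemented"),
    Requirement("3.3.1", "Create and retain system audit logs", 5, "not_implemented"),
    Requirement("3.3.8", "Protect audit information from unauthorized modification", 1, "not_implemented"),
    Requirement("3.4.1", "Establish and maintain baseline configurations", 5, "implemented"),
    Requirement("3.5.3", "Use MFA for local and network access to CUI systems", 5, "partial"),
    Requirement("3.6.1", "Establish an operational incident-handling capability", 5, "implemented"),
    Requirement("3.13.11", "Employ FIPS-validated cryptography to protect CUI", 5, "partial"),
]

if __name__ == "__main__":
    print("as assessed:", readiness(SAMPLE))
    print("after fixing logging and MFA:", readiness(remediate(SAMPLE, {"3.3.1", "3.5.3"})))
```

Run as-is, the constructed table scores 98 but is "not ready": the missing audit logging is a 5-point gap and partial MFA is not deferrable, so neither can sit on a POA&M. Marking those two as implemented raises the score to 106 and leaves only the 1-point audit-protection gap and the 3-point FIPS partial open, which under the assumed rules is a conditional outcome with a POA&M.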
OT/ICS Environments and CMMC 2.0
Defense contractors operating operational technology (OT) or industrial control system (ICS) environments — such as defense manufacturers, shipyards, or aerospace facilities — face unique CMMC challenges. OT systems often cannot run endpoint agents, may have minimal logging capabilities, and frequently rely on legacy operating systems that cannot support modern MFA solutions. For these environments, compensating controls, network segmentation between IT and OT networks, and documented risk acceptance are typically required to demonstrate compliance.
Tabletop exercises for CMMC-focused organizations in OT/ICS sectors should specifically simulate scenarios involving CUI exfiltration from manufacturing systems, ransomware affecting CUI-handling production networks, and insider threat scenarios involving CUI mishandling — all areas where the intersection of CMMC requirements and OT security is most complex.
CMMC 2.0 Level 2 Readiness Checklist: 10 Key Items
- CUI inventory completed — all systems, locations, and personnel handling CUI identified and documented
- System Security Plan (SSP) completed covering all 110 NIST SP 800-171 requirements
- Plan of Action & Milestones (POA&M) documents all gaps with remediation timelines
- MFA deployed for all CUI system access (local, network, and privileged accounts)
- Audit logging enabled on all CUI-handling systems with 90-day retention and tamper protection
- Configuration management baselines documented for all CUI systems
- Incident response plan documented, exercised, and updated within last 12 months
- User awareness training on CUI handling delivered to all personnel with CUI access
- Media protection controls in place for all portable media containing CUI
- SPRS score self-assessed and submitted to the Supplier Performance Risk System
Next Steps: From Gap Analysis to Certification
CMMC 2.0 compliance is not a one-time project — it is an ongoing program. Organizations that treat it as a checkbox exercise typically fail C3PAO assessments because their documentation does not reflect actual system state. The organizations that succeed are those that have integrated CMMC requirements into their operational processes, conduct regular internal assessments, train their personnel, and use exercises to validate that their incident response and CUI handling procedures actually work.
The first step for any contractor is an honest gap assessment: where are you today against all 110 NIST SP 800-171 requirements? That baseline determines your remediation roadmap, your POA&M, and your timeline to certification readiness.