CMMC 2.0 Compliance Guide: What It Is, What It Requires, and How to Get Ready

Publish Date: April 15, 2026

Tags: CMMC 2.0 | CMMC Consultation | DFARS | DoD | NIST 800-171

If you work in the federal contracting space, CMMC 2.0 compliance has probably made its way into your contract conversations, your inbox, and maybe the occasional panic-driven Google search. And if you are like most organizations trying to make sense of it, your first reaction was probably something along the lines of: “Where do I even start?”

That’s a fair reaction. The Cybersecurity Maturity Model Certification program has had a long and, at times, messy road to where it is today. Understanding how it got here is actually one of the most useful ways to understand what it is and what it is asking organizations to do.

The Foundation: Controlled Unclassified Information (CUI)

To understand CMMC, you first need to understand Controlled Unclassified Information, better known as CUI. And to understand CUI, you need to buckle up for a ride in the Wayback Machine.

For a long time, the federal government had a reasonably clear handle on classified information. There were rules, classifications, clearances, and procedures for handling anything that carried a national security label. What it did not have was a consistent way to protect the enormous volume of sensitive but unclassified information that flows through agencies, contractors, and their partners on any given day. (Think of things such as technical specifications, export-controlled research, privacy data, or sensitive law enforcement information.) Each agency was essentially making up its own rules, using its own labels, and calling things different names. To put it in modern terms, this would be classified as a “hot mess”.

In 2010, President Obama signed Executive Order 13556, which created a standardized framework for how agencies should identify, mark, handle, and protect this category of information. That framework formalized the term “Controlled Unclassified Information” and established the CUI Program under the National Archives and Records Administration. If the government was going to protect this information consistently, it needed a consistent name and consistent rules across the board.

That addressed the internal side, but the federal government doesn’t operate in a vacuum. Billions of dollars in work, research, and services flow through contractors and subcontractors, many of them small and mid-size businesses that handle CUI as part of daily operations. If the government is going to protect CUI internally, it also needs the organizations working on its behalf to protect it. Otherwise, you have secured the front door and left the back window wide open.

Enter NIST SP 800-171: The First Real Answer for Federal Contractors

In 2015, the National Institute of Standards and Technology published Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. If CUI was the problem, NIST 800-171 was the first real answer aimed at the federal contractor community.

The publication laid out 110 security requirements across 14 control families, covering everything from access control and incident response to configuration management and system and communications protection. It was a set of requirements designed to create a genuine security baseline.

The Defense Federal Acquisition Regulation Supplement, or DFARS, made 800-171 a contractual requirement for Department of Defense contractors in 2017. If your contract involved CUI, you were expected to meet these requirements. In theory, at least. The biggest issue was that compliance was almost entirely self-attested, meaning every company could look at its own environment and say, “Yeah, that should be good enough…”

Contractors submitted a score on a government portal, and that score was largely taken at face value. As you might imagine, the honor system produced some…optimistic results.

Studies and audits over the years revealed that the self-assessment scores many contractors reported had very little relationship to their actual security posture. Some organizations with high scores had significant, obvious gaps. The Department of Defense (DoD) had a requirement on paper that was not producing real-world security outcomes, and that was a problem that was not going to fix itself.

The Start of CMMC: A Noble Idea with a Rocky Launch

The Cybersecurity Maturity Model Certification (CMMC) program was introduced in 2020 as the DoD’s answer to the self-attestation problem. The premise itself was pretty straightforward: instead of allowing contractors to grade their own homework, the government would require independent third-party assessments for organizations handling the most sensitive CUI. Those assessments would be conducted by accredited organizations against a defined set of practices across maturity levels.

The original CMMC 1.0 model had five maturity levels and an ambitious rollout plan expected to reach tens of thousands of contractors. What followed was significant industry pushback, logistical challenges, and an acknowledgment that the original design had real flaws. The assessment infrastructure wasn’t built for the scale. Third-party assessment costs were prohibitive for small businesses. And the maturity model itself added complexity beyond what NIST 800-171 already required.

So, as happens quite frequently in Government land, the DoD went back to the drawing board.

CMMC 2.0: A Streamlined Approach

In late 2021, the DoD announced CMMC 2.0, which collapsed the five-level model down to three levels and re-anchored the entire program back to NIST 800-171 as the gold standard. The entire philosophy shifted toward making the program more accessible to many, more aligned with existing requirements, and more realistic for the contractors it was meant to reach.

Level 1 covers basic cyber hygiene, aligns to the 15 practices in FAR 52.204-21, and allows annual self-attestation by a senior company official. Most organizations should already be doing most of these things.

Level 2 aligns to all 110 practices in NIST 800-171. For most contracts involving CUI, it requires a third-party assessment by a Certified Third-Party Assessment Organization, known as a C3PAO. This is where the majority of defense contractors will land.

Level 3 is reserved for the highest-priority programs and adds requirements from NIST SP 800-172 on top of Level 2. All Level 3 assessments are conducted by the Defense Contract Management Agency (DCMA) through its Defense Industrial Base Cybersecurity Assessment Center (DIBCAC); there is no C3PAO option at this tier.

The final CMMC rule was published in the Federal Register in late 2024 and began its phased rollout into contracts in 2025. It is not hypothetical anymore. CMMC 2.0 compliance requirements are in contracts now, and the scope will continue to expand.

What Most Organizations Do Not Realize About CMMC Readiness

Here is where the conversation usually gets uncomfortable, and it is worth being direct about it.

Most organizations that believe they are “pretty close” to CMMC compliance are not nearly as close as they think. The self-assessment process under NIST 800-171 requires a scored assessment using the DoD Assessment Methodology, starting at 110 points and deducting points for every practice that is not fully implemented. Many organizations that have gone through honest, rigorous assessments are sitting well below the 110 mark, sometimes significantly.

The most common gaps we see from a consultant’s perspective are not exotic or technical. They tend to be things like:

  • No formal System Security Plan documenting how each 800-171 requirement is being met.
  • No documented Plan of Action and Milestones showing how identified gaps are being addressed.
  • MFA that exists for some users but not all (and CMMC requires all).
  • Access control practices that work well operationally but have never been formally documented and tested.

The documentation requirements for CMMC can be a grind. Writing policies, procedures, and a system security plan for your organization is time-consuming and not for the faint of heart. Remember that the documentation matters just as much as the technical controls.

There is also a subcontractor dimension that catches organizations off guard. If CUI flows down to your subs, your compliance obligation follows it. Your security posture is only as strong as the weakest link in your supply chain, and assessors know it. Vetting your downstream partners’ security mindset before engaging them is not optional.

CMMC Compliance is a Marathon, Not a Sprint

This is possibly the most important thing to take away from this entire article. Organizations that approach CMMC as a project with a start date and an end date tend to struggle.

Organizations that approach it as an ongoing program, something built deliberately over time and sustained, tend to do much better.

A realistic CMMC Level 2 readiness effort for an organization starting from a modest baseline can take 12 to 24 months, depending on the size of the environment, the number of gaps, available internal resources, and how quickly decisions and funding can move. That timeline is not meant to discourage. It is meant to make the case for starting now rather than waiting until a contract requires it.

Real costs are involved: the assessment itself, remediation work to close gaps beforehand, ongoing maintenance of policies and procedures, and potentially infrastructure changes. A clear plan before you begin makes all of it more manageable.

Where Arctic IT Can Help

Arctic IT works with organizations that depend on federal, defense, and tribal contracts. We understand that CMMC can feel like a lot of noise and very little signal when you are trying to figure out what it all means for your business. So, we built a practical starting point.

Our 1-Hour CMMC Consultation is a focused working session with our cybersecurity consultants who are experienced in both CMMC and NIST 800-171. In this session, we cover:

  • Whether CMMC applies to your organization and at which level.
  • An honest look at your current security and documentation practices.
  • Your incident response readiness.
  • A plain-language assessment of your key gaps and risks.

After the session, you receive a written CMMC Action Plan tailored to your organization. It will tell you where you stand in plain language, what your key gaps and risks are, what remediation steps you should prioritize, and what it will realistically take in time, money, and effort to move toward your target level. No jargon-heavy report that collects dust. A real plan you can actually use.

CMMC does not have to be paralyzing. With the right guidance, the path forward becomes a lot clearer.

Ready to turn CMMC confusion into a clear plan? That is exactly what we are here for. Connect with us today to get started with your CMMC Consultation and Action Plan.

Run with us.

By Kevin Fassanella, Director of Security and Compliance at Arctic IT