MAC DI RAMOS | Delivery Director, Compliance
Security and compliance are top priorities across every industry, but when it comes to the defense supply chain, the mandate to protect sensitive and private data is more critical than ever. A data breach in the infrastructure of a Department of Defense (DoD) contractor could jeopardize national security or even lives.
To keep supply chain data secure, the DoD has implemented various regulations and mandates for decades. In 2019, it introduced its latest framework, the Cybersecurity Maturity Model Certification (CMMC), designed to standardize a set of security guidelines across the entire DoD supply chain. In October 2024, the DoD announced an update of the framework, CMMC 2.0, which went into effect in mid-December.
An Evolving Threat Landscape Requires an Evolving Security Posture
Supply chains are more complex and interconnected today than they’ve ever been, and they’re at greater risk of cyberattack than ever. Because supply chains are so interconnected, an attack on one link can be devastating for a wide network of organizations. Take, for example, the 2020 SolarWinds supply chain attack. It ultimately infected 18,000 companies, including government agencies, and compromised national security. A ransomware attack on Colonial Pipeline in 2021 severely disrupted fuel distribution across the Eastern seaboard. Most recently, an August 2024 attack on Seattle-Tacoma Airport stranded thousands of travelers and disrupted operations for several weeks.
Designed to address the cybersecurity gaps that allowed those attacks to happen on critical supply chain and national infrastructure, CMMC 2.0 protects data in both government and private-sector systems. It specifies security requirements for Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) within the Defense Industrial Base (DIB). As cybersecurity threats become more sophisticated, ranging from advanced persistent threats to ransomware attacks, CMMC 2.0 addresses several critical concerns:
- Data breaches: Protecting sensitive defense information is paramount, as breaches could compromise national security.
- Supply chain attacks: With multiple contractors and subcontractors involved, securing the supply chain and preventing unauthorized access are critical concerns.
- Evolving cybersecurity threats: Adapting to rapidly evolving cyberthreats means continually improving defense contractors’ cybersecurity frameworks.
- Compliance complexity: This version of the mandate simplifies compliance processes for companies working with the DoD to ensure effective oversight. For instance, the original CMMC framework had five different certification levels, whereas CMMC 2.0 has three.
CMMC 2.0’s updated framework aims to close existing gaps in the areas above by enhancing and streamlining security requirements and giving contractors the tools to meet evolving demands. Experts estimate that the mandate will affect approximately 220,000 companies across the world.
CMMC 2.0 Certification Is Mandatory to Receive DoD Contracts
To be eligible for DoD contracts, defense contractors and subcontractors must become CMMC 2.0-certified by meeting specific CMMC 2.0 cybersecurity practices and processes.
The mandate states that direct contractors that handle CUI and FCI must meet CMMC 2.0 requirements based on the level of sensitive information they manage. This could require organizations to conduct audits, implement certain security measures, and maintain detailed compliance records. Many subcontractors will be required to achieve certification as well, even if they don’t directly handle CUI and FCI. Simply being part of the larger defense supply chain could make subcontractors subject to the requirements.
The bottom line here is that both contractors and subcontractors in the defense supply chain need to be aware of the CMMC 2.0 certification and requirements if they wish to continue receiving DoD contracts. Not only do contractors have to prove certification to DoD contacts before bidding for contracts, they also have to verify the CMMC 2.0 compliance of any subcontractors they wish to engage.
Understanding CMMC 2.0 Levels and Certification Paths
CMMC 2.0 introduces three key certification levels designed to provide a clear path for compliance:
- Level 1: Foundational – This level focuses on basic cybersecurity hygiene for contractors handling only FCI. Requirements are based on National Institute of Standards and Technology (NIST) SP 800-171 standards and emphasize protection against low-level cybersecurity threats. It includes requirements for basic data protection such as access control and authentication.
- Level 2: Advanced – Designed for contractors handling CUI, this level involves implementing a broader set of cybersecurity practices, including risk management strategies and ensuring adherence to additional NIST standards. Contractors must also develop processes for detecting and responding to cybersecurity incidents. This level requires safeguards against a variety of hacking methods, such as data exfiltration and phishing.
- Level 3: Expert – This is the highest level of certification and applies to contractors dealing with highly sensitive information. It requires rigorous cybersecurity practices across the organization and includes continuous monitoring, risk management, active threat detection, data encryption, and incident response capabilities.
To help determine which certification path applies to your organization:
- Identify the type of data your organization handles
- Check your DoD contracts because they often include which CMMC certification is required
- Assess your current cybersecurity posture
- Choose the appropriate CMMC certification level that aligns best with your organization’s needs
- Create a compliance plan, which includes a roadmap to implement necessary security controls
To achieve Level 1 certification, a self-assessment is usually acceptable. Levels 2 and 3 will require an assessment by a certified third-party assessment organization (C3PAO).
Let BlueAlly Guide You Through CMMC 2.0 Compliance Complexities
Achieving and maintaining CMMC 2.0 compliance can seem daunting at first, especially with the varying requirements across certification levels. Many organizations look for expert guidance to ensure the certification process is smooth, seamless, and effective.
When it comes to choosing a certification consultant, you have a lot of options. But it’s important to remember that not all consultants are created equal. You need a company that will help eliminate the challenges and complexities involved in certification.
That’s what BlueAlly does. We can help you conquer complexity while providing insight that will elevate your compliance efforts. Our offerings include:
- Full white-glove service to manage your CMMC compliance project from initial consultation to final certification. This includes performing gap assessments, identifying vulnerabilities, and working with your team to implement necessary controls and procedures for compliance.
- Commitment to achieving certification on time and on budget. The clock is often ticking when it comes to achieving CMMC certification, especially for contractors with active DoD contracts. BlueAlly helps ensure you meet your compliance deadlines, preventing costly delays or missed opportunities. We manage the complexities, so you can focus on your core business.
- Minimization of project and compliance risks, such as nonconformities, exceptions, or unexpected issues. Our proactive approach helps you carefully assess your current security posture, identify potential challenges, and create a strategic plan to address them.
- Flexibility to accommodate your unique business needs. Your company has a unique structure, culture, and way of doing business. We take the time to understand your specific challenges and work with you to develop a customized roadmap that aligns with your goals.
- A laser focus on results and achieving successful outcomes. Whether you’re aiming for Level 1 or Level 3 compliance, we work relentlessly to ensure that your organization is certified on schedule and ready for future business opportunities.
- Timely access to compliance experts. We provide ongoing support, answering your questions and offering guidance whenever you need it. Our team of certified cybersecurity professionals ensures that you’re always up to date on CMMC requirements and how they relate to your business.
- A long-term relationship. Compliance doesn’t stop after certification. BlueAlly is committed to developing a long-term relationship with you, offering ongoing support and consulting to help you maintain your certification and adapt to future changes in compliance requirements.
Navigate the Future with BlueAlly
The DoD’s final rule on CMMC 2.0 brings more clarity to the cybersecurity certification process, but it also presents significant challenges for contractors and subcontractors who must meet its stringent requirements. Whether you are new to the process or in need of guidance to meet specific compliance milestones, BlueAlly is your ally in next, providing the expertise, resources, and flexibility to help you succeed.
By partnering with BlueAlly, you gain access to dedicated compliance experts who can guide you through every stage of the process, ensuring that your organization is fully prepared to meet CMMC 2.0 standards and continue serving the defense sector with confidence.