CMMC 2.0 (Cybersecurity Maturity Model Certification) is the U.S. Department of Defense framework for verifying that contractors and suppliers protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). If your organization is in—or wants to enter—the defense supply chain, CMMC is no longer optional background reading. It is a contractual reality that is rolling out through DFARS and contract language.
This guide is written for small and mid-size businesses: manufacturers, professional services firms, engineering shops, IT providers to primes, and other suppliers who need clarity, not marketing slogans. We explain what CMMC is, how levels work, what “readiness” means versus formal assessment, and where organizations commonly get stuck.
What CMMC is (and is not)
CMMC exists because self-attestation alone did not produce consistent cybersecurity outcomes across the Defense Industrial Base (DIB). The model maps cybersecurity practices to contract requirements so DoD can trust that sensitive information is handled with defined safeguards.
- It is a maturity/certification model tied to safeguarding FCI and CUI.
- It is aligned with established NIST guidance (notably SP 800-171 for CUI protection at Level 2).
- It is not a generic “cyber score” for every business on earth.
- It is not the same as a full enterprise SOC 2 program—though some controls overlap in spirit.
For leadership, the practical question is simple: Do our contracts (or target contracts) require CMMC, and at which level? Everything else—tools, policies, evidence—flows from that answer.
Who CMMC typically applies to
CMMC obligations generally flow through DoD contracts and subcontracts. You may be in scope if you:
- Prime or subcontract on DoD work
- Handle FCI in email, files, ERP, or collaboration tools
- Handle CUI (drawings, specs, technical data, certain operational info)
- Provide IT, cloud, or managed services to organizations that handle FCI/CUI
Even companies that never “feel like a defense contractor” can be pulled in as a supplier. Geography matters less than contract flow-down. Impetra works with organizations across Connecticut, New York, and New Jersey that face these requirements while running ordinary SMB IT environments—Microsoft 365, laptops, shared drives, remote access, and a small IT budget.
CMMC levels at a glance
CMMC 2.0 simplified the earlier multi-level model. For most SMBs, the conversation centers on Level 1 and Level 2:
| Level | Focus | Typical information | Assessment style (high level) |
|---|---|---|---|
| Level 1 | Basic safeguarding | FCI | Annual self-assessment (affirmation requirements apply as specified in rule/contract language) |
| Level 2 | Broad protection of CUI | CUI | Aligned to NIST SP 800-171; third-party assessment for many cases |
| Level 3 | Higher assurance against advanced threats | Prioritized programs | Government-led assessment model for selected programs |
Always read your contract and current DFARS/CMMC rule language. Levels and assessment paths can depend on the solicitation and the type of information involved. This guide is educational, not legal advice.
Level 1 in practice
CMMC Level 1 is often described as “basic cybersecurity hygiene,” but that phrase undersells the operational reality. Level 1 maps to the 15 basic safeguarding requirements historically associated with FAR 52.204-21—things like limiting access, authenticating users, sanitizing media, and updating systems.
What trips SMBs up is not the existence of antivirus. It is:
- Inconsistent identity practices (shared accounts, weak MFA coverage)
- Unclear asset inventory (what devices and cloud apps actually hold FCI)
- Policies that exist in a binder but not in daily operations
- Inability to show evidence during self-assessment
Level 1 readiness is less about buying a stack of enterprise tools and more about proving basic control over access, devices, and data handling for in-scope systems.
Level 2 and NIST SP 800-171
NIST SP 800-171 is the control set most people mean when they talk about protecting CUI in nonfederal systems. CMMC Level 2 is built around implementing those requirements (with assessment methodology defined by DoD’s program).
Expect work across domains such as:
- Access control and least privilege
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Personnel security
- Physical protection
- Risk assessment
- Security assessment
- System and communications protection
- System and information integrity
For a 30–150 person company, Level 2 is a program, not a weekend project. It touches Microsoft 365 configuration, endpoint management, logging, backup, vendor access, and documentation quality.
Documentation that actually matters
Three artifacts show up repeatedly in serious readiness work:
System Security Plan (SSP)
An SSP describes your environment and how each required practice is implemented. Weak SSPs are vague (“we use MFA”) without scope, exceptions, or system boundaries. Strong SSPs are specific enough that a technical reviewer can understand what is in scope and how controls operate.
Plan of Action & Milestones (POA&M)
A POA&M tracks gaps honestly: what is not fully implemented, who owns remediation, and when it will be done. Hiding gaps helps nobody—especially if you later face assessment.
Evidence and operational proof
Screenshots, policies, configs, tickets, training records, and diagrams. If a control only lives in a slide deck, it is not implemented.
Related glossary: SSP, POA&M, SPRS, CUI, FCI.
Common mistakes we see
- Assuming “we have Microsoft 365” equals compliance. Licensing and secure configuration are different problems.
- Undefined system boundary. If you cannot say which systems process FCI/CUI, you cannot protect them consistently.
- Shared admin accounts and incomplete MFA. Identity failures dominate real incidents and assessment findings.
- Policies without operations. Written incident response plans that nobody has exercised.
- Treating CMMC as only an IT project. HR, facilities, vendors, and leadership all touch requirements.
- Waiting for a contract deadline to start Level 2. Documentation and evidence take calendar time.
- Confusing readiness consulting with certification. See readiness vs certification.
Technical building blocks (SMB-realistic)
Exact architectures vary, but most modern SMBs lean on:
- Identity: Microsoft Entra ID, strong MFA, Conditional Access, least privilege
- Endpoints: managed devices, patching, EDR
- Email & collaboration: hardened M365, careful external sharing, DLP where appropriate
- Network: segmented access, secure remote access, minimized flat networks
- Logging & response: enough telemetry to investigate incidents
- Backup & recovery: tested restores aligned to business needs (RPO/RTO)
Technology without process fails assessment. Process without technology fails attackers. You need both.
A practical readiness path
- Confirm contractual level and data types (FCI vs CUI).
- Define the enclave / system boundary—what is in scope.
- Baseline current controls against Level 1 or 800-171 as applicable.
- Prioritize gaps by risk and assessment impact.
- Implement controls in identity, endpoints, email, logging, and backup first when they are weak.
- Write and revise the SSP; maintain a living POA&M.
- Collect evidence continuously—not the week before assessment.
- Decide assessment path with counsel/prime guidance when Level 2 certification is required.
Many organizations start with a structured assessment (such as ImpetraInsights™ CMMC Readiness) to replace guesswork with a scored baseline and roadmap.
How Impetra helps
Impetra is a cybersecurity-first technology partner for businesses in CT, NY, and NJ. For CMMC-related work we typically help with:
- Readiness assessments and gap prioritization
- Practical control implementation in Microsoft-centric environments
- Documentation support (SSP/POA&M structure and evidence habits)
- Ongoing managed IT and security operations so controls do not decay
We do not claim to certify you. We help you prepare, operate, and improve—honestly.
Related commercial pages: Compliance & CMMC consulting, Cybersecurity, Managed IT, CMMC Insights.
FAQ
Is CMMC only for huge primes?
No. Requirements flow to suppliers of many sizes. Level depends on information and contract language.
Can we self-assess Level 2 forever?
Do not assume that. Many Level 2 scenarios require third-party assessment. Confirm against current program rules and your contracts.
How long does readiness take?
Level 1 improvements can move faster if identity and asset basics exist. Level 2 programs often take months, especially documentation and evidence maturity.
Do we need a separate “CMMC network”?
Sometimes a well-scoped enclave reduces cost and complexity. Sometimes hardening the existing tenant is better. It depends on data flows and business operations.
Where should we start this week?
Identify whether you handle FCI, CUI, or both; inventory systems that touch that data; enforce MFA on all privileged and remote access; and schedule a structured readiness conversation.
Need a clear baseline for your environment?
Start with a free 15-minute review. When a structured assessment is the right next step, ImpetraInsights™ can provide multi-framework scoring and an executive-ready report—including CMMC and HIPAA readiness paths.