Cybersecurity Maturity Model Certification (CMMC) 2.0
We help DoD contractors and subcontractors implement CMMC 2.0 correctly and prove readiness fast — combining our auditors’ work with a SaaS built to program requirements (SSP, POA&M, SPRS, scoping & evidence). We operate strictly in line with official guidance.
Pre-award cybersecurity assurance
CMMC is a consistent pre-award assessment methodology to confirm a prospective contractor has implemented protections necessary to adequately safeguard DoD information (FCI/CUI).
Protect FCI & CUI across the DIB
The program raises the cybersecurity posture of the Defense Industrial Base and better protects Federal Contract Information and Controlled Unclassified Information.
Self or independent assessment
Contractors show compliance through self-assessment or independent assessment prior to award (excluding COTS). Results are posted to SPRS/eMASS and affirmed annually.
Key CMMC dates (DoD)
Phase 1 — Begins Nov 10, 2025
Where applicable, solicitations require Level 1 or Level 2 self-assessment. DoD may implement some Level 2 C3PAO requirements.
Phase 2 — Begins Nov 10, 2026
Where applicable, solicitations require Level 2 Certification (C3PAO). DoD may defer certification to an option period.
Phase 3 — Begins Nov 10, 2027
Where applicable, solicitations require Level 3 Certification. DoD may defer certification to an option period.
Phase 4 — Begins Nov 10, 2028
All solicitations and contracts include applicable CMMC level requirements as a condition of contract award.
Effective date for the final DFARS CMMC clause (252.204-7021): Nov 10, 2025.
Which contracts are in scope?
- Applies where a contractor/subcontractor will process, store, or transmit FCI or CUI on unclassified contractor information systems.
- Applies to new DoD solicitations and procurement instruments (contracts, task/delivery orders) and option periods.
- Requirements flow down to applicable subcontractors.
Implementation occurs through new contracts awarded after Nov 10, 2025; adding CMMC requirements to existing contracts requires a bilateral modification.
Core program requirements
- Minimum passing score: 80% (88/110).
- Restrictions on which requirements may be placed on a POA&M; open POA&M items must be closed out within 180 days.
- Annual affirmation of continued compliance in SPRS.
- Flow-down to applicable subcontractors.
How CMMC is measured and recorded
Post-assessment remediation
Limited use of POA&Ms is allowed. No POA&Ms are permitted for Level 1. For Level 2 and 3, see §170.21 for items not allowed on a POA&M. Close-out assessments are performed by the OSA (self) or C3PAO/DIBCAC (certification), and POA&Ms must be closed within 180 days. Failure to close results in an expired CMMC Status.
Conditional vs Final Status
Conditional Status: an Organization Seeking Assessment (OSA) achieves this when a passing score includes allowable POA&M items.
Final Status: an Organization Seeking Certification (OSC) achieves this with a passing score and no POA&M, or after closing allowed POA&M items within 180 days.
Process (contractor perspective)
- Government identifies CMMC Status requirements.
- Contractor/sub performs self-assessment or undergoes C3PAO/DIBCAC assessment.
- Assessment results are entered in SPRS or eMASS (as applicable).
- Contractor/sub completes annual affirmation in SPRS; status is visible to DoD.
Who’s who in the ecosystem
DoD CIO CMMC PMO: owns the scheme; publishes Model, Assessment/Scoping/Hashing Guides; sets requirements for C3PAOs/CAICO/assessors.
DCMA DIBCAC: conducts Level 2 assessments on C3PAOs and Level 3 assessments on DIB; advises the PMO.
CMMC AB: accredits C3PAOs and CAICO; ISO/IEC compliant.
CAICO: certifies CMMC professionals/assessors/instructors per ISO/IEC 17024.
C3PAOs: conduct Level 2 certification assessments; submit reports in eMASS; issue certificates.
End-to-end CMMC 2.0 readiness with lower time & cost
Gap Analysis & Readiness
- Full review against NIST 800-171 controls (Level 1–3)
- Evidence mapping, SSP/POA&M scaffolding, SPRS score support
- Remediation plan, milestones, and ownership
Policies & Procedures
- Access control, incident response, configuration, training
- Supplier/flow-down controls for FCI/CUI
- Versioning and approval workflows
LexCyberAI Platform (SaaS)
- Control mapping to 32 CFR Part 170 & DFARS 7021
- Evidence capture, export-ready auditor views
- Risk register, tasks, and POA&M close-out tracking (180-day)
Audit Support
- Self-assessments, annual affirmations in SPRS
- Prep for C3PAO/DIBCAC assessments
- On-call advisory during assessments
Our GRC workflow is aligned to official DoD materials (Model, Assessment & Scoping Guides).
Where to verify CMMC requirements
DoD & Program
- DoD CIO — CMMC resources (Model/Assessment/Scoping/Hashing Guides)
- DFARS 252.204-7021 final clause and 32 CFR Part 170 program rule
- SPRS & eMASS portals for assessment entry
Training: Defense Acquisition University (CYB-1010 / CYB-1030).
Ecosystem & additional help
- CMMC Accreditation Body (The Cyber AB) — marketplace for C3PAOs & assessors
- DoD CUI quick reference (marking & handling)
- FedRAMP marketplace (moderate authorized services)
- SMB support: DoD OSBP resources, CISA Shields Up, NIST MEP, APEX Accelerators
Links curated from DoD’s “Additional Resources”.
Book Your Free Readiness Consultation
15-minute intro with a vCMMC Advisor — quick status review and a tailored plan.