The Cybersecurity Maturity Model Certification (CMMC) 2.0 compliance industry has created a market for fear. Small defense contractors are being sold six-figure compliance engagements for requirements that, in many cases, a disciplined three-person internal effort could address in 90 days. I am not saying CMMC 2.0 is simple. I am saying the complexity is consistently misrepresented in ways that benefit consultants more than contractors.
My perspective is grounded in 18 years implementing the same underlying framework that CMMC 2.0 is built on — the Risk Management Framework (RMF), NIST Special Publication 800-53, and National Institute of Standards and Technology (NIST) Special Publication 800-171 — across Department of Defense (DoD) submarine network environments. I have executed full Authority to Operate (ATO) lifecycles, held Information Systems Security Manager (ISSM) billets continuously since 2012, and led commands through Fleet Cyber Command inspections that assess the same control families CMMC 2.0 requires contractors to demonstrate.
This post covers what the three levels actually require, who falls under which level, and what a realistic first-90-days plan looks like for a small contractor coming into compliance for the first time.
What the Three Levels Actually Mean
The CMMC 2.0 framework has three maturity levels. Most of the complexity in the compliance conversation comes from treating all three as if they apply to everyone, which they do not.
| Level | Who It Applies To | Controls Required | Assessment Type |
|---|---|---|---|
| Level 1 | Contractors handling Federal Contract Information (FCI) only | 17 practices (FAR 52.204-21 basic safeguarding) | Annual self-assessment |
| Level 2 | Contractors handling Controlled Unclassified Information (CUI) | 110 practices aligned to NIST SP 800-171 Rev 2 | Self-assessment (most) or C3PAO (critical programs) |
| Level 3 | Contractors on highest-priority DoD programs | 110+ practices (800-171 plus additional NIST SP 800-172 requirements) | Government-led assessment by DIBCAC |
If you are a small defense contractor — a law firm handling government contracts, an engineering firm with Defense Federal Acquisition Regulation Supplement (DFARS) clauses in your contracts, a technology company supporting a prime contractor — you almost certainly fall under Level 2. You are probably not Level 3 unless your Contracting Officer has specifically identified you as supporting a classified or critical national security program.
Level 2 is where 90 percent of the compliance industry operates and where 90 percent of the fear-selling happens. So Level 2 is where this post focuses.
What Level 2 Is Actually Asking For
CMMC Level 2 maps directly to NIST SP 800-171 Revision 2. That standard has 110 security requirements organized across 14 control families. If you have handled any federal contractor work in the last decade, you have already been contractually required to implement these controls under DFARS clause 252.204-7012. CMMC 2.0 Level 2 does not add new technical requirements — it adds verified compliance requirements.
The 14 families are: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
None of these families are novel. Every one of them appears in the RMF framework I have been implementing in DoD environments since 2012. The difference for small contractors is not the content of the requirements — it is the documentation and evidence burden that comes with demonstrating compliance to an assessor.
The compliance gap most small contractors have is not a security gap. It is a documentation gap. The technical controls are often already partially in place. What is missing is the System Security Plan (SSP), the evidence artifacts, and the Plan of Action and Milestones (POA&M) that demonstrate you know what you have and what you are working to close.
The Three Documents That Actually Matter
Before you engage a Certified Third-Party Assessment Organization (C3PAO) or spend a dollar on tooling, you need three documents. If you do not have these, nothing else matters. If you do have them, you have already done most of the foundational compliance work.
1. The System Security Plan (SSP)
The SSP is your organization's formal description of the information system, the boundary around the Controlled Unclassified Information (CUI) environment, and how each of the 110 NIST 800-171 requirements is addressed. It is not a checklist. It is a narrative document that tells an assessor: here is what we process, here is how we protect it, and here is the evidence that our controls are implemented and effective.
Most small contractors do not have one. That is the actual starting point of a CMMC compliance program. Everything else — tooling, assessments, staff training — is filling in the evidence that the SSP describes.
2. The Plan of Action and Milestones (POA&M)
No organization achieves 110 out of 110 controls on day one. The POA&M is the document that formally acknowledges which requirements are not yet met, what the remediation plan is, and what the completion timeline looks like. In DoD RMF practice, a well-structured POA&M is not a liability — it is evidence of disciplined risk management. An assessor who sees a clean POA&M with specific timelines and ownership trusts your program more than an organization that claims full compliance with no documented gaps.
I have spent 18 years writing and reviewing POA&Ms. The most common failure is treating them as a compliance artifact rather than a management tool. A POA&M that nobody owns, with completion dates that have passed two quarters in a row, is worse than no POA&M at all — it tells an assessor that your organization does not take its own commitments seriously.
3. The CUI Inventory
You cannot protect what you cannot identify. Before your SSP has meaning, you need to know exactly what CUI you receive, create, process, store, and transmit — and where it lives. This means identifying every system, every endpoint, every cloud service, every third-party tool that touches information covered under your contracts. The boundary you draw around that inventory defines your assessment scope. A smaller, well-defended boundary is nearly always better than a sprawling one that touches systems you cannot control.
What Your First 90 Days Should Actually Look Like
This is the practical sequence that makes sense for most small contractors approaching CMMC Level 2 for the first time. It assumes you have an existing IT environment and some contractual DFARS obligations but no formal CMMC compliance program.
Days 1–30: Understand Your Scope
- Identify every contract that contains DFARS clause 252.204-7012 or CUI handling requirements
- Inventory every system that touches, stores, or transmits CUI
- Define your CUI boundary — document it in writing, keep it as small as defensible
- Assign an internal owner for the compliance program (this person does not need to be a cybersecurity professional — they need to be organized and empowered)
- Download the NIST SP 800-171 Rev 2 Assessment Guide (free, public document) and read the 110 requirements against your environment
Days 31–60: Build the Foundation Documents
- Draft your System Security Plan using the NIST SP 800-171A template (also free and public)
- Score each of the 110 requirements: Implemented, Partially Implemented, Not Implemented, or Not Applicable
- Begin your POA&M for every requirement not marked Implemented — assign ownership and realistic completion dates
- Document your network diagram and data flow within the CUI boundary
- Calculate your SPRS (Supplier Performance Risk System) score using the DoD scoring methodology and submit it — this is already required under DFARS 252.204-7019
Days 61–90: Close the High-Priority Gaps
- Prioritize multi-factor authentication (MFA) for all privileged accounts and all remote access — this single control closes or supports more than a dozen 800-171 requirements
- Implement audit logging if it is not already in place — you cannot demonstrate accountability without log data
- Review user access against least-privilege principles: remove accounts that should not exist, document those that should
- Complete security awareness training for all staff with CUI access and document completion
- Establish an incident response plan — even a simple, two-page document that defines what a reportable incident is, who gets notified, and what the 72-hour reporting timeline looks like
At the end of 90 days, you will not be fully compliant. But you will have a defensible program: a scored SSP, a working POA&M, and closed gaps on the highest-risk requirements. That is the foundation that a C3PAO assessment can build on, and it is the artifact that demonstrates to your government customers that you take the requirement seriously.
Where the Compliance Industry Gets It Wrong
The CMMC compliance market has developed several persistent myths that cost small contractors money without improving their security posture.
Myth 1: You Need a New SIEM Right Now
A Security Information and Event Management (SIEM) platform is a powerful tool for large organizations with dedicated security operations staff. For a 20-person defense contractor, deploying a SIEM before you have completed your SSP or your CUI inventory is backwards. The requirement is to have audit logs and to review them — not to have a six-figure platform that no one monitors. Microsoft 365 native audit logging, properly configured and reviewed, satisfies the audit requirement for most small organizations.
Myth 2: CMMC Requires Classified-Level Security
CMMC Level 2 does not require air-gapped systems, classified processing, or government-furnished equipment. It requires protecting CUI — which is sensitive but not classified. The controls map to enterprise commercial best practices: access control, encryption in transit and at rest, patching, logging, and physical protection of workstations. A well-managed Microsoft 365 Business Premium deployment addresses the majority of Level 2 requirements in a small organization.
Myth 3: Third-Party Assessment Is Always Required for Level 2
The CMMC 2.0 rule allows the majority of Level 2 contractors to self-assess rather than go through a C3PAO. Third-party assessment at Level 2 is required only for contractors on programs specifically identified by the DoD as requiring it — and that designation must appear in your solicitation or contract. If your contract does not specify a C3PAO assessment requirement, self-assessment with SPRS score submission is the baseline obligation.
The most expensive compliance mistake I see is organizations engaging a C3PAO before they have an SSP. An assessment organization cannot assess what has not been documented. You will pay for the assessment window, fail due to missing documentation, and then pay again. Build the SSP first.
What My DoD Background Adds to This Conversation
I am not a CMMC consultant. I am an active-duty Navy Senior Chief who has spent 18 years implementing the frameworks that CMMC is built on, in operational environments with higher stakes than contractor compliance. The difference between what I have done and what a small contractor needs to do is mostly one of scale and classification level — the underlying discipline is identical.
I know what a well-written SSP looks like because I have written them for systems that control navigation, communications, and weapons employment on submarines. I know what a credible POA&M looks like because I have defended them in front of Authorizing Officials (AOs) who have the authority to revoke network access for an operational platform. I know what assessors look for because I have been the person conducting the assessment.
That background informs the ButeraNet Intelligence product: a private, offline AI appliance designed specifically for small organizations — law firms, contractors, nonprofits — that need to process sensitive information without routing it through public cloud services. From a CMMC perspective, moving your CUI processing to an on-premises, air-isolated appliance simplifies your boundary, reduces your external attack surface, and eliminates the cloud configuration requirements that represent the most complex portion of most small contractor SSPs.
CMMC 2.0 is achievable for small contractors who approach it the same way DoD approaches RMF: document what you have, be honest about your gaps, close the highest-risk gaps first, and maintain the program as a living effort rather than a one-time checkbox. The framework does not require perfection. It requires discipline.
If you are a small contractor working through CMMC preparation and want a straight answer on whether your approach makes sense — not a consulting engagement, just a conversation — reach out at travis@buteranet.com.
— Travis D. Butera