Definition

CMMC 2.0 (Cybersecurity Maturity Model Certification) is the U.S. Department of Defense’s mandatory cybersecurity framework for contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). It differs from NIST 800-171 self-attestation because CMMC 2.0 Level 2 requires third-party C3PAO assessment every three years, with pass/fail stakes for contract eligibility. The framework applies to all Defense Industrial Base (DIB) contractors, subcontractors, and suppliers — approximately 200,000 organizations — ranging from small manufacturers to major primes. Successful certification requires a System Security Plan (SSP), Plan of Action & Milestones (POA&M), implemented NIST 800-171 controls, continuous monitoring, and SPRS score reporting. Armorstack guides defense contractors nationwide through the full CMMC 2.0 lifecycle: gap analysis, control implementation, SSP authoring, C3PAO coordination, and continuous monitoring — typically achieving Level 2 assessor-readiness within 90 days for mid-market contractors.

CMMC 2.0 Compliance

Compliance Without the Consulting Tax.

A managed CMMC program built for defense contractors and DoD subcontractors who need to clear the assessment, keep contracts flowing, and stop paying $400/hour for a binder that goes stale the day it’s delivered.

The Framework

What CMMC 2.0 Actually Requires

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense’s mechanism for verifying that contractors and subcontractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) have implemented prescribed security controls. The final rule (32 CFR Part 170) took effect December 16, 2024, and contractual flow-down through DFARS clause 252.204-7021 began phased enforcement on November 10, 2025. If CMMC language appears in a solicitation, you cannot be awarded the contract without the corresponding certification on file.

CMMC 2.0 collapses the original five-level model into three. Level 1 (Foundational) covers the 15 basic safeguarding requirements in FAR 52.204-21 (counted as 17 practices in the earlier CMMC model) and is satisfied by annual self-assessment and affirmation in SPRS. Level 2 (Advanced) requires implementation of all 110 requirements in NIST SP 800-171 Rev. 2 across 14 control families; most Level 2 contracts require a triennial third-party assessment by a Certified Third-Party Assessor Organization (C3PAO), with a narrow self-assessment carve-out for acquisitions the DoD has not prioritized. Level 3 (Expert) layers a selected subset of NIST SP 800-172 enhanced requirements on top of a certified Level 2 baseline and is assessed directly by the Defense Contract Management Agency's DIBCAC.

The practical difference between self-attestation and assessment is liability. A self-assessment score and affirmation submitted to the Supplier Performance Risk System (SPRS) by a senior official is a representation to the government: if it is knowingly inaccurate it is actionable under the False Claims Act, and the DOJ's Civil Cyber-Fraud Initiative has already produced multi-million-dollar settlements against contractors who misrepresented their NIST SP 800-171 status. A C3PAO assessment is more rigorous and puts independent verification behind the score, but it does not remove the signature line: Level 2 certification also requires a senior official's affirmation in SPRS at certification and annually thereafter, so the controls have to stay implemented between assessments, not just on assessment day.

Service Tiers

Three Levels. Three Managed Packages.

Pick the tier that matches your contract requirements. Each is a continuous managed service — not a one-time project.

Level 1 Foundational

Foundational Hygiene Package

15 basic safeguarding requirements (FAR 52.204-21; 17 practices in the earlier CMMC model). Annual self-assessment and affirmation in SPRS.

  • Scope: Contractors handling Federal Contract Information (FCI) only — no CUI.
  • Who needs it: Subs and primes on basic federal acquisitions without CUI markings.
  • Includes: The six families FAR 52.204-21 touches: access control, identification & authentication, media protection, physical protection, system & communications protection, and system & information integrity.
  • Deliverable: SPRS-ready attestation packet, annual recertification.

Starting at

from $X,XXX/mo

MOST CONTRACTS
Level 2 Advanced

Advanced Compliance Package

110 requirements across NIST SP 800-171 Rev. 2. Triennial C3PAO assessment for prioritized contracts, plus an annual affirmation by a senior official.

  • Scope: Any contractor that creates, processes, stores, or transmits CUI.
  • Who needs it: The vast majority of DoD primes, subs, and supply-chain participants. If your contract references DFARS 252.204-7012, you almost certainly need Level 2.
  • Includes: All 14 NIST 800-171 families — Access Control, Awareness & Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, System & Information Integrity.
  • Deliverable: Implemented control baseline, full SSP, POA&M, audit evidence repository, C3PAO prep, and on-site sit-in support during assessment.

Starting at

from $X,XXX/mo

Level 3 Expert

Expert Defense Package

All 110 NIST 800-171 controls plus a selected subset of NIST SP 800-172 enhanced controls. DIBCAC-led government assessment.

  • Scope: Programs handling CUI tied to the most sensitive DoD priorities and Advanced Persistent Threat (APT) protection.
  • Who needs it: Contractors on critical programs designated by the DoD program office — typically a small percentage of the DIB.
  • Includes: Level 2 baseline plus advanced threat-hunting, deception technology, segmentation, dual-authorization controls, and 24×7 SOC monitoring against APT TTPs.
  • Deliverable: DIBCAC-ready evidence package, continuous control validation, advanced security operations.

Starting at

from $X,XXX/mo

The Delivery Model

What Armorstack Actually Delivers

A managed program — not a binder. Every control is implemented in your environment, monitored by our SOC, and audit-ready on demand.

01

SSP Generation & Maintenance

A System Security Plan that mirrors the actual environment, mapped control-by-control to NIST SP 800-171 Rev. 2. Living document — updated every quarter and on every material system change. No copy-paste templates.

02

POA&M Tracking

Plan of Action & Milestones management for every “Other Than Satisfied” control. Owners, target close dates, evidence of progress, and routine remediation reviews — managed inside the same workflow we use for SOC ticketing.

03

110-Control Implementation

Hands-on engineering across all 14 NIST 800-171 families — MFA rollouts, FIPS 140-validated cryptography, audit logging, CUI segmentation, incident response runbooks, and the policy stack to back it up. We build it and we operate it.

04

Continuous Monitoring & Evidence-on-Demand

SENTRY SOC monitors control effectiveness 24×7. Audit evidence — logs, screenshots, configuration baselines, training records — is queryable on demand. When the C3PAO asks for proof, we hand it over the same day.

05

C3PAO Assessment Prep & Sit-In Support

A pre-assessment dry run against the CMMC Assessment Process (CAP), an interview prep cycle for your senior official and system owners, and a senior Armorstack engineer in the room (or on the call) for every day of the C3PAO assessment. We answer the technical questions so your team can run the business.

The Comparison

Why Armorstack vs. a CMMC Consultant

Consultants leave the binder. We operate the program.

Pricing model
  • Traditional CMMC consultant: $250–$500/hour, billable; scope creep is the business model.
  • Armorstack managed CMMC: Fixed monthly subscription tied to your level and CUI scope.

Engagement model
  • Traditional CMMC consultant: Point-in-time gap assessment plus binder hand-off, then they're gone.
  • Armorstack managed CMMC: Continuous program; the controls are operated, not just documented.

SSP/POA&M ownership
  • Traditional CMMC consultant: Drafted, delivered, then your team owns updates forever.
  • Armorstack managed CMMC: Maintained by Armorstack as part of the subscription, every quarter.

SOC integration
  • Traditional CMMC consultant: None; they don't operate a SOC, so you buy that separately.
  • Armorstack managed CMMC: SENTRY SOC enforces controls 24×7 and produces the audit evidence.

Evidence on assessment day
  • Traditional CMMC consultant: You scramble to assemble logs, screenshots, and training records.
  • Armorstack managed CMMC: Queryable evidence repository, pulled on demand in front of the C3PAO.

Engineering depth
  • Traditional CMMC consultant: GRC analysts who write policies but don't touch infrastructure.
  • Armorstack managed CMMC: 24+ years of infrastructure operations behind every control.

Reassessment cycle
  • Traditional CMMC consultant: Quote a new project every three years.
  • Armorstack managed CMMC: Triennial recertification included; no re-engagement fee.

Frequently Asked

CMMC, answered straight.

Do I need CMMC if I’m a subcontractor? +
Yes, in most cases. DFARS clause 252.204-7021 flows down through the supply chain. If you receive FCI or CUI from a prime — or from another sub upstream of you — the same CMMC level applies to your environment. The prime is contractually obligated to verify your certification before sharing covered information. There is no “small business exemption.”
How long does CMMC implementation take? +
For Level 1, four to eight weeks. For Level 2 starting from a typical commercial environment, six to twelve months from kickoff to a defensible C3PAO assessment — driven primarily by remediation work (MFA everywhere, FIPS-validated encryption, CUI segmentation, audit logging, policy buildout). Environments already running mature security programs can compress to four to six months.
What’s the difference between CMMC Level 1 and Level 2? +
Level 1 covers the 15 basic safeguarding requirements in FAR 52.204-21 (17 practices in the earlier CMMC model) and applies only to FCI. It is satisfied by an annual self-assessment and affirmation submitted to SPRS. Level 2 covers all 110 NIST SP 800-171 Rev. 2 requirements and applies to environments handling CUI. Most Level 2 contracts require a triennial third-party assessment by a C3PAO, with an annual senior-official affirmation in between. The control surface and the rigor of verification both step up significantly.
Will my existing IT environment need to change? +
Almost certainly, for Level 2. Common gaps in commercial environments include: cryptography that is not FIPS 140-validated (a partially implemented SC.L2-3.13.11 costs points on the SPRS score), missing or weak MFA on privileged and remote accounts, no audit logging at the host and application layer, no defined CUI enclave or segmentation (so the whole company ends up in the assessment boundary), and incomplete configuration baselines. Any cloud service that stores, processes, or transmits CUI must sit in a FedRAMP Moderate (or equivalent) boundary under DFARS 252.204-7012; Microsoft 365 Commercial is not positioned to meet that for CUI, which is why GCC High (or another compliant boundary, with GCC High the usual choice where export-controlled CUI is involved) is the common landing zone. We scope the gaps in the readiness assessment.
Can Armorstack act as our External Service Provider for CUI? +
Yes. As a managed services provider whose offerings touch CUI, Armorstack is itself in scope as an External Service Provider (ESP) under the CMMC Assessment Process, and the services we deliver are assessed as part of your Level 2 assessment. Controls we operate are inherited into your assessment boundary, reducing what your team has to build; your SSP still has to document which requirements are inherited and which responsibilities remain yours (a shared-responsibility matrix), and the assessor will want evidence for both halves. We operate against the same 110 requirements we implement for you.
What happens during a C3PAO assessment? +
A C3PAO assessment runs against the CMMC Assessment Process (CAP) and typically lasts one to two weeks for a Level 2 environment. The assessment team examines artifacts (your SSP, policies, evidence), interviews personnel (senior official, system owners, end users), and tests controls (configurations, log samples, MFA enforcement). Each of the 110 requirements is recorded as MET, NOT MET, or NOT APPLICABLE, and the result is scored using the DoD Assessment Methodology weights (5, 3, or 1 point per requirement, 110 maximum). All requirements MET yields a Final certification. A Conditional certification is possible if the score reaches the minimum in 32 CFR 170.21 (88 of 110) and every open item is POA&M-eligible, which in practice means 1-point requirements (a few 1-point physical-access and connection requirements are excluded) plus a partially implemented FIPS requirement; those POA&M items must be closed and verified within 180 days or the conditional status lapses. Armorstack participates as your technical lead throughout.
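The scoring and conditional-status logic described above, as an added worked example (not Armorstack's or the CAP's own tooling). Weights follow the DoD Assessment Methodology for NIST SP 800-171 (5/3/1 points, 110 maximum, partial credit only for 3.5.3 MFA and 3.13.11 FIPS); the weight table here is a constructed subset, and the 88-point floor, the POA&M eligibility rules and the 180-day window are the author's reading of 32 CFR 170.21, kept as named constants so they can be checked against the current rule text. Requirements not listed in the findings are treated as MET.

```python
"""SPRS-style scoring and Final/Conditional/Fail outcome for a Level 2 assessment.

Added example. Weight table is a CONSTRUCTED subset of the published DoD
Assessment Methodology table; thresholds are assumptions drawn from
32 CFR 170.21 and should be confirmed against the rule before use.
"""
from enum import Enum

MAX_SCORE = 110
CONDITIONAL_MIN_SCORE = 88   # assumption: 80% of 110, per 32 CFR 170.21
POAM_CLOSEOUT_DAYS = 180     # assumption: per 32 CFR 170.21


class Finding(Enum):
    MET = "MET"
    NOT_MET = "NOT MET"
    NOT_APPLICABLE = "NOT APPLICABLE"
    PARTIAL = "PARTIAL"      # scoring nuance; only allowed for 3.5.3 and 3.13.11


# Constructed subset of the published weight table: requirement id -> points.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.5.3": 5, "3.5.7": 1, "3.5.8": 1,
    "3.10.3": 1, "3.13.11": 5, "3.14.1": 5,
}
# Partial implementation deducts 3 instead of 5 for these two requirements only.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
# 1-point requirements that still may not be placed on a POA&M (assumption).
POAM_INELIGIBLE = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


def score(findings: dict[str, Finding]) -> int:
    """Start at 110 and subtract the weight of every unmet requirement."""
    total = MAX_SCORE
    for req, finding in findings.items():
        if finding is Finding.NOT_MET:
            total -= WEIGHTS[req]
        elif finding is Finding.PARTIAL:
            if req not in PARTIAL_DEDUCTION:
                raise ValueError(f"{req} has no partial-credit option; record it NOT MET")
            total -= PARTIAL_DEDUCTION[req]
    return total


def poam_eligible(req: str, finding: Finding) -> bool:
    """Only 1-point items (minus the excluded ones) and partial 3.13.11 may go on a POA&M."""
    if req in POAM_INELIGIBLE:
        return False
    if finding is Finding.PARTIAL:
        return req == "3.13.11"  # partial MFA (3 points) is not POA&M-eligible
    return WEIGHTS[req] == 1


def assessment_outcome(findings: dict[str, Finding]) -> tuple[str, list[str]]:
    """Return ("FINAL", []), ("CONDITIONAL", poam_items) or ("FAIL", blocking_items)."""
    open_items = [r for r, f in findings.items() if f in (Finding.NOT_MET, Finding.PARTIAL)]
    if not open_items:
        return "FINAL", []
    blockers = [r for r in open_items if not poam_eligible(r, findings[r])]
    if blockers or score(findings) < CONDITIONAL_MIN_SCORE:
        return "FAIL", blockers or open_items
    return "CONDITIONAL", open_items


if __name__ == "__main__":
    # Constructed findings: weak password policy open, FIPS crypto only partly rolled out.
    sample = {"3.1.1": Finding.MET, "3.5.7": Finding.NOT_MET, "3.13.11": Finding.PARTIAL}
    print(score(sample), assessment_outcome(sample))
```

Run it as-is to see a 106-point result that qualifies for a Conditional certification with two POA&M items; change `3.13.11` to `Finding.NOT_MET` and the same environment fails, because a fully unmet 5-point requirement cannot be carried on a POA&M regardless of the total score.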
How does CMMC interact with FedRAMP? +
They are distinct frameworks that frequently overlap. Cloud services that store, process, or transmit CUI must be FedRAMP Moderate authorized (or equivalent) per DFARS 252.204-7012. CMMC then assesses how you use those cloud services — your configuration, your access controls, your data handling. FedRAMP authorizes the cloud platform; CMMC certifies your operating environment on top of it. Microsoft 365 GCC High and Azure Government are common building blocks; AWS GovCloud is another.
What’s the cost of getting it wrong? +
Three failure modes, each with real money attached. First, contract loss: no certification, no award — full stop. Second, False Claims Act exposure: a knowingly inflated SPRS self-attestation is now a routine DOJ Civil Cyber-Fraud Initiative target, with treble damages and per-claim penalties. Recent settlements have run from $300K to $9M. Third, contract termination and debarment: a failed C3PAO assessment on an active contract can trigger cure notices, stop-work orders, and suspension from future awards. The downside dwarfs the program cost.

Live Enforcement

CMMC 2.0 enforcement is live.

Get a no-cost CMMC readiness assessment in 30 days. We’ll scope your CUI boundary, score you against all 110 NIST 800-171 controls, and deliver a defensible POA&M with a fixed-price path to certification.

Start My CMMC Readiness Assessment
