What is CMMC 2.0 and when did it take effect?

CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense's framework requiring defense contractors to demonstrate cybersecurity maturity through formal assessments. The final rule (32 CFR Part 170) went into effect on December 16, 2024, making DFARS 252.204-7021 active and enforceable. It simplifies the original five-level model into three streamlined levels aligned with NIST SP 800-171 and SP 800-172.

Who needs CMMC certification?

Any organization in the Defense Industrial Base (DIB) that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) needs CMMC certification to bid on or maintain DoD contracts. This includes prime contractors, subcontractors, and any company in the DoD supply chain that receives or generates non-public federal data.

What are the three CMMC 2.0 levels?

Level 1 (Foundational) requires 17 basic safeguarding practices from FAR 52.204-21 for organizations handling FCI. Level 2 (Advanced) requires all 110 security requirements from NIST SP 800-171 for organizations handling CUI. Level 3 (Expert) adds 24 enhanced controls from NIST SP 800-172 for critical national security programs and is assessed by DIBCAC.

How long does it take to achieve CMMC compliance?

Timeline depends on your current cybersecurity maturity, organization size, and target level. Organizations starting from scratch typically need 6 to 12 months for Level 2. With Petronella's accelerated methodology and pre-built documentation, many clients achieve Level 2 certification in as little as 6 months.

What is the difference between CMMC and NIST 800-171?

NIST SP 800-171 defines the 110 security requirements for protecting CUI in non-federal systems. CMMC is the DoD's certification framework that verifies contractors have actually implemented those requirements through formal assessments. CMMC Level 2 maps directly to the 110 NIST 800-171 controls. In short: NIST 800-171 is the 'what,' and CMMC is the 'prove it.'

What are POA&Ms and are they allowed under CMMC 2.0?

Plans of Action and Milestones (POA&Ms) allow you to address remaining control gaps on a defined timeline. Under CMMC 2.0, limited POA&M use is permitted at Levels 2 and 3 for non-critical controls, granting a conditional certification with 180 days to remediate. Critical controls like MFA and antivirus must be fully implemented at the time of audit.

How much does CMMC compliance cost?

Costs vary based on organization size, current maturity, and target level. Small businesses can expect to invest between $20,000 and $100,000 or more for Level 2 compliance, including remediation, documentation, infrastructure, and C3PAO assessment fees. Petronella reduces costs with pre-built documentation and compliant cloud infrastructure.

What is an SPRS score and why does it matter?

The Supplier Performance Risk System (SPRS) score reflects your NIST 800-171 self-assessment results, ranging from -203 to 110. Under DFARS 7019, contractors must submit their SPRS score to be considered for new DoD awards. Contracting officers check SPRS as a gate - proposals without a current score may be rejected.

Is Petronella a certified CMMC provider?

Yes. Petronella Technology Group is a CMMC Registered Provider Organization (RPO) accredited by the Cyber-AB. Our team includes Registered Practitioners (RPs) trained in the CMMC model and NIST standards. Craig Petronella is a CMMC Registered Practitioner.

What happens if I am not CMMC compliant?

Without the required CMMC certification, you will not be awarded DoD contracts that specify a CMMC requirement. You risk losing current contracts, being disqualified from future bids, and facing False Claims Act liability if you misrepresent your cybersecurity posture.

CMMC Level 1, 2 and 3 by RPO #1449.

The fastest path to CMMC Level 2 for DoD subcontractors. NIST SP 800-171 alignment, 110-control gap assessment, SSP and POA&M structure, mock C3PAO audit, delivered by an RPO-listed CMMC-RP practitioner team based in Raleigh.

CMMC-AB RPO #1449 · Team CMMC-RP · BBB A+ Since 2003

Call Penny → (919) 348-4912 CMMC Readiness Guide

New from Petronella Technology Group: CMMC Level 1 self-assessment guide for DoD subcontractors and the C3PAO selection guide for Phase 2 readiness.

24+ Years Protecting Businesses

RPO #1449 CMMC-AB Registered Provider Org

A+ BBB Accredited Since 2003

Readiness Guide Assessment Checklist SPRS Calc Alternatives Controls

What CMMC compliance actually requires

CMMC 2.0 has three levels. Level 1 is annual self-attestation against 17 basic safeguarding controls. Level 2 is the one most defense subcontractors actually need: a C3PAO-led assessment of all 110 NIST SP 800-171 controls, with a numeric SPRS score posted to the DoD's Supplier Performance Risk System. Level 3 stacks a subset of NIST SP 800-172 controls on top for contracts touching the most sensitive CUI.

If your prime contractor has flowed down a DFARS 252.204-7012 clause and you handle Controlled Unclassified Information, you need Level 2. Start with our CMMC compliance guide if you want the full lay of the land before scoping work. If you want the short version of where your gaps are right now, run the CMMC compliance checklist and the SPRS calculator in the same sitting.

Our CMMC engagement, step by step

We are a CMMC-AB Registered Practitioner Organization, RPO #1449. Every engineer assigned to your engagement is a CMMC-RP. We do not certify and we do not assess. C3PAOs do that, by design. What we do is take you from "we have a CUI flow-down clause" to "we are ready for the assessor" without burning twelve months of internal time figuring out what each control actually requires.

A typical engagement opens with a CMMC gap assessment against all 110 controls, including CUI boundary scoping and an SPRS score baseline. From there we close the technical gaps that almost always block Level 2: multifactor authentication on every required path (3.5.3), session lock and termination (3.1.10), risk assessment cadence (3.11.1), FIPS-validated encryption, audit logging that actually correlates, and the configuration management baseline. We author the System Security Plan and Plan of Action & Milestones, organize the evidence library, then run a mock C3PAO assessment against the same Conformity Assessment Procedures the real assessor will use.

If Level 2 is not the right scope for you

Not every contractor needs the full Level 2 path. Some only handle FCI and qualify for Level 1 self-attestation. Some can shrink scope dramatically by moving CUI into a separate enclave instead of certifying their whole tenant. Some are evaluating whether a managed-tenant offering is cheaper than building their own. We walk through those tradeoffs honestly in CMMC alternatives, and we do not pretend a Level 2 engagement is mandatory when it is not.

Explore

CMMC Compliance services

Pick the path that matches what you need next. Or call Penny - she'll book your free 15-minute consult.

Related pillars, defense resources, and supply-chain reading

CMMC compliance by city - North Carolina service areas

NIST 800-171 control library - all 110 controls explained

Ready to talk?

Call Penny - she answers before the third ring, asks 3 qualifying questions, then books your free 15.

Call Penny → (919) 348-4912 Level 2 Readiness Playbook

CMMC Level 1, 2 and 3 by RPO #1449.

What CMMC compliance actually requires

Our CMMC engagement, step by step

If Level 2 is not the right scope for you

CMMC Compliance services

CMMC Compliance Guide

CMMC Assessment

CMMC Compliance Checklist

SPRS Calculator

CMMC Alternatives

CMMC Compliance Services

Defense Contractor Cybersecurity

CMMC for Manufacturers

Ready to talk?