CMMC 2.0 Requirements for Defense Contractors

December 10, 2025

If you're an aerospace or defense contractor, CMMC 2.0 (Cybersecurity Maturity Model Certification) is becoming a condition of doing business with the Department of Defense. Here's what you need to know about the updated framework and how to prepare for certification.

What is CMMC 2.0?

CMMC 2.0 is the Department of Defense's framework for verifying that contractors adequately protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The updated version, announced in November 2021, streamlines the original five-level model into three levels with clearer requirements. The program rule (32 CFR Part 170) took effect in December 2024, and the contracting rule that puts the CMMC clause (DFARS 252.204-7021) into solicitations took effect in November 2025.

CMMC requirements began appearing in DoD solicitations in November 2025 and are being phased in over roughly three years until they apply to every contract that involves FCI or CUI. Not every contract will carry the clause in 2026, but the required level will be stated in the solicitation, and you must hold it before award. If you manufacture aerospace components, provide defense-related services, or sit anywhere in the defense supply chain, expect to see it.

The Three CMMC 2.0 Levels

Level 1: Foundational (15 basic safeguarding requirements; earlier CMMC 2.0 material counted them as 17 practices)

Who needs it: Contractors handling Federal Contract Information (FCI) only, meaning contract-related information that is not CUI.

Requirements: Basic cyber hygiene practices taken from FAR 52.204-21

Assessment: Annual self-assessment, with an annual affirmation by a senior official entered in SPRS (no third-party audit required)

Examples: Access controls, media protection, physical security, system and information integrity (antivirus, patching)

Level 2: Advanced (110 practices)

Who needs it: Contractors handling Controlled Unclassified Information (CUI), which is the majority of defense contractors

Requirements: All 110 security requirements of NIST SP 800-171 Revision 2

Assessment: For most CUI contracts, a triennial assessment by a C3PAO (CMMC Third-Party Assessment Organization). DoD designates a subset of Level 2 contracts as self-assessment only. In either case a senior official affirms continued compliance in SPRS every year.

Key additions beyond Level 1: Multi-factor authentication, FIPS-validated encryption of CUI, audit logging, incident response, security awareness training, configuration management, and system and information integrity controls

Level 3: Expert (110 + 24 practices)

Who needs it: Contractors supporting high-priority programs whose CUI is a target of advanced persistent threats (APTs)

Requirements: All of NIST SP 800-171 plus 24 selected enhanced requirements from NIST SP 800-172

Assessment: Triennial assessment led by the government (DCMA's Defense Industrial Base Cybersecurity Assessment Center, DIBCAC), which requires a current Level 2 C3PAO certification first

Focus: Advanced threat detection, threat hunting, penetration-resistant architecture, and enhanced protection of the CUI environment

Most Common Level 2 Requirements

Since most defense contractors will need Level 2, here are the most critical requirements (numbers in parentheses are the NIST SP 800-171 Rev 2 requirement identifiers):

Access Control (22 practices)

  • Limit system access to authorized users, processes, and devices, and to the transactions and functions each is permitted to perform (3.1.1, 3.1.2)
  • Least privilege: users get only the access their role requires, and privileged functions are restricted to privileged accounts (3.1.5)
  • Separate admin accounts from day-to-day user accounts, and use non-privileged accounts for non-security functions (3.1.6)
  • Session lock with a pattern-hiding display after a defined period of inactivity (3.1.10). NIST SP 800-171 does not set the interval; 15 minutes is the conventional choice
  • Regular review and removal of unnecessary accounts, and control of remote access and mobile devices, including encrypting CUI on mobile devices (3.1.12, 3.1.18, 3.1.19)

Identification and Authentication (11 practices)

  • Unique identification of users, of processes acting on their behalf, and of devices (3.5.1, 3.5.2)
  • Multi-factor authentication for local and network access to privileged accounts, and for network access to non-privileged accounts (3.5.3)
  • Minimum password complexity and change-of-character rules for new passwords (3.5.7)
  • Prohibit password reuse for a specified number of generations (3.5.8)
  • Protect authenticators: passwords stored and transmitted only in cryptographically protected form, replay-resistant authentication for network access, and managed tokens and certificates (3.5.4, 3.5.10)

Media Protection (9 practices)

  • Sanitize or destroy system media containing CUI before disposal or release for reuse (3.8.3)
  • Limit access to CUI on system media to authorized users (3.8.2)
  • Mark media containing CUI with the required CUI markings and distribution limitations (3.8.4)
  • Protect CUI on digital media during transport with cryptography unless physical safeguards apply, and protect the confidentiality of CUI on backup media (3.8.6, 3.8.9)
  • Prohibit the use of portable storage devices that have no identifiable owner (3.8.8)

System and Communications Protection (16 practices)

  • Monitor, control, and protect communications at external boundaries and at key internal boundaries (3.13.1)
  • Segment the CUI environment from the rest of the network, with publicly accessible components on their own subnetworks (3.13.2, 3.13.5)
  • Use cryptographic mechanisms to protect CUI in transit and protect the confidentiality of CUI at rest (3.13.8, 3.13.16); any cryptography used to protect CUI must be FIPS 140 validated (3.13.11), which is a frequent assessment finding
  • Deny network communications by default and allow by exception (an allow-list approach, 3.13.6)
  • Establish and manage cryptographic keys (3.13.10)
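The boundary requirements in this list are easiest to picture as a concrete ruleset. The nftables policy below, for a Linux gateway placed between a CUI enclave and the rest of the corporate network, is an added example written for this page; it is not configuration from the original article or from any DoD or NIST publication. The interface names, the enclave subnet 10.50.0.0/24, the corporate user subnet 10.10.0.0/24, the jump host 10.10.0.5, the SIEM collector 10.10.0.20 and the file server 10.50.0.10 are assumptions. It shows a deny-by-default forward policy with logged exceptions (3.13.6 and 3.13.1) and opens only TLS-protected services into the enclave (3.13.8).

```nftables
#!/usr/sbin/nft -f
# Added example: deny-by-default boundary policy for a CUI enclave gateway.
# All addresses and interface names below are illustrative assumptions.

flush ruleset

define OUTSIDE_IF  = "eth0"          # corporate / internet side of the gateway
define ENCLAVE_IF  = "eth1"          # CUI enclave side of the gateway
define ENCLAVE_NET = 10.50.0.0/24    # segmented CUI network (3.13.2, 3.13.5)
define USER_NET    = 10.10.0.0/24    # workstations of users cleared for CUI
define JUMP_HOST   = 10.10.0.5       # admin jump host; MFA is enforced there
define SIEM        = 10.10.0.20      # central log collector
define FILE_SERVER = 10.50.0.10      # CUI document server with an HTTPS front end

table inet cui_boundary {
    # Traffic crossing the gateway between the enclave and everything else.
    chain forward {
        type filter hook forward priority 0; policy drop;   # 3.13.6: deny all, permit by exception

        ct state established,related accept
        ct state invalid drop

        # Exception 1: admin SSH into the enclave from the jump host only, logged.
        iifname $OUTSIDE_IF oifname $ENCLAVE_IF \
            ip saddr $JUMP_HOST ip daddr $ENCLAVE_NET tcp dport 22 \
            log prefix "cui-admin-ssh " accept

        # Exception 2: cleared users reach the CUI server over HTTPS only, so CUI
        # in transit is encrypted (3.13.8). Plain HTTP and SMB are deliberately
        # not opened; anything not listed here is dropped by the policy.
        iifname $OUTSIDE_IF oifname $ENCLAVE_IF \
            ip saddr $USER_NET ip daddr $FILE_SERVER tcp dport 443 \
            log prefix "cui-user-https " accept

        # Exception 3: enclave hosts may ship audit logs to the SIEM over TLS
        # syslog. No other outbound connection (including to the internet) is
        # permitted from the enclave.
        iifname $ENCLAVE_IF oifname $OUTSIDE_IF \
            ip saddr $ENCLAVE_NET ip daddr $SIEM tcp dport 6514 accept

        # Everything else falls to the drop policy; log it so boundary
        # monitoring (3.13.1) has a record of what was blocked.
        log prefix "cui-boundary-drop " drop
    }

    # Traffic addressed to the gateway itself: admin SSH from the jump host only.
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept
        ip saddr $JUMP_HOST tcp dport 22 accept
        icmp type echo-request limit rate 5/second accept
        log prefix "cui-gw-input-drop " drop
    }

    # The gateway's own outbound traffic (package updates, its own syslog).
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Validate the file with `nft -c -f cui-boundary.nft` before loading it with `nft -f cui-boundary.nft`, and keep the output of `nft list ruleset` together with the kernel log lines carrying the `cui-` prefixes as assessment evidence for 3.13.1 and 3.13.6. Because the table is `inet` but every exception matches IPv4 addresses, IPv6 traffic matches no exception and is dropped by the policy; that is the intended behaviour for an enclave unless IPv6 is actually in use there, in which case equivalent `ip6` rules are needed.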

Incident Response (3 practices)

  • Establish an operational incident-handling capability covering preparation, detection, analysis, containment, recovery, and user response (3.6.1)
  • Track, document, and report incidents to designated officials inside the organization and to the authorities outside it (3.6.2)
  • Test the incident response capability (3.6.3)
  • In addition, DFARS 252.204-7012 requires that cyber incidents affecting covered defense information be reported to DoD through DIBNet within 72 hours of discovery, and that images of affected systems and relevant logs be preserved for at least 90 days

Documentation Requirements

CMMC 2.0 requires documented evidence of your security practices. You'll need:

  • System Security Plan (SSP): Describes the in-scope systems, the CUI boundary, and how each of the 110 requirements is met
  • Plan of Action and Milestones (POA&M): Documents any gaps and the remediation timeline. Note that the final rule only allows a conditional Level 2 certification with open POA&M items if the assessment score is at least 88 of 110, the open items are (with very limited exceptions) 1-point requirements, and the POA&M is closed out within 180 days
  • Policies and Procedures: Written documentation for each security practice
  • Configuration Management: Baseline configurations and change records for systems processing CUI
  • Incident Response Plan: Procedures for detecting, responding to, and reporting incidents
  • Training Records: Evidence that users completed security awareness training
  • Asset Inventory: Complete list of hardware and software in the assessment scope, categorized as CUI assets, security protection assets, contractor risk managed assets, or specialized assets

Preparation Timeline

Getting ready for CMMC Level 2 typically takes 6-18 months depending on your current state:

Months 1-3: Assessment

  • Identify what CUI you handle and where it resides
  • Conduct gap analysis against NIST 800-171
  • Prioritize remediation efforts
  • Develop project plan and budget

Months 4-12: Implementation

  • Deploy technical controls (MFA, encryption, logging, etc.)
  • Implement network segmentation
  • Develop policies and procedures
  • Deploy endpoint protection and monitoring
  • Configure backup and recovery systems
  • Establish incident response capability

Months 13-15: Documentation & Training

  • Complete System Security Plan
  • Document all policies and procedures
  • Conduct security awareness training
  • Create evidence packages
  • Document POA&M for any remaining gaps

Months 16-18: Assessment Preparation

  • Conduct internal assessment
  • Address any findings
  • Select C3PAO assessor
  • Schedule formal assessment

Common Mistakes to Avoid

1. Assuming compliance equals cybersecurity
CMMC is a minimum baseline. Don't stop at compliance—implement defense-in-depth.

2. Treating it as an IT-only project
CMMC requires organization-wide participation. Executive leadership, operations, and HR all play roles.

3. Poor scoping
Trying to apply all 110 controls to your entire organization is expensive and complex. Segment your network, put the CUI systems in a defined enclave, and document which assets are in scope so the assessor sees the same boundary you defended.

4. Inadequate documentation
"If it's not documented, it doesn't exist" is the assessor's mantra. Document everything.

5. Last-minute preparation
Don't wait until you see CMMC in a contract. Start preparing now—certification will take time.

6. DIY approach without expertise
While small contractors can self-implement, most benefit from experienced guidance to avoid costly mistakes.

Cost Considerations

CMMC Level 2 compliance costs vary widely based on company size and current security posture:

  • Small contractors (5-20 employees): $50,000-$150,000
  • Medium contractors (20-50 employees): $150,000-$500,000
  • Larger contractors (50+ employees): $500,000+

Costs include technology (hardware/software), consulting services, assessment fees, training, and ongoing maintenance. Many contractors find managed IT services more cost-effective than building internal capabilities.

The Bottom Line

CMMC 2.0 is complex, but it's manageable with proper planning and the right partners. The key is starting early—don't wait for it to appear in your contracts. Aerospace and defense contractors who proactively achieve certification will have a competitive advantage in the market.

For California manufacturers working in the aerospace supply chain, CMMC compliance is quickly becoming table stakes for doing business. The investment in cybersecurity not only enables you to bid on DoD contracts but also protects your intellectual property, customer data, and business operations from increasingly sophisticated threats.

Need Help with CMMC Compliance?

We specialize in helping aerospace and defense contractors achieve CMMC Level 2 certification. Schedule a free gap assessment to understand your current state and next steps.
