← Back to Resources
📰 Industry News

CMMC 2.0 Is Here: What Defense Contractors Need to Know

✍️ By Able Computer Solutions 📅 May 2026 ⏱️ 7 min read

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is now being enforced across Department of Defense contracts. If your business works with the DoD — directly or as a subcontractor — this affects you. Here's a plain-English breakdown of what you need to know.

What Is CMMC?

CMMC is the DoD's framework for ensuring that defense contractors adequately protect sensitive government information, specifically Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Version 2.0 simplified the original five-level model into three levels.

The Three CMMC 2.0 Levels

Level 1 — Foundational

17 basic cybersecurity practices aligned with FAR 52.204-21. Self-assessment is allowed. Covers basic cyber hygiene like antivirus, password policies, and access controls. Required for companies handling FCI.

Level 2 — Advanced

110 practices aligned with NIST SP 800-171. Third-party assessment required for most contracts involving CUI. This is where most defense contractors fall — and where the most work is required.

Level 3 — Expert

Based on NIST SP 800-172 with additional practices. Government-led assessments. Required for the most critical DoD programs.

What You Need to Do Now

  1. Determine your level — review your contracts and identify whether you handle CUI or FCI
  2. Conduct a gap assessment — compare your current security posture against NIST 800-171 requirements
  3. Create a System Security Plan (SSP) — document your current controls
  4. Develop a Plan of Action & Milestones (POA&M) — document gaps and how you'll fix them
  5. Implement missing controls — this takes time, budget accordingly
  6. Schedule your assessment — for Level 2, find a C3PAO (Certified Third-Party Assessment Organization)

💡 Important: CMMC compliance cannot be faked or rushed. Starting early gives you time to fix gaps properly. Companies found misrepresenting their compliance status face False Claims Act liability.

How Able Computer Solutions Can Help

We provide CMMC readiness assessments, gap analysis, SSP development, and technical implementation of the required controls. Our founder's academic background in cybersecurity combined with practical MSP experience makes us uniquely positioned to guide small defense contractors through this process.

Is Your Business Protected?

Get a free, no-obligation IT and security assessment from our team. We'll identify your risks and show you exactly how to fix them.

Get My Free Assessment →