CMMC 2.0 Final Rule · Effective December 16, 2024

CMMC Level 2 Compliance Without Hiring a Security Team

The CMMC final rule is in effect. DoD contracts with CMMC requirements are appearing now and will scale across the entire defense industrial base. Our CUI-protected enclave inherits the infrastructure-layer NIST 800-171 requirements so your organization can reach Level 2 readiness in 60–90 days, not 12 months.

110 NIST 800-171 Requirements
14 Security Requirement Families
60–90 Days to Level 2 Readiness
220K+ DIB Contractors in Scope

CMMC Level 2 Ready · NIST 800-171 Rev 2 · DFARS 252.204-7012 · FIPS 140-2 Encrypted · US Persons Only

Why It Matters

What NIST 800-171 / CMMC Means for Your Organization

If your organization handles Federal Contract Information or Controlled Unclassified Information for the Department of Defense, the Cybersecurity Maturity Model Certification program now governs your eligibility to bid, win, and perform on DoD contracts. CMMC 2.0 builds on NIST SP 800-171 — its 110 security requirements form the entire content of CMMC Level 2.

Final Rule in Effect

The CMMC Program Final Rule (32 CFR Part 170) became effective December 16, 2024. The companion DFARS rule (48 CFR) makes CMMC contractually binding through DFARS 252.204-7021, with phased rollout across 2025.

SPRS Score Required Today

Even before CMMC enforcement, DFARS 252.204-7019 already requires contractors handling CUI to submit a self-assessed SPRS score. The maximum score of 110 reflects full NIST 800-171 implementation.

Flow-Down to Subcontractors

Prime contractors must flow CMMC requirements down to subcontractors handling FCI or CUI in performance of the contract. A small subcontractor with no CUI exposure may stay at Level 1; anyone touching CUI needs Level 2.

C3PAO Assessment Required

Level 2 assessments are conducted by Certified Third-Party Assessment Organizations accredited by the Cyber AB. Limited contracts allow annual self-assessment; most contracts require triennial third-party certification.

CMMC 2.0 Final Rule Effective Dec 16, 2024

Three Maturity Levels Aligned to Contract Sensitivity

The Cybersecurity Maturity Model Certification 2.0 program collapsed the original five levels into three. Your required level is determined by the type of information your contract handles: Federal Contract Information (FCI) at Level 1, Controlled Unclassified Information (CUI) at Level 2, and the most sensitive CUI at Level 3.

Foundational

CMMC Level 1

17 practices · Annual self-assessment · FCI only
  • Aligned to FAR 52.204-21 basic safeguards
  • Self-assessment with annual affirmation
  • SPRS submission required
  • Federal Contract Information only — no CUI
  • Lowest cost path; broadest applicability

Expert

CMMC Level 3

110+ practices · DIBCAC assessment · Critical CUI
  • Full Level 2 plus subset of NIST 800-172
  • Government-led DIBCAC assessment
  • Reserved for highest-priority programs
  • Advanced Persistent Threat protections
  • Triennial reassessment cadence

NIST 800-171 Rev 2 — 14 Security Requirement Families

110 Security Requirements Across 14 Families

NIST 800-171 codifies the security requirements for protecting Controlled Unclassified Information when it lives on non-federal information systems. The framework — 110 requirements organized into 14 families — forms the entire technical content of CMMC Level 2.

3.1 Access Control (22 requirements): limit access to authorized users, processes, and devices.
3.2 Awareness & Training (3 requirements): ensure staff are trained to handle CUI and recognize threats.
3.3 Audit & Accountability (9 requirements): log security-relevant events and trace user actions.
3.4 Configuration Management (9 requirements): establish baselines and enforce secure configurations.
3.5 Identification & Authentication (11 requirements): verify identity of users, processes, and devices.
3.6 Incident Response (3 requirements): prepare for, detect, and respond to security incidents.
3.7 Maintenance (6 requirements): control system maintenance activities and tools.
3.8 Media Protection (9 requirements): protect CUI on system media throughout its lifecycle.
3.9 Personnel Security (2 requirements): screen personnel and protect CUI during personnel actions.
3.10 Physical Protection (6 requirements): limit physical access to CUI environments.
3.11 Risk Assessment (3 requirements): periodically assess organizational risk.
3.12 Security Assessment (4 requirements): assess controls, develop plans, and monitor effectiveness.
3.13 System & Communications Protection (16 requirements): monitor and control communications at boundaries.
3.14 System & Information Integrity (7 requirements): identify, report, and correct flaws and malicious code.

Built for Defense Contractors

How GovDataHosting Accelerates CMMC Level 2

Our CUI-protected enclave is engineered to inherit infrastructure-layer NIST 800-171 requirements directly. Defense contractors using our platform shift the documentation and evidence burden for environment-level requirements onto us, so your team can focus its effort on application and process controls.

Shared responsibility by NIST 800-171 / CMMC activity (what GovDataHosting handles, what you handle):

CUI Boundary & Enclave
  GovDataHosting handles: Pre-built CUI enclave with FIPS 140-2 encryption
  You handle: Application-level CUI handling rules

3.1 Access Control (22 reqs)
  GovDataHosting handles: Infrastructure RBAC, MFA, privileged access
  You handle: Application user roles & access reviews

3.3 Audit & Accountability (9 reqs)
  GovDataHosting handles: SIEM, log retention, alert correlation
  You handle: Application-level audit events

3.4 Configuration Management (9 reqs)
  GovDataHosting handles: DISA STIG hardened images, change control
  You handle: Application configuration baselines

3.10 Physical Protection (6 reqs)
  GovDataHosting handles: Fully inherited from US datacenters
  You handle: Nothing — we own the physical layer

3.13 System & Comms Protection (16 reqs)
  GovDataHosting handles: FIPS-validated crypto, network segmentation
  You handle: Application TLS configuration

3.14 System Integrity (7 reqs)
  GovDataHosting handles: OS patching, vulnerability scanning, IDS
  You handle: Application code scanning

SPRS Score & SSP Support
  GovDataHosting handles: Inheritance language & documentation templates
  You handle: Final SSP authorship & SPRS submission

The GovDataHosting Process

Your Path to NIST 800-171 / CMMC Compliance

Our proven methodology shortens timelines and reduces risk by combining inheritable controls, dedicated compliance staff, and direct experience with CMMC-aligned authorizations.

Step 1

Scope & Boundary

Identify where CUI lives, how it moves, and who touches it. Define the CMMC assessment boundary — the smaller, the better.

Step 2

Migrate to Enclave

Move CUI workloads into our pre-hardened CUI enclave. Inherit infrastructure controls; configure application-layer responsibilities.

Step 3

SSP & SPRS Score

Author the System Security Plan with inheritance language. Submit SPRS score reflecting your real implementation status.

Step 4

C3PAO Assessment

Engage a C3PAO for Level 2 certification. We provide evidence packages, support assessment activities, and remediate findings.

Frequently Asked Questions

NIST 800-171 / CMMC FAQs

When will CMMC actually start appearing in my contracts?

The DFARS rule implementing CMMC contract clauses is on a phased rollout that begins in 2025 and ramps up over three years. Phase 1 introduces Level 1 and Level 2 self-assessment requirements in select contracts. Phase 2 expands to Level 2 third-party certification. Phase 3 adds Level 3, and Phase 4 makes CMMC requirements universal across applicable DoD contracts. Contracting officers can include CMMC requirements at their discretion now — many already are.

What is the difference between FCI and CUI, and why does it matter for my CMMC level?

Federal Contract Information is non-public information provided by or generated for the government under a contract. CUI is a specific category of more sensitive information requiring safeguarding under Executive Order 13556 and the National Archives CUI Registry. If you only handle FCI, Level 1 is your floor. If you handle CUI of any kind, Level 2 is mandatory. The presence of CUI is the trip wire.

Can I just self-assess for Level 2?

Most Level 2 contracts require triennial certification by a C3PAO. A subset of less-sensitive Level 2 contracts may permit annual self-assessment with company officer affirmation. Your contracting officer determines which assessment type applies to a given contract. Plan and budget for third-party certification — it is the more conservative assumption.

Does using GovDataHosting’s enclave automatically make me CMMC Level 2 certified?

No — CMMC certification applies to your organization, not your hosting provider. However, our enclave dramatically reduces the certification effort. Roughly 60–70 of the 110 NIST 800-171 requirements have significant infrastructure inheritance through our platform. You still need policies, training, personnel screening, and process controls — but the technical environment is largely solved.

Ready to Reach CMMC Level 2 Readiness?

Schedule a free CMMC scoping session. We will identify your CUI footprint, map inheritable requirements, and project a realistic 60–90 day path to assessment-readiness.