CMMC 2.0 Compliance: What DoD Contractors Need to Know
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the U.S. Department of Defense's (DoD) updated cybersecurity compliance framework and the successor to CMMC 1.0.
UPDATE: This post, originally published on May 26, 2021, has been updated to reflect the latest developments in CMMC 2.0 compliance. It now includes refreshed guidance on audit readiness, updated control mappings, and new insights into how Tanium supports continuous compliance and operational maturity across the defense industrial base.
CMMC 2.0 is transforming how the DoD requires contractors to secure Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) across the defense industrial base (DIB) by introducing rigorous cybersecurity requirements that all contractors must meet.
Building on the foundation of CMMC 1.0, the updated CMMC 2.0 model reinforces the DoD’s goal of safeguarding national security by establishing robust, scalable, and enforceable cybersecurity standards. It requires contractors to demonstrate their cybersecurity maturity through a tiered, measurable, and audit-driven framework, ensuring accountability and alignment with evolving threats and compliance expectations.
However, the time to prepare for CMMC 2.0 is nearly over. With assessment results already being recorded in the Supplier Performance Risk System (SPRS), compliance is expected to become a contract requirement once CMMC is formally incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS) this year. Contractors must now shift from planning to execution.
Yet even as enforcement ramps up, many organizations are still catching up.
If you’re a DoD contractor, CMMC 2.0 isn’t just another acronym—it’s your new reality. This updated cybersecurity framework is reshaping how the defense industrial base protects sensitive data, and it’s no longer optional.
Whether you’re beginning your compliance journey or preparing for a third-party assessment, this comprehensive guide will walk you through everything you need to know about CMMC 2.0—including how Tanium simplifies and helps accelerate your path to compliance.
- What is CMMC 2.0 and why it matters
- Understanding the CMMC 2.0 levels: From foundational to expert
- Key goals of CMMC 2.0
- Who needs to be CMMC compliant?
- Requirements for CMMC 2.0 compliance
- A practical 6-step CMMC 2.0 compliance checklist
- CMMC process maturity: Moving beyond point-in-time certification
- How Tanium helps organizations achieve CMMC 2.0 compliance
- Frequently asked questions about CMMC
- Additional resources
What is CMMC 2.0 and why it matters
CMMC 2.0 introduces a modernized structure with three distinct levels of cybersecurity maturity, replacing the original five-level model. Each level aligns with the sensitivity of the data being handled and defines the corresponding security expectations in greater detail.
The model emphasizes measurable progress and formal validation, requiring contractors to demonstrate compliance through self-assessments, third-party evaluations, or government-led audits depending on the level of certification required.
In practice, this means that CMMC Level 2 incorporates all 110 controls from National Institute of Standards and Technology (NIST) SP 800-171, while Level 3 adds a subset of the enhanced requirements in NIST SP 800-172 on top of Level 2. The levels organize these practices into clearly defined domains such as access control, configuration management, and awareness training, each designed to build a resilient security culture and ensure accountability across the supply chain.
Historically, supply chain cybersecurity has relied heavily on trust-based models and outdated tools like spreadsheets and binary questionnaires—leaving critical visibility and accountability gaps.
The CMMC program addresses these challenges by enforcing standardized, measurable cybersecurity practices across the defense industrial base. Its purpose is not only to ensure compliance but to instill a proactive, resilient security culture. By requiring contractors to demonstrate maturity through audits and continuous improvement, CMMC 2.0 helps reduce risk across the supply chain by promoting consistent, enforceable safeguards.
Navigating CMMC compliance can be challenging, but it doesn’t need to be. In this brief video, you’ll receive a clear and concise overview of what CMMC is and why it is important for organizations within the DIB. This video offers a straightforward and actionable summary to help you move forward with confidence.
CMMC 2.0 ultimately represents the evolution of security standards within the defense sector, aligning training, frameworks, and assessments to ensure that all contractors—regardless of size—can meet the DoD’s goal of protecting national security through resilient and accountable cyber defense.
Understanding the CMMC 2.0 levels: From foundational to expert
CMMC 2.0 simplifies the original five-tier model into three progressive levels, each aligned with specific federal standards and assessment requirements.
However, not every organization needs to meet the same standard. That’s where the tiered model comes in:
CMMC Level | Scope | Requirements | Assessment type |
---|---|---|---|
Level 1 (Foundational) | For organizations handling only FCI | 15 basic safeguarding requirements from FAR 52.204-21 | Annual self-assessment |
Level 2 (Advanced) | For organizations managing CUI | 110 controls aligned with NIST SP 800-171 | Every three years; assessed by a certified Third-Party Assessment Organization (C3PAO) unless the solicitation specifies that a self-assessment suffices |
Level 3 (Expert) | For organizations supporting critical DoD programs | Level 2 plus a subset of 24 NIST SP 800-172 enhanced requirements focused on threat hunting, analytics, and proactive defense against advanced persistent threats | DoD-led assessments (DIBCAC) every three years, building on a Level 2 C3PAO certification |
Each level builds upon the previous level, enhancing the organization’s ability to detect, respond to, and recover from cyber threats.
Key goals of CMMC 2.0
So, what exactly is CMMC 2.0 trying to accomplish?
At its core, it’s about raising the bar for cybersecurity across the defense supply chain. Here’s what it’s aiming to do:
- Protect sensitive information (CUI/FCI)
- Align with existing cybersecurity standards (e.g., NIST SP 800-171)
- Create a tiered, scalable model
- Enforce accountability through assessments
- Drive implementation maturity and transparency
Who needs to be CMMC compliant?
Any organization—commercial, academic, or otherwise—that handles FCI or CUI as part of a DoD contract, including prime contractors and subcontractors, must achieve the appropriate level of CMMC 2.0.
Requirements for CMMC 2.0 compliance
Organizations seeking compliance must demonstrate:
- Real-time asset discovery and inventory
- Vulnerability and patch management
- Identity and access control
- System integrity enforcement
- Secure baseline configurations
- Continuous monitoring and incident response
…all of which must be documented, auditable, and continuously maintained.
These operational requirements map directly to the CMMC 2.0 framework, which is built around 14 domains (down from 17 in version 1.0) and 110 practices aligned with NIST SP 800-171. Each domain, from access control to awareness training, contains specific requirements designed to build a resilient cybersecurity culture.
Between shifting requirements, evolving threats, and the pressure to get it right before an audit, many organizations struggle to move from planning to execution. That’s why we’ve broken the process into a practical, 6-step checklist—to help you get started, stay focused, and move forward with confidence.
A practical 6-step CMMC 2.0 compliance checklist
No matter where you are in your compliance journey—just getting started or preparing for a third-party assessment—this streamlined, actionable checklist can help guide your organization toward CMMC 2.0 readiness:
- Know your level
- Assess where you stand
- Map your environment
- Evaluate and prioritize risk
- Operationalize monitoring and response
- Document and validate
Quick readiness check
Ask yourself:
- How many computers are on your network, and are they authorized to be there?
- What applications are installed, and are they all up to date?
- What are users doing, and is it authorized?
- How comfortable are you with your patch, vulnerability, and risk posture?
These questions help surface blind spots early and guide your remediation priorities. If you can't answer them confidently, your auditors won't be able to either.
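The first two questions above come down to reconciliation: compare what discovery actually found against what the asset inventory says should exist, and compare installed versions against an approved baseline. The script below is an added illustration of that reconciliation and is not Tanium code or part of the original post. The hostnames, MAC addresses, package versions, and the inventory and baseline tables are all constructed for the example; a real run would feed it the output of an endpoint-discovery tool and the organization's authorized-asset register.

```python
"""Reconcile discovered endpoints and installed software against an authorized
inventory and an approved-version baseline. Added example with constructed data;
not code from the original page or from any vendor product."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    """One discovered endpoint: identity plus installed software (name -> version)."""
    hostname: str
    mac: str
    software: dict


def parse_version(version: str) -> tuple:
    """Turn '3.0.13' into (3, 0, 13) so versions compare numerically, not lexically
    ('3.0.9' < '3.0.13' is false as strings but true as tuples)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def find_unauthorized(discovered, authorized):
    """Endpoints whose hardware address is not in the authorized inventory, or whose
    hostname does not match the name registered for that address (a re-imaged or
    spoofed machine). Returns (hostname, reason) pairs in discovery order."""
    findings = []
    for h in discovered:
        expected = authorized.get(h.mac)
        if expected is None:
            findings.append((h.hostname, "not in authorized inventory"))
        elif expected != h.hostname:
            findings.append((h.hostname, f"MAC registered to {expected}"))
    return findings


def find_outdated(discovered, baseline):
    """Installed packages below the approved minimum version, grouped per host.
    Packages not in the baseline are ignored here; a stricter policy would flag them."""
    out = {}
    for h in discovered:
        for name, version in h.software.items():
            minimum = baseline.get(name)
            if minimum is not None and parse_version(version) < parse_version(minimum):
                out.setdefault(h.hostname, []).append((name, version, minimum))
    return out


def find_missing_hosts(discovered, authorized):
    """Authorized assets that discovery did not see: offline, retired without
    updating the register, or evading the scan. In every case the inventory is wrong."""
    seen = {h.mac for h in discovered}
    return sorted(name for mac, name in authorized.items() if mac not in seen)


def readiness_report(discovered, authorized, baseline):
    """Answers to 'what is on the network, is it authorized, is it up to date'."""
    return {
        "unauthorized": find_unauthorized(discovered, authorized),
        "outdated": find_outdated(discovered, baseline),
        "missing": find_missing_hosts(discovered, authorized),
    }


# Constructed sample data (hypothetical hosts, addresses and versions).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": "ws-finance-01",
    "aa:bb:cc:00:00:02": "ws-eng-07",
    "aa:bb:cc:00:00:03": "srv-file-02",
    "aa:bb:cc:00:00:05": "ws-hr-03",
}
BASELINE = {"openssl": "3.0.13", "chrome": "124.0.6367.118"}  # minimum approved versions
DISCOVERED = [
    Host("ws-finance-01", "aa:bb:cc:00:00:01", {"openssl": "3.0.13", "chrome": "124.0.6367.118"}),
    Host("ws-eng-07", "aa:bb:cc:00:00:02", {"openssl": "3.0.9", "chrome": "124.0.6367.118"}),
    Host("lab-box", "aa:bb:cc:00:00:99", {"chrome": "119.0.6045.105"}),
    Host("ws-temp", "aa:bb:cc:00:00:03", {"openssl": "3.0.13"}),
]

if __name__ == "__main__":
    for section, findings in readiness_report(DISCOVERED, AUTHORIZED, BASELINE).items():
        print(f"{section}: {findings}")
```

Keying on a hardware address rather than a hostname is deliberate: a hostname is whatever the machine claims, so the same register entry can be reused to catch a known address answering to an unexpected name. The "missing" list matters as much as the "unauthorized" one; an inventory that lists machines nobody can find is exactly the evidence gap an assessor will ask about.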
Clear, well-organized evidence is essential for both self-assessments and third-party evaluations. It shows that your cybersecurity practices aren’t ad hoc, but consistent, repeatable, and built to last. That kind of operational maturity is what auditors look for and what sets resilient organizations apart.
And that’s the point. Maturity isn’t just about passing a test—it’s about proving you can sustain it. That’s why audit readiness isn’t a one-time event. It’s a mindset.
CMMC process maturity: Moving beyond point-in-time certification
Compliance is no longer just about passing a one-time audit. Instead, it emphasizes the ongoing maturity of cybersecurity processes—how well those processes are documented, institutionalized, and continuously improved over time.
However, contractors often address cybersecurity vulnerabilities with an intricate patchwork of point products that don’t work together, are hard to manage, and don’t provide them with visibility into cyber threats in the network.
If contractors continue to use these point products instead of a unified platform to remediate individual vulnerabilities, they will simultaneously increase cost, complexity, and risk, and may be unable to fully meet the CMMC requirements without making significant changes.
[Read also: Compliance vs. risk management – Definition and differences]
CMMC isn’t just about passing an audit—it’s about institutionalizing cybersecurity best practices.
Tanium empowers this shift through:
- A single-pane-of-glass view for IT hygiene and compliance workflows
- Measurable configuration and vulnerability benchmarks
- Automated, audit-ready compliance reporting
- Integration with Microsoft, ServiceNow, and other platforms
CMMC 2.0 dropped the separate process-maturity tiers of CMMC 1.0 (from "Performed" up to "Optimizing"), but the progression they described still matters: a practice that is merely performed once is fragile, while one that is documented, managed, and measured is what an assessor can verify and what an organization can sustain between assessments. Continuously improving processes in this way shows that an organization is not just compliant but resilient and proactive.
How Tanium helps organizations achieve CMMC 2.0 compliance
Although Tanium is not a C3PAO assessor, we equip customers with high-fidelity insights into the cyber hygiene required to help stand up a CMMC-compliant IT infrastructure. With Tanium, contractors have a single, unified platform that aligns endpoint management and security, helping to compile data from endpoints.
Our platform offers extensive threat monitoring accompanied by detailed incident analysis, enabling contractors to identify, isolate, and mitigate threats in real time. This simplifies the management of hybrid environments, enhances contractors’ understanding of their surroundings, and allows the DoD community to achieve its ultimate goal of stronger resilience against cyber risks.
From asset discovery to audit-ready reporting, Tanium supports your ability to build a defensible, data-driven compliance posture.
Technical capabilities
Tanium Autonomous Endpoint Management (AEM) addresses numerous CMMC 2.0 compliance requirements by providing:
- Real-time visibility: Continuous endpoint monitoring delivers real-time visibility into the IT environment, enabling strong asset management and security controls aligned with CMMC 2.0.
- Proactive security hygiene: Ongoing assessment and enhancement of endpoint security posture help organizations uphold strong cybersecurity hygiene—an essential component of meeting CMMC 2.0 foundational requirements.
- Automated endpoint management: Automation of patching and configuration tasks to keep systems secure and compliant, which directly supports CMMC 2.0 configuration management and maintenance mandates.
- Intelligent incident response: Rapid detection and mitigation tools enable fast threat resolution, supporting CMMC 2.0 requirements for incident response and risk management.
- Continuous compliance reporting: Generate automated audit-ready reports and trails that satisfy accountability requirements and streamline CMMC assessment readiness.
Control coverage
Control family | Percent coverage* |
---|---|
Risk assessment | 100% |
Configuration management | 75% |
Incident response | 65% |
*Percentages of product coverage are based on current product capabilities relevant to Tanium product offerings and are subject to change as product offerings evolve.
Level 3 controls supported
Control ID | Description |
---|---|
CM.L3-3.4.2e | Automated remediation of unauthorized systems |
CM.L3-3.4.3e | Continuous component inventory |
IA.L3-3.5.3e | Trusted system access policy enforcement |
RA.L3-3.11.3e | Risk analytics and threat prediction |
SI.L3-3.14.6e | Proactive threat intelligence integration |
Strategic benefits
Beyond technical controls, Tanium enables organizations to accelerate CMMC readiness and expand their compliance efforts with:
- SPRS optimization: Continuously monitor compliance posture, pinpoint gaps, and resolve Plan of Action and Milestones (POA&M) items within required timeframes.
- Supply chain compliance enforcement: Monitor subcontractor compliance to ensure fulfillment of critical flow-down requirements.
- Assessment readiness enablement: Deliver the evidence needed to streamline C3PAO and Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) evaluations, helping organizations stay certification-ready.
Tanium helps contractors confidently advance their CMMC compliance journey by aligning with key capability guidelines, enabling continuous reporting, and supporting measurable progress through the model’s maturity tiers.
Frequently asked questions about CMMC
Still wrapping your head around CMMC? We’ve got you covered. These quick-hit answers break down the most common questions and are ideal for getting up to speed without slowing down.
How much does CMMC certification cost?
Costs vary with the level sought, the size of the organization, and how many controls are already in place: from roughly $3,000 for a small Level 1 self-assessment to over $100,000 for a Level 2 C3PAO assessment that requires significant remediation first.
How long does the CMMC certification process take?
Between 3 and 12 months, depending on readiness.
Who must be CMMC certified?
All prime and subcontractors who handle CUI or FCI in the DoD supply chain.
What’s the difference between CMMC 2.0, NIST, and FedRAMP?
Here’s how CMMC 2.0 compares to other major federal cybersecurity frameworks:
Framework | Scope | Required by | Assessment type |
---|---|---|---|
CMMC 2.0 | FCI/CUI protection plus implementation maturity | DoD contractors and subcontractors | Self-assessment (Level 1), C3PAO (Level 2), government-led (Level 3) |
NIST SP 800-171 | CUI protection on nonfederal systems | Any federal agency sharing CUI with contractors (for the DoD, via DFARS 252.204-7012) | Self-assessment, with scores reported to SPRS for DoD contracts |
FedRAMP | Cloud service provider security | Federal agencies procuring cloud services | Third-party assessment with FedRAMP Program Management Office (PMO) oversight |
CMMC 2.0 builds directly on the foundation of NIST SP 800-171, incorporating its 110 controls at Level 2 and adding a subset of NIST SP 800-172 at Level 3. If your organization is already aligned with NIST standards, you’re on the right path—but CMMC adds a maturity model and formal assessment requirements that go beyond self-attestation.
As for FedRAMP, while it focuses on cloud service provider security for federal agencies, there is some overlap in control requirements. Discussions around potential reciprocity between CMMC and FedRAMP have occurred, but as of 2025, no formal agreement exists. Organizations navigating both frameworks may benefit from shared documentation and should monitor updates from the DoD and FedRAMP program offices.
What level is required for CUI?
CMMC Level 2 (Advanced) at minimum; contracts supporting critical DoD programs may require Level 3.
Additional resources
- What is compliance management?
- How we track critical compliance metrics
- PCI DSS compliance checklist
CMMC 2.0 is not just a regulation—it’s a mandate for national security and operational excellence, driven by evolving rulemaking and compliance expectations. Tanium supports you through every step, from initial assessment to continuous improvement.
Tanium empowers defense contractors and subcontractors to meet and exceed CMMC 2.0 requirements with confidence. By combining real-time visibility, automated endpoint management, and proactive risk mitigation, Tanium helps secure sensitive data, reduce IT risk, and sustain long-term operational resilience.
Request a personalized demo to see how Tanium can support your CMMC journey.