What Is Required for CMMC Compliance? The Post-Implementation Guide
If you are reading this, you likely felt the tremors on November 10, 2025. That was the day the Department of Defense (DoD) stopped asking nicely for better security and started demanding it. The Phase 1 rollout of the Cybersecurity Maturity Model Certification (CMMC) is officially live.
For years, contractors treated security requirements like a speed limit, a suggestion everyone ignored until they saw a cop. That era is over. The cop is here, and they are armed with the False Claims Act.
So, what is required for CMMC compliance right now?
It isn't just buying a firewall. It isn't just installing antivirus software. It is a forensic, documented proof of cyber hygiene.
If you want to keep your Defense Industrial Base (DIB) contracts, you need a score in the Supplier Performance Risk System (SPRS). Today. If you don't have one, you are invisible to contracting officers.
This guide strips away the marketing fluff. We will look at the raw legal requirements, the missing paperwork that fails audits, and the exact steps you must take to survive the new regime.
The Core Requirement: Assessment vs. Implementation
Here is where 90% of business owners get confused.
You might think, "I use Microsoft Office and have strong passwords, so I am compliant."
Wrong.
Being secure and being compliant are two different beasts. You can have the most secure network in the world, but if you haven't documented it according to NIST SP 800-171 Rev 2, you will fail.
The core requirement of CMMC is Objective Evidence.
An auditor does not care that you say you do background checks. They want to see the policy that mandates it, the ticket where HR requested it, and the log showing it happened. If it isn't written down, it didn't happen.
Determining Your Requirement Level (FCI vs. CUI)
You cannot build a house if you don't know how many bedrooms you need. Similarly, you cannot budget for compliance until you know your data type. The DoD groups you into three buckets, but we only care about the first two because that’s where 99% of the industry lives.
Level 1 Requirements (FCI)
This is the basement. If you have a federal contract, you have Federal Contract Information (FCI). This is data not intended for the public, like the contract itself or simple emails from the government.
The Requirement:
- 17 Controls: These come from FAR 52.204-21. They are basic. Limit access to authorized users. Sanitize media before disposal. Scan for viruses.
- Assessment: You perform an Annual Self-Assessment.
- The Kicker: There is no Plan of Action allowed here. You pass or you fail. You must affirm your score annually in SPRS.
If you are unsure if you meet these basics, check our CMMC Level 1 compliance checklist before you sign anything.
Level 2 Requirements (CUI)
This is the main event.
If you handle Controlled Unclassified Information (CUI), think blueprints, engineering specs, or technical drawings, you are in the deep end.
The Requirement:
- 110 Controls: You must implement every single control in NIST SP 800-171.
- Assessment:
  - Non-Prioritized Data: You can do a Self-Assessment (for now).
  - Prioritized Data: You need a C3PAO Audit. A certified third-party assessor will physically visit your office.
This jump from Level 1 to Level 2 is massive. It’s the difference between riding a bike and flying a helicopter.
The Big 6 Missing Artifacts (Why Companies Fail)
Most IT providers will sell you software. They love selling software because the margins are high. But software is only half the battle.
I have analyzed dozens of failed mock audits. They almost never fail because the firewall was too weak. They fail because the paperwork was nonexistent. To meet what is required for CMMC compliance, you must produce these six specific artifacts.
1. System Security Plan (SSP)
This is your bible. The SSP describes your environment. It lists every server, every laptop, and every piece of software. More importantly, it explains how you meet each of the 110 controls. No SSP? Automatic failure.
2. Plan of Action & Milestones (POA&M)
You aren't perfect. The government knows that. A POA&M is a fix-it list. It tracks the security gaps you haven't closed yet.
- Critical Note: You cannot put high-risk items on a POA&M. You can't say, "We will install antivirus next year." That won't fly.
3. Shared Responsibility Matrix (SRM)
If you use an MSP or a cloud provider (like Microsoft), you need an SRM. It draws a line in the sand.
- Who patches the server? (Them.)
- Who adds the user? (You.)
- Who reviews the logs? (Usually nobody, which is a problem.)
4. Incident Response Plan (IRP)
When (not if) hackers attack, what do you do? The CMMC requires a tested plan. You need evidence that you ran a tabletop exercise (a simulation) in the last 12 months.
5. Acceptable Use Policies (AUP)
Every employee must sign this. It tells them they cannot plug in a USB drive they found in the parking lot.
6. Network Topology Diagram
You cannot secure what you cannot map. You are required to have a current diagram showing how data flows through your network.
The Technical Requirements (Domain Breakdown)
The NIST 800-171 standard is broken into 14 families. I won't bore you with all of them, but here are the widow-makers: the technical requirements that trip up almost everyone.
Access Control (AC)
You must limit system access to authorized users. This means Multi-Factor Authentication (MFA) is mandatory. Not just for remote access, but for local admin access too. If your sysadmin logs into the server without a token, you fail.
Audit & Accountability (AU)
This is the most expensive requirement. You must collect logs from firewalls, servers, and computers.
- The Catch: You can't just collect them; you have to review them. The requirement says you must look for unlawful or unauthorized activity.
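The review step is the part most shops skip, so here is what "looking for unlawful or unauthorized activity" can mean in practice. This is an added example, not code from the original post or from any vendor: a small review script that parses constructed log lines (the line format, host names, user names, the `/cui/` share path, the allow-list and the thresholds are all assumptions for the example) and flags three patterns an assessor would expect you to be watching for: repeated failed logins from one source, admin logins outside business hours, and access to CUI files by an account that is not on the authorized list.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not from any real system). The assumed format is
# "<ISO timestamp> <host> <event> user=<name> src=<ip> [path=<file>]".
SAMPLE_LOG = """\
2025-11-10T08:55:01 fw01 auth_fail user=jsmith src=10.0.5.23
2025-11-10T08:55:09 fw01 auth_fail user=jsmith src=10.0.5.23
2025-11-10T08:55:15 fw01 auth_fail user=jsmith src=10.0.5.23
2025-11-10T08:55:21 fw01 auth_fail user=jsmith src=10.0.5.23
2025-11-10T08:55:30 fw01 auth_fail user=jsmith src=10.0.5.23
2025-11-10T08:55:41 fw01 auth_ok user=jsmith src=10.0.5.23
2025-11-10T09:10:02 srv01 file_access user=mlee src=10.0.5.40 path=/cui/drawings/part-77.dwg
2025-11-10T23:42:17 srv01 admin_login user=svc_backup src=10.0.5.9
2025-11-10T11:03:55 srv01 file_access user=contractor7 src=10.0.5.88 path=/cui/specs/eng-spec.pdf
2025-11-10T12:00:00 srv01 auth_ok user=mlee src=10.0.5.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+)(?: path=(?P<path>\S+))?$"
)

# Assumed review parameters: who may touch the CUI share, how many failures in a
# row look like guessing, and what counts as business hours (07:00 to 18:59).
CUI_AUTHORIZED = {"mlee", "jsmith"}
FAILED_LOGIN_THRESHOLD = 5
BUSINESS_HOURS = range(7, 19)


def parse_log(text):
    """Turn raw lines into dicts; lines that do not match the format are skipped
    here, but a real review should count and report them as well."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def review_logs(records):
    """Return a list of (finding_type, user, detail) tuples for the reviewer."""
    findings = []
    failures = Counter()  # (user, source ip) -> number of failed logins
    for r in records:
        if r["event"] == "auth_fail":
            failures[(r["user"], r["src"])] += 1
        # Privileged logins at odd hours deserve a ticket, even if they turn out
        # to be a legitimate backup job.
        if r["event"] == "admin_login" and r["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours_admin", r["user"], r["ts"].isoformat()))
        # Anyone outside the allow-list reading the CUI share is unauthorized
        # access by definition, whether or not the file server let it through.
        if (r["event"] == "file_access" and r["path"]
                and r["path"].startswith("/cui/")
                and r["user"] not in CUI_AUTHORIZED):
            findings.append(("unauthorized_cui_access", r["user"], r["path"]))
    for (user, src), n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("brute_force_pattern", user, f"{n} failures from {src}"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review_logs(parse_log(SAMPLE_LOG)):
        print(f"{kind:24} {user:12} {detail}")
```

The point for the audit is not the script but the trail it leaves: run something like this on a schedule, keep the output and the ticket opened for each finding, and you have the objective evidence that the logs were actually reviewed, not just stored.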
Identification & Authentication (IA)
Passwords must be complex. But more importantly, you need FIPS 140-2 Validated Encryption. This is a specific government standard for cryptography. If your VPN uses standard encryption that isn't FIPS-validated, it is non-compliant.
Media Protection (MP)
Do you use USB drives? If yes, they must be encrypted. Or better yet, ban them entirely.
If you are drowning in these acronyms, you might need professional cyber security compliance services to translate this into English for your IT team.
The People Requirements
Technology breaks, but people are the weakest link. The CMMC has strict requirements for the humans in your building.
Screening: You must screen individuals before granting access to CUI. This usually means a background check. Are your IT staff US citizens? If you outsource IT to an offshore team, you have a major problem. Foreign nationals generally cannot handle export-controlled data (ITAR).
Training: Every single employee must undergo security awareness training.
- They must be trained on Insider Threats.
- They must be trained on how to spot a phishing email.
- Evidence: You need a sign-in sheet or a certificate showing they took the class.
The Assessment Process: What to Expect
So, you built the network. You wrote the SSP. Now what?
First, you score yourself. You log into SPRS and enter your score. The perfect score is 110.
- You start at 110.
- You subtract points (usually -3 or -5) for every control you miss.
- Be honest. If the DoD audits you and finds you lied, the Department of Justice gets involved.
For Level 2 assessments involving critical data, you must hire a C3PAO (Certified Third-Party Assessment Organization).
They will send a team to your facility. They will interview your receptionist. They will ask your engineer to show them the firewall configurations. It is invasive. It is stressful. But it is the only way to get the certification.
Cost of Compliance Requirements
Let’s address the elephant in the room. This is expensive.
For a small business (under 50 employees) aiming for Level 2, the costs are significant.
- Consulting: Expect to pay for a Gap Analysis and help writing the SSP.
- Technology: You will likely need to migrate to Microsoft 365 GCC High (the government cloud). That license cost is about 40% higher than the commercial version.
- Hardware: You might need new firewalls that support FIPS encryption.
For a detailed look at the numbers, read our full CMMC compliance cost breakdown. It helps you explain the budget to your CFO.
FAQ: CMMC Requirements
Does this apply to subcontractors? Yes. The requirements flow down. If a Prime Contractor hands you CUI, you must protect it with the same rigor they do.
Can I use a standard Gmail account? Absolutely not. Standard free email services do not meet the encryption or data sovereignty requirements for CUI.
What happens if I just ignore this? You won't go to jail immediately, but you will lose revenue. Contracting officers are now checking SPRS scores before awarding contracts. No score? No deal.
Do I need an external consultant? Technically, no. You can do it all in-house. But unless you have a dedicated compliance officer, it is incredibly difficult to interpret the legal nuance of NIST 800-171 alone. Many companies look for CMMC compliance services to speed up the process.
Conclusion: The Show Me Era
The time for debate is over. The time for action is now.
The Department of Defense has moved into the Show Me era. They don't trust your word; they trust your evidence. What is required for CMMC compliance is simply the proof that you are a safe partner.
You can view this as a bureaucratic nightmare, or you can view it as a barrier to entry that protects your business. When your competitors fail to get their SPRS score, you will be the last one standing to take the contract.
Don't let a missing document destroy your eligibility. Start your Gap Analysis today.
If you need help navigating the maze of artifacts and controls, Defend My Business is ready to help. We turn compliance anxiety into audit readiness.