What is CMMC 2.0 compliance, and what steps does a SaaS team need to take to pass an audit?
CMMC 2.0 is the Department of Defense Cybersecurity Maturity Model Certification program—the yardstick it uses to confirm that contractors can protect CUI.
- Implement every one of the 110 NIST SP 800-171 controls inside your defined CUI boundary.
- Document the “how”—clear policies, procedures, and a System Security Plan that map each control to real systems and owners.
- Collect live evidence. Gather screenshots, configuration exports, and log excerpts that prove those controls work day after day. A compliance-automation platform such as Vanta can pull these artifacts straight from your cloud and identity stack, align each one to its NIST 800-171 outcome, and automate up to half of the CMMC evidence workload.
- Follow the DoD cadence: for Level 2 contracts that involve non-critical CUI, file a self-assessment in the Supplier Performance Risk System (SPRS) every three years and an executive affirmation every year; when the contract handles CUI deemed critical to national security, earn a third-party C3PAO certificate every three years, again with annual affirmations.
Hit all four checkpoints, and your team is audit-ready.

Why did the DoD roll out CMMC 2.0?
The Department of Defense introduced CMMC 2.0 to raise the baseline for cybersecurity across the defense supply chain while making the program more practical for businesses of all sizes. Early iterations of CMMC were criticized for complexity: five maturity levels, overlapping requirements, and uneven expectations between primes and subcontractors. CMMC 2.0 streamlines this by consolidating to three levels, directly aligning Level 2 with NIST SP 800-171. That alignment matters.
NIST 800-171 has been the government’s de facto standard for protecting CUI in non-federal systems for years, and many contractors were already measuring themselves against it. By explicitly mapping Level 2 to those 110 practices, the DoD reduced ambiguity and allowed companies to leverage existing investments, training, and documentation.
Another driver was right-sizing the assessment burden. Not every contract involves the same level of risk. CMMC 2.0 acknowledges that reality by allowing self-assessments for Level 1 and for certain Level 2 contracts that handle non-critical CUI, while reserving third-party assessments conducted by a C3PAO for work tied to national security priorities. This risk-based approach lowers costs for some suppliers without weakening protection for the most sensitive programs.
The model also introduces measured flexibility through Plans of Action & Milestones (POA&Ms): a contractor can be awarded conditional status while it closes lower-weight gaps within 180 days. That flexibility is not a loophole. Five-point requirements such as multi-factor authentication and audit logging must be fully implemented before the assessment, and the score must already be at least 88 out of 110; the rule simply recognizes that most organizations improve in increments.
The net effect is a framework that is simpler, clearer, and better calibrated to real operational risk, while still raising the floor on security across tens of thousands of companies. It has also spurred a wave of compliance software that turns the 110 practices into continuously monitored checks.
How does CMMC 2.0 interact with FedRAMP or ISO 27001?
CMMC sits alongside FedRAMP and ISO 27001, each covering a distinct slice of federal or global security compliance.
- FedRAMP – cloud services for any federal agency. It draws on NIST SP 800-53; the Moderate baseline runs to roughly 325 controls (323 in the Rev 5 baseline). If your SaaS is offered directly to civilian or DoD users as a managed service, you will likely need FedRAMP in addition to CMMC.
- CMMC – defense-specific data protection. Level 2 maps one-for-one to the 110 NIST 800-171 controls that safeguard Controlled Unclassified Information inside your defined CUI boundary.
- ISO 27001 – global management-system proof. The 2022 revision trimmed Annex A down to 93 controls across four themes. ISO shows you run a disciplined information-security program; CMMC still expects to see every 800-171 technical outcome satisfied where CUI lives.
Work you have already completed for ISO, SOC 2, or FedRAMP rarely goes to waste; password policies, incident-response playbooks, and encryption settings map cleanly to many 800-171 requirements. The key difference: FedRAMP and ISO certify your overall environment, while CMMC auditors focus on the systems and people that handle DoD data.
Which companies must comply with CMMC 2.0 Level 1 vs. Level 2?
If you handle only Federal Contract Information, you fall under Level 1; the moment you work with Controlled Unclassified Information, you move to Level 2.
Your required level depends on the data you manage and the wording in your DoD contract.
Level 1: Federal Contract Information only.
If you touch nothing more sensitive than FCI, you remain at Level 1. That means putting 15 basic safeguards from FAR 52.204-21 in place, completing a self-assessment once a year, and filing an executive affirmation in the Supplier Performance Risk System (SPRS). A significant number of contractors—largely providers of commodity goods and routine services—sit in this bucket.
Level 2: Controlled Unclassified Information.
The moment you store, process, or transmit CUI—think application data, support logs, or integration payloads—you graduate to Level 2. You must implement all 110 NIST 800-171 controls and, for contracts labeled non-critical, submit a self-assessment every three years with annual affirmations.
If the CUI is critical to national security, a C3PAO audit is required on the same three-year cadence. A substantial number of contractors—including most SaaS vendors in the Defense Industrial Base—are expected to land here.
Level 3 (rare but real).
A small slice of suppliers that handle the most sensitive CUI will need Level 3, which requires a current Level 2 C3PAO certification first, adds 24 selected NIST SP 800-172 requirements, and is assessed by the government (DCMA's DIBCAC). Unless your customer states otherwise, plan for Level 2 and build from there.
In practice, Level 2 is more than “Level 1 plus extra boxes.” You will define a tight CUI boundary, harden the systems inside it, and keep real-time evidence ready for the moment an auditor or a prime contractor starts asking questions.
Do subcontractors also need Level 2 certification?
Yes. CMMC requirements cascade through the entire supply chain. DFARS 252.204-7021(c) tells primes to insert “the substance of this clause…in all subcontracts” and to confirm that each sub holds a current certificate at the correct level before award.
Primes now run CMMC checks during vendor onboarding because bringing in a non-compliant sub can stall a program. Even if you are two or three tiers away from the DoD customer, handling CUI means you still need the same Level 2 badge.
What are the core requirements of CMMC 2.0 Level 2?
CMMC Level 2 requires all 110 NIST 800-171 controls, clear documentation, and a defined assessment schedule.
Level 2 aligns with the 110 security controls in NIST SP 800-171, grouped into 14 control families such as Access Control, Identification & Authentication, Configuration Management, and Incident Response. For a SaaS environment, that usually translates to:
- Strong identity management: company-wide multi-factor authentication and least-privilege roles.
- Validated encryption: FIPS-approved algorithms for data at rest and in transit.
- Centralized, tamper-protected logging: long-term retention plus alerting.
- Patch and vulnerability management: documented timelines and proof of closure.
- Secure SDLC: code review, dependency scanning, and change tracking.
- Incident response drills: roles, runbooks, and post-mortem evidence.
- Security awareness training: annual sessions with recorded attendance.
Controls alone are not enough. Documentation guides the assessor.
- System Security Plan (SSP): defines your CUI boundary, data flows, and inherited cloud controls.
- Policies and procedures: the step-by-step rules your team follows.
- Evidence artifacts: screenshots, configuration exports, and ticket trails kept current rather than captured only during “audit week.”
Cadence also matters. Under the final CMMC rule:
- Every three years: a C3PAO audit for critical CUI or a self-assessment for non-critical CUI.
- Every year: an executive affirmation uploaded to the Supplier Performance Risk System (SPRS).
- Within 180 days: close the gaps listed in your Plan of Action and Milestones (POA&M), verified by a closeout assessment. Only 1-point requirements can sit on the POA&M (FIPS-validated cryptography, 3.13.11, is the single higher-weight exception, and only when you already encrypt with non-validated algorithms), so MFA, logging, and the other 5-point items must already be live.
Meet these checkpoints and you can show an assessor that each of the 110 outcomes works inside the scope you defined.
How do you scope your environment for a CMMC 2.0 audit?

You scope by mapping every CUI data flow, pulling all related systems into a documented boundary, and locking that boundary before the audit.
Scoping is where most CMMC programs succeed or fail. Your goal is to draw a CUI boundary tight enough to manage yet broad enough to cover every system, user, and vendor that touches DoD data.
- Map the data first. Label each data type as FCI or CUI, then trace where it enters, moves, and exits (production app, database, support tools, CI/CD, backups, monitoring, identity provider). Unclear data-flow diagrams are a common cause of failed scoping reviews.
- Look for CUI hiding in plain sight. Support tickets, debug logs, and developer snapshots often store snippets of CUI. If a system can expose sensitive content, pull it inside the boundary.
- Shrink with an enclave. Create a dedicated cloud account or tenant hardened for CUI. This lets you apply the 110 controls to a smaller set of resources and makes shared-responsibility mapping with AWS, Azure, or GCP easier to document.
- Record and stick to the boundary. Lock your decisions into the System Security Plan (SSP), categorizing each asset with the DoD Level 2 Scoping Guide's categories (CUI assets, security protection assets, contractor risk managed assets, specialized assets, out-of-scope assets); the first two are assessed against every applicable requirement. Frequent scope changes erode assessor confidence and multiply evidence work.
- Decide early on assessment type. Determine whether the contract allows a self-assessment or requires a C3PAO audit. That choice drives budget, timelines, and when to book an assessor; appointment slots fill up months in advance.
A quick visual helps: create a simple diagram showing the CUI enclave (app, database, logging, identity, CI/CD, backups, vendor integrations) with arrows for data flows.
Get the scope right from the start and you will cut cost, reduce risk, and give your assessor a clear story to validate.
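The scoping check below is an added example, not code from the article or from any assessment tool. It takes a constructed inventory of systems and the flows between them, derives the boundary the data actually requires, and compares it with the boundary the team declared in its SSP; the propagation rule (anything that receives CUI from an in-scope system, or can administer one, is in scope) is a reading of the scoping guidance above, not a DoD-defined algorithm, and every system name is hypothetical. It also emits the Graphviz DOT source for the data-flow diagram recommended above.

```python
"""Scoping check: derive the required CUI boundary from data flows and admin
access, then compare it with the boundary declared in the SSP.

Added example, not from the article. The inventory, system names, and flows
are constructed; the propagation rule is a reading of the article's scoping
advice plus the DoD scoping guide's treatment of assets that can administer
CUI systems, not a DoD-defined algorithm.
"""
from typing import Dict, List, Set, Tuple

# Constructed inventory: what each system stores and whether the SSP lists it.
SYSTEMS: Dict[str, dict] = {
    "prod-app":       {"stores": "cui",  "declared_in_boundary": True},
    "prod-db":        {"stores": "cui",  "declared_in_boundary": True},
    "backups":        {"stores": "none", "declared_in_boundary": True},
    "ci-cd":          {"stores": "none", "declared_in_boundary": True},
    "support-desk":   {"stores": "none", "declared_in_boundary": False},
    "debug-logs":     {"stores": "none", "declared_in_boundary": False},
    "marketing-site": {"stores": "fci",  "declared_in_boundary": False},
}

# (source, destination, kind): "cui" = the flow can carry CUI,
# "fci" = FCI only, "admin" = source can administer the destination.
FLOWS: List[Tuple[str, str, str]] = [
    ("prod-app", "prod-db", "cui"),
    ("prod-db", "backups", "cui"),
    ("prod-app", "debug-logs", "cui"),     # stack traces include request bodies
    ("prod-app", "support-desk", "cui"),   # customers attach exports to tickets
    ("marketing-site", "prod-app", "fci"),
    ("ci-cd", "prod-app", "admin"),        # deploy credentials reach production
]


def cui_scope(systems: Dict[str, dict], flows: List[Tuple[str, str, str]]) -> Set[str]:
    """Systems that must be inside the boundary: anything storing CUI, anything
    that receives CUI from an in-scope system, and anything that can administer
    an in-scope system. Computed as a fixpoint over the flow list."""
    in_scope = {name for name, meta in systems.items() if meta["stores"] == "cui"}
    changed = True
    while changed:
        changed = False
        for src, dst, kind in flows:
            if kind == "cui" and src in in_scope and dst not in in_scope:
                in_scope.add(dst)
                changed = True
            elif kind == "admin" and dst in in_scope and src not in in_scope:
                in_scope.add(src)
                changed = True
    return in_scope


def scoping_gaps(systems: Dict[str, dict], flows: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """underscoped: touches CUI but is missing from the SSP boundary (the
    mid-audit surprise). overscoped: declared but never touches CUI (controls
    paid for on assets that do not need them)."""
    required = cui_scope(systems, flows)
    declared = {n for n, m in systems.items() if m["declared_in_boundary"]}
    return {
        "underscoped": sorted(required - declared),
        "overscoped": sorted(declared - required),
    }


def to_dot(systems: Dict[str, dict], flows: List[Tuple[str, str, str]]) -> str:
    """Graphviz DOT source for the data-flow diagram; in-scope systems are
    drawn solid, everything else dashed."""
    required = cui_scope(systems, flows)
    lines = ["digraph cui_boundary {", "  rankdir=LR;"]
    for name in systems:
        style = "solid" if name in required else "dashed"
        lines.append(f'  "{name}" [style={style}];')
    for src, dst, kind in flows:
        lines.append(f'  "{src}" -> "{dst}" [label="{kind}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(scoping_gaps(SYSTEMS, FLOWS))
    print(to_dot(SYSTEMS, FLOWS))
```

On the constructed inventory the two systems the article warns about (debug logs and the support desk) come back as underscoped, the marketing site stays out because its only flow is FCI, and CI/CD is pulled in through its administrative access rather than through data. Pipe the DOT output through `dot -Tsvg` to get the diagram.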
Step-by-step gap-analysis checklist
A simple five-step checklist helps you spot gaps, rate risk, and lock a closure plan before auditors arrive.
- Pull the source material. Download the official NIST SP 800-171 control list and the DoD Assessment Guide. These documents are the yardsticks your assessor will use.
- Walk the environment, control by control. Confirm MFA on every account, check encryption settings, verify log retention, scan for unpatched hosts, and review secure-dev-ops practices. Capture evidence (screenshots with timestamps, configuration exports, ticket IDs) as you go; the running log saves you from a last-minute push.
- Score yourself in SPRS. Start at 110 points. For every control not met, subtract 5, 3, or 1 point depending on its weight in the DoD Assessment Methodology; the floor is -203 if nothing is implemented, and a handful of missing 5-point controls is enough to drop below the 88 needed for conditional status. Record the number in the Supplier Performance Risk System; many RFPs require it.
- Build a Plan of Action & Milestones (POA&M). List each gap, the owner, the fix, and a realistic due date inside the 180-day window. Remember that only 1-point requirements qualify; MFA and the other 5-point controls must be met before the assessment.
- Rehearse. Four to six weeks before the audit, run a readiness review. Walk through every control, show the evidence, and resolve anything that feels shaky.
A structured gap analysis—score, plan, rehearse—keeps the project on schedule and gives leadership hard data to fund the remaining work.
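The scoring and POA&M split from the checklist above, as an added example rather than code from the article or from SPRS: the point values are a subset of the DoD Assessment Methodology table (the full 110-entry table is in its Annex A), the assessment result is constructed, and the POA&M eligibility rule is my reading of the CMMC final rule (32 CFR 170.21), which you should confirm against the rule text before relying on it.

```python
"""SPRS / DoD Assessment score and POA&M eligibility for a gap-analysis result.

Added example, not from the article. WEIGHTS is a subset of the DoD Assessment
Methodology table; SAMPLE_RESULTS is constructed; the POA&M eligibility rule is
a reading of 32 CFR 170.21 and should be checked against the rule text.
"""
from typing import Dict

# Subset of the DoD weighting table: requirement id -> points deducted when not met.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.3.2": 3,
    "3.4.1": 5, "3.4.2": 5,
    "3.5.3": 5,                 # multifactor authentication
    "3.11.2": 5, "3.12.4": 3,
    "3.13.8": 3, "3.13.11": 5,  # FIPS-validated cryptography
    "3.13.16": 1,
    "3.14.1": 5, "3.14.6": 5,
}

# The methodology gives partial credit on exactly two requirements: MFA in place
# for remote/privileged users but not everyone, and encryption in place but not
# FIPS-validated. Both deduct 3 instead of 5.
PARTIAL_CREDIT: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

MAX_SCORE = 110
MIN_SCORE = -203            # every one of the 110 requirements unmet
CONDITIONAL_THRESHOLD = 88  # 80% of 110: minimum for conditional Level 2 status

# Reading of 32 CFR 170.21 (assumption, verify): only 1-point requirements may
# sit on a POA&M, except these five, which must be met; 3.13.11 may be on the
# POA&M when it scores 3 (encryption present but not FIPS-validated).
POAM_BARRED_ONE_POINTERS = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


def sprs_score(results: Dict[str, str], weights: Dict[str, int] = WEIGHTS) -> int:
    """results maps requirement id -> 'met' | 'partial' | 'not_met'.
    Anything not recorded is treated as a gap: an assessor gives no credit
    for a requirement you have no evidence for."""
    deduction = 0
    for req, weight in weights.items():
        status = results.get(req, "not_met")
        if status == "met":
            continue
        if status == "partial" and req in PARTIAL_CREDIT:
            deduction += PARTIAL_CREDIT[req]
        else:
            deduction += weight
    return max(MIN_SCORE, MAX_SCORE - deduction)


def poam_eligible(req: str, status: str, weights: Dict[str, int] = WEIGHTS) -> bool:
    """Whether an unmet requirement may be deferred to the 180-day POA&M."""
    if status == "met":
        return False
    if req == "3.13.11" and status == "partial":
        return True
    return weights[req] == 1 and req not in POAM_BARRED_ONE_POINTERS


def gap_plan(results: Dict[str, str], weights: Dict[str, int] = WEIGHTS) -> dict:
    """Split the gaps into what can wait on a POA&M and what must be fixed
    before the assessment, and say whether the score clears the bar."""
    gaps = [r for r in weights if results.get(r, "not_met") != "met"]
    score = sprs_score(results, weights)
    status_of = lambda r: results.get(r, "not_met")
    return {
        "score": score,
        "conditional_status_possible": score >= CONDITIONAL_THRESHOLD,
        "poam": sorted(r for r in gaps if poam_eligible(r, status_of(r), weights)),
        "must_fix": sorted(r for r in gaps if not poam_eligible(r, status_of(r), weights)),
    }


# Constructed gap-analysis result for the subset above.
SAMPLE_RESULTS: Dict[str, str] = {
    **{r: "met" for r in WEIGHTS},
    "3.5.3": "partial",    # MFA on VPN and admin accounts only
    "3.3.2": "not_met",    # audit records not tied to individual users
    "3.1.20": "not_met",   # external connections not inventoried
    "3.13.16": "not_met",  # one volume unencrypted at rest
}

if __name__ == "__main__":
    print(gap_plan(SAMPLE_RESULTS))
```

For the constructed result the score is 102, comfortably above 88, yet only the unencrypted volume (3.13.16) can go on the POA&M; the partial MFA rollout, the audit-record gap, and the external-connection inventory all have to be closed before the assessor arrives. Swap in the full weighting table and your own statuses to get a real number.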
Where can automation reduce CMMC workload?
Automation keeps controls running daily, supplies fresh evidence, and frees your team for real security work.
- Continuous guardrails. Connect your cloud accounts, identity provider, and endpoints to an automation platform. The software checks, on a schedule you set, that MFA is still enforced, encryption is still on, and logs are still flowing. When something drifts it opens a ticket, tracks closure, and gives you an auditable trail. National initiatives like Australia’s 2030 cyber vision already view this form of continuous compliance as a baseline expectation.
- Evidence on autopilot. Instead of capturing dashboard screenshots every quarter, let the platform export dated reports that map directly to each of the 110 controls. Automated evidence collection can significantly cut audit-prep time and trim compliance overhead.
- Shift-left checks in CI/CD. Add policy tests to your build pipeline or Terraform plans. A commit that disables encryption or opens a public port fails the build, so poor configuration never reaches production.
- Fewer urgent scrambles, more focus. Teams that automate report saving significant staff-hours a month on manual tracking. That time can fund real security improvements instead of screenshot management.
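A shift-left policy test of the kind described above, as an added example that is not from the article or from any particular policy tool. It reads the JSON that `terraform show -json tfplan` produces and fails the build when a change opens a port to the world or creates unencrypted storage. The plan document is constructed to match the shape of Terraform's plan output (trimmed to the fields read here); the policy itself (only TCP 443 may be public, every storage resource encrypted) and the mapping of findings to NIST SP 800-171 requirement ids are choices made for this example.

```python
"""Pre-deploy policy test over `terraform show -json` output.

Added example, not from the article. SAMPLE_PLAN is constructed in the shape
of Terraform's JSON plan; the policy and the 800-171 mapping are choices for
this example. Exit status 1 fails the CI job.
"""
import json
import sys
from typing import Dict, List

# Constructed plan, trimmed to the fields the checks read.
SAMPLE_PLAN: Dict = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_security_group.app", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"name": "app", "ingress": [
             {"protocol": "tcp", "from_port": 443, "to_port": 443,
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": ["::/0"]},
             {"protocol": "tcp", "from_port": 22, "to_port": 22,
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
         ]}}},
        {"address": "aws_db_instance.cui", "type": "aws_db_instance",
         "change": {"actions": ["create"],
                    "after": {"identifier": "cui-db", "storage_encrypted": False}}},
        {"address": "aws_ebs_volume.logs", "type": "aws_ebs_volume",
         "change": {"actions": ["update"], "after": {"encrypted": True, "size": 200}}},
        {"address": "aws_ebs_volume.scratch", "type": "aws_ebs_volume",
         "change": {"actions": ["delete"], "after": None}},
    ],
}

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
ALLOWED_PUBLIC_PORTS = {443}   # the SaaS front door; everything else stays private

ENCRYPTION_FLAGS = {           # resource type -> attribute that must be true
    "aws_db_instance": "storage_encrypted",
    "aws_ebs_volume": "encrypted",
}


def public_ingress(rule: dict) -> bool:
    """True when the rule exposes anything beyond the allowed ports to the internet."""
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    if not cidrs & PUBLIC_CIDRS:
        return False
    if rule.get("protocol") == "-1":        # all protocols, all ports
        return True
    ports = range(int(rule["from_port"]), int(rule["to_port"]) + 1)
    return any(p not in ALLOWED_PUBLIC_PORTS for p in ports)


def check_plan(plan: Dict) -> List[Dict[str, str]]:
    """One finding per violation; an empty list means the plan passes."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after")
        if after is None:                     # pure delete: nothing exists after apply
            continue
        rtype, addr = rc["type"], rc["address"]
        if rtype == "aws_security_group":
            for rule in after.get("ingress") or []:
                if public_ingress(rule):
                    findings.append({"address": addr, "requirement": "3.13.6",
                                     "detail": f"public ingress on {rule.get('protocol')} "
                                               f"{rule.get('from_port')}-{rule.get('to_port')}"})
        elif rtype in ENCRYPTION_FLAGS:
            flag = ENCRYPTION_FLAGS[rtype]
            # A value still unknown at plan time is absent from `after`; treat
            # that as a failure rather than assume the provider default.
            if after.get(flag) is not True:
                findings.append({"address": addr, "requirement": "3.13.16",
                                 "detail": f"{flag} is not true"})
    return findings


def load_plan(path: str) -> Dict:
    with open(path) as fh:
        return json.load(fh)


def main(argv: List[str]) -> int:
    plan = load_plan(argv[1]) if len(argv) > 1 else SAMPLE_PLAN
    findings = check_plan(plan)
    for f in findings:
        print(f"FAIL {f['address']}: {f['detail']} (NIST SP 800-171 {f['requirement']})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `terraform plan -out tfplan && terraform show -json tfplan > plan.json && python check_plan.py plan.json` in the pipeline. On the constructed plan the SSH rule and the unencrypted database fail the build while the public 443 listener and the already-encrypted volume pass; the findings carry the 800-171 id (3.13.6 deny-by-default, 3.13.16 CUI at rest) so the failed job itself is evidence of the control operating.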
Bottom line: continuous automation keeps you compliant between audits, slashes prep time, and produces fresh evidence on demand, so your next C3PAO review feels routine rather than rushed.
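The scheduled guardrail and dated-evidence steps above, as an added example rather than code from the article or from any compliance platform: it turns an IAM credential report into evidence records that name the NIST SP 800-171 requirement, carry a timestamp, and carry a hash of the raw export so an assessor can tie the record back to the artifact on file. The report is constructed in the column layout of an AWS IAM credential report, trimmed to the columns these checks read (111122223333 is AWS's documentation account id); the requirement mapping and the 90-day inactivity window are choices made for this example.

```python
"""Evidence on a schedule: IAM credential report -> dated, hashed evidence
records mapped to NIST SP 800-171 requirement ids.

Added example, not from the article or any product. SAMPLE_REPORT is a
constructed report in the AWS credential-report column layout, trimmed to the
columns used here; the mapping and the 90-day window are choices for this example.
"""
import csv
import hashlib
import io
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

SAMPLE_REPORT = """user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,2025-03-01T08:00:00+00:00,true,false
alice,arn:aws:iam::111122223333:user/alice,true,2025-03-09T12:00:00+00:00,true,true
bob,arn:aws:iam::111122223333:user/bob,true,2025-03-08T09:30:00+00:00,false,false
carol,arn:aws:iam::111122223333:user/carol,true,2024-10-01T07:00:00+00:00,true,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,no_information,false,true
"""

# Fixed "now" so the sample run is reproducible; a scheduled job uses datetime.now(timezone.utc).
SAMPLE_AS_OF = datetime(2025, 3, 10, tzinfo=timezone.utc)
INACTIVITY_LIMIT = timedelta(days=90)


def console_users(rows: List[dict]) -> List[dict]:
    # The root row reports password_enabled=not_supported but always has console access.
    return [r for r in rows if r["password_enabled"] in ("true", "not_supported")]


def check_mfa(rows: List[dict]) -> List[str]:
    """3.5.3: every console-capable principal, root included, has MFA active."""
    return sorted(r["user"] for r in console_users(rows) if r["mfa_active"] != "true")


def check_inactive(rows: List[dict], as_of: datetime) -> List[str]:
    """3.5.6: console users whose password has not been used inside the window.
    Keys-only principals (password_enabled=false) need a separate key-age check."""
    stale = []
    for r in console_users(rows):
        last = r["password_last_used"]
        if last in ("no_information", "N/A"):
            stale.append(r["user"])          # never used counts as inactive
        elif as_of - datetime.fromisoformat(last) > INACTIVITY_LIMIT:
            stale.append(r["user"])
    return sorted(stale)


def collect_evidence(report_csv: str, as_of: datetime) -> Dict[str, dict]:
    """One evidence record per requirement, each tied to the raw export by hash."""
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    digest = hashlib.sha256(report_csv.encode()).hexdigest()
    checks = {
        "3.5.3": check_mfa(rows),
        "3.5.6": check_inactive(rows, as_of),
    }
    return {
        req: {
            "requirement": req,
            "collected_at": as_of.isoformat(),
            "source": "iam-credential-report",
            "source_sha256": digest,
            "status": "pass" if not findings else "fail",
            "findings": findings,
        }
        for req, findings in checks.items()
    }


def run_sample() -> Dict[str, dict]:
    return collect_evidence(SAMPLE_REPORT, SAMPLE_AS_OF)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Against the constructed report the MFA record fails on bob and the inactivity record fails on carol; each record is a JSON document you can drop into the evidence repository folder for its requirement, and the failing one is what the drift ticket should be opened from. Store the raw export alongside it so the hash can be verified later.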
Timeline: 30-day action plan to reach audit-readiness
A focused first 30 days sets a solid foundation and keeps your program on schedule.

Most Level 2 programs take six months or more, but hitting these early milestones proves momentum to leadership and primes.
Week 1 (Days 1–7) – Draw the map.
- Finalize the CUI boundary and decide whether the contract requires a self-assessment or a C3PAO audit.
- Build a master inventory of in-scope systems and identities.
- Spin up a version-controlled evidence repository keyed to the 110 controls so every screenshot lands in the right folder the moment you take it.
Week 2 (Days 8–14) – Close the biggest risks.
- Enforce multi-factor authentication for every user, including break-glass and service accounts.
- Turn on validated encryption for data at rest and in transit; document key-management settings.
- Centralize logs, set retention to at least 90 days hot plus 365 days cold, and turn on tamper protection.
Together these three moves are worth roughly 25 points in the DoD weighting tables (MFA and audit logging are 5-point requirements each; the encryption requirements span 5-, 3-, and 1-point items).
Week 3 (Days 15–21) – Put it on paper.
- Publish concise, role-based policies (access control, incident response, change management, secure dev-ops).
- Draft or update the System Security Plan so it mirrors the real boundary.
- Run a tabletop incident drill; capture minutes and action items as evidence.
Week 4 (Days 22–30) – Test and book the audit.
- Calculate your SPRS score and lock a POA&M with owners and funded due dates.
- Conduct a readiness review against the DoD Assessment Guide; patch any lingering gaps.
- If you need a C3PAO, start scheduling now; assessor lead times commonly run several months. Holding a tentative date signals maturity to primes and contracting officers.
After Day 30 you will not be “done,” but you will have a working evidence engine, a high-impact control baseline, and a clear path to full certification.
Common pitfalls and how to dodge them
Avoid four repeat offenders that inflate cost, drain time, and delay certification.
- Scoping blind spots. Underscope and an assessor will force you to add systems mid-audit, which raises costs and delays certification. Overscope, and you pay to secure assets that never touch CUI. Map data flows first, then lock the boundary in your SSP.
- Screenshot fatigue. One-off screen grabs age quickly. Automate evidence exports and time-stamp them; firms that adopt automation often report a significant reduction in prep time.
- Late start on long-lead items. MFA licenses, endpoint agents, and C3PAO bookings all take time. C3PAO lead times commonly run several months, so start the scheduling conversation while you are still closing gaps.
- Policy-culture mismatch. If the written rulebook does not match how your engineers work, auditors will notice. Write concise, role-based policies, then embed them into pull-request templates and agile ceremonies so practice matches paper.
Mini FAQ
How long does CMMC Level 2 actually take?
Most midsize SaaS teams should plan for six to twelve months from first gap analysis to certification, assuming you have a solid security baseline and leadership support. The biggest schedule drivers are closing high-impact gaps (like MFA and encryption), writing and socializing policies, and securing a C3PAO slot if your contract requires third-party certification.
Can we self-assess for Level 2, or do we need a C3PAO?
It depends on the contract. If the work involves non-critical CUI, the DoD allows a Level 2 self-assessment with an annual executive affirmation. If the CUI is deemed critical to national security, a triennial third-party assessment by a C3PAO is mandatory.
Many teams prepare to the same standard either way so they can pivot as contract language evolves.
Do cloud providers’ controls count as “inherited”?
Yes, and you should document them explicitly. In your System Security Plan, map which 800-171 outcomes you inherit from AWS, Azure, or GCP and which ones you implement. Be precise about boundaries and shared responsibility; assessors will expect to see provider attestations and your own configuration evidence.
What happens if we don’t pass on the first try?
You’ll receive findings tied to specific controls. Gaps that qualify for a POA&M get 180 days and a closeout assessment; 5-point safeguards must be fixed before certification is awarded.
Most organizations close issues within weeks by tightening scope, finishing documentation, or correcting misconfigurations, then provide updated evidence for closure.
Conclusion
CMMC 2.0 raises the bar for cybersecurity across the defense supply chain while simplifying expectations. For most SaaS vendors, Level 2 is the destination, grounded in the 110 controls of NIST SP 800-171. Success hinges on a well-defined CUI boundary, disciplined implementation of controls, clear documentation, and reliable evidence that those controls operate as intended.
Start early, build momentum with a strong first month, and treat automation as a way to maintain posture between assessments so that audits become a formality rather than a scramble. With a realistic plan and sustained execution, CMMC compliance enables you to bid confidently, meet customer expectations, and safeguard the data that underpins national security.
Ready to dive deeper? Explore more step-by-step SaaS security guides on Spotsaas.