CMMC 2.0 Rollout and Realities

Explore the phased rollout of CMMC 2.0, how the new rules impact defense contractors, and what it takes to maintain compliance. Our hosts break down the assessment process, key requirements, and real-world implications—plus, share surprising insights and practical examples from the field.

Chapter 1

Understanding the CMMC 2.0 Rulemaking

Eric Marquette

Alright, welcome back to CMMC Unlocked. I’m Eric Marquette, and I’m here with Ruby Sturt and Paul Netopski. Today, we’re diving into the CMMC 2.0 rollout and what it really means for defense contractors. Now, if you caught our last episode, we spent a lot of time on CUI and data rights—so today, we’re building on that foundation and getting into the nuts and bolts of the new rulemaking. Paul, you want to kick us off with a quick overview of what’s changed with the DoD’s proposed DFARS updates and how CMMC 2.0 is structured?

Paul Netopski

Absolutely, Eric. So, the Department of Defense is amending the Defense Federal Acquisition Regulation Supplement—DFARS—to implement the CMMC 2.0 program. The core of CMMC 2.0 is a three-level model, and it’s all based on NIST SP 800-171 and, for the highest level, selected requirements from SP 800-172. Level 1 is about basic safeguarding for Federal Contract Information, Level 2 is for Controlled Unclassified Information—CUI—and Level 3 is for the most critical programs, with enhanced requirements. The phased rollout is a big deal here. Over three years, CMMC requirements will be gradually included in more contracts, so not everyone is hit at once. The DoD estimates only about 1,100 small entities will be impacted in the first year, which is meant to ease the burden, especially for small businesses.

Ruby Sturt

Yeah, and I think that’s a relief for a lot of folks, right? Because, let’s be honest, when you hear “new compliance framework,” most small businesses just see dollar signs and headaches. But this phased approach, it’s kind of like dipping your toe in the pool instead of being shoved in the deep end. Still, it’s a lot to take in. Eric, you’ve worked with a few small contractors—how are they reacting to this phased rollout?

Eric Marquette

Honestly, Ruby, there’s a mix of anxiety and cautious optimism. Some are grateful for the extra time, but others are worried about keeping up with the evolving requirements. And, Paul, you mentioned the NIST standards—can you clarify how those fit into the CMMC levels? I always get a bit tangled up between 800-171 and 800-172.

Paul Netopski

Sure thing. Level 1 is mapped to basic safeguarding requirements—think 48 CFR 52.204-21. Level 2 is a direct mapping to all 110 requirements in NIST SP 800-171. Level 3, which is the most stringent, adds a subset of requirements from NIST SP 800-172. So, if you’re handling CUI, you’re looking at Level 2 at a minimum, and if you’re supporting critical DoD programs, Level 3 could be on the table. The idea is to scale the requirements to the sensitivity of the information you’re handling.

Ruby Sturt

That makes sense. And, Paul, you had a story about a briefing at BAE Systems where things got a bit messy with CUI definitions, right?

Paul Netopski

Yeah, that was a memorable one. We had a company-wide briefing, and there was a lot of confusion about what actually counted as CUI. Some folks thought it was just anything marked “confidential,” others thought it was only export-controlled data. That confusion led to a full compliance overhaul—new training, new marking procedures, and a lot of process documentation. It really drove home how critical it is to get those definitions right from the start, or you end up redoing a lot of work down the line.

Eric Marquette

And that’s a perfect segue, because if you don’t have clarity on what you’re protecting, you can’t scope your compliance efforts properly. We talked about that last episode—scoping and boundary setting are everything. But with CMMC 2.0, the phased rollout gives organizations a bit of breathing room to get those basics sorted before the full weight of compliance hits.

Chapter 2

Inside the Assessment Ecosystem

Eric Marquette

So, let’s talk about the assessment ecosystem. There’s a lot of moving parts—self-assessments, third-party assessments, the CMMC PMO, Accreditation Body, DIBCAC. Paul, can you break down who does what in this new world?

Paul Netopski

Yeah, it’s a bit of an alphabet soup, but here’s the gist: For Level 1 and some Level 2 contracts, organizations can do self-assessments and post their results in the Supplier Performance Risk System—SPRS. For higher-risk contracts, especially those involving CUI, you’ll need a third-party assessment from a CMMC Third-Party Assessment Organization, or C3PAO. The CMMC Program Management Office, or PMO, oversees the whole program, while the Accreditation Body is responsible for authorizing and accrediting C3PAOs. DIBCAC—the Defense Industrial Base Cybersecurity Assessment Center—steps in for the highest level, Level 3, and also for oversight and appeals. It’s a layered system designed to scale the level of scrutiny to the risk involved.

Ruby Sturt

And, just to add, the Accreditation Body has to meet some pretty strict standards—ISO/IEC 17011, 17020, and 17024, if you want to get technical. They’re the gatekeepers for who can actually perform these assessments. But, for a lot of small businesses, the first hurdle is just figuring out how to do a self-assessment and get it into SPRS. I actually spoke with a small business owner last month—she was totally overwhelmed by the SPRS process. She thought she had to hire a consultant just to log in! But once she found the official CMMC guides, it started to click. The guides walk you through the Level 1 and Level 2 requirements, and there’s even a scoping guide to help you figure out what’s in and out of scope. It’s not easy, but it’s doable if you take it step by step.

Eric Marquette

That’s a great point, Ruby. And it’s not just about getting through the initial assessment, right? Organizations have to manage ongoing compliance—especially if they’re working with subcontractors or using cloud service providers. Paul, what’s your advice for organizations trying to keep their whole supply chain in line?

Paul Netopski

It’s a challenge, no doubt. The CMMC requirements have to flow down to all subcontractors at every tier if they’re processing FCI or CUI. That means primes need to verify their subs’ compliance, and there’s not a centralized tool for that yet. It’s a lot of coordination—think regular check-ins, documentation, and making sure everyone’s on the same page about what level applies. For cloud service providers, you need to make sure they’re FedRAMP authorized at the right baseline, or at least meet equivalent security requirements. And don’t forget, evidence retention is key—artifacts from assessments have to be kept for six years. That’s a long time, but it’s non-negotiable if you want to stay eligible for contracts.

Ruby Sturt

Yeah, and I’ll just say—don’t underestimate the value of those official guides. The CMMC Assessment Guides and Scoping Guides are lifesavers. They’re all on the DoD’s CMMC website, and they break down what you need to do at each level. If you’re stuck, start there before you panic or shell out for a consultant.

Eric Marquette

And for anyone listening who’s still feeling lost, remember, you’re not alone. The ecosystem is designed to support organizations of all sizes, but you have to take the first step and engage with the resources out there.

Chapter 3

Compliance Costs, Burdens, and Practical Strategies

Eric Marquette

Alright, let’s get real about the costs and paperwork. The DoD estimates that, once fully rolled out, nearly 30,000 entities—most of them small businesses—will be impacted by CMMC requirements each year. That’s a lot of organizations juggling compliance, documentation, and evidence retention. Paul, what are the main cost drivers here?

Paul Netopski

The biggest costs are usually in documentation, ongoing evidence retention, and the time it takes to prepare for and undergo assessments. For self-assessments, the paperwork burden is estimated at about 5 minutes per response, but that doesn’t capture the prep work—gathering artifacts, updating your system security plan, and making sure your controls are actually implemented. For third-party assessments, you’re looking at more time and, of course, the cost of the assessment itself. And don’t forget, you have to keep all your evidence for six years. That’s a significant administrative load, especially for small businesses.

Ruby Sturt

Yeah, and it’s not just the direct costs. There’s the opportunity cost of pulling your IT folks off their day jobs to focus on compliance. But there are some practical strategies to lighten the load. For example, the DoD and NIST have published a ton of guidance—assessment guides, scoping guides, even a hashing guide for artifact integrity. If you use those resources, you can avoid a lot of wheel-spinning. And, Eric, didn’t you test out an AI-driven documentation tool recently?

Eric Marquette

I did, actually. I tried out a tool that automates compliance recordkeeping for a mid-sized defense supplier. It wasn’t perfect, but it did help organize evidence, track assessment dates, and even flag when annual affirmations were due. For organizations that don’t have a dedicated compliance team, tools like that can be a game-changer. But, as always, you have to make sure the tool itself is secure and that you’re not just automating bad processes.

Paul Netopski

That’s a good point, Eric. Automation can help, but you still need to understand the requirements. The CMMC is all about demonstrating that you’re actually implementing the controls—not just checking boxes. So, whether you’re using a tool or doing it manually, make sure your documentation is accurate and your evidence is solid. And don’t forget to leverage the official DoD and NIST resources—they’re there for a reason.

Ruby Sturt

And if you’re feeling overwhelmed, remember, the phased rollout is designed to give you time to get your house in order. Start with the basics—scope your environment, document your processes, and use the guides. It’s a marathon, not a sprint.

Eric Marquette

Well said, Ruby. That’s all we’ve got for today. Thanks for joining us as we unpacked the CMMC 2.0 rollout and the realities of compliance. Paul, Ruby—always a pleasure. We’ll be back soon with more insights and, I’m sure, a few more war stories from the field. Take care, everyone.

Ruby Sturt

Thanks, Eric. Thanks, Paul. Catch you next time!

Paul Netopski

Thanks, both. Looking forward to the next one. Stay secure out there.