Regulatory Framework

CMMC 2.0

Protect the Defense Industrial Base. Starting with Network Visibility.

CMMC 2.0 is now a contractual requirement for 300,000+ defense contractors. Phase 2 C3PAO assessments are active. IoT Secure helps organizations achieve and maintain the device inventory, network segmentation, monitoring, and evidence collection required across all three CMMC levels.

  • 300K+: defense contractors in the DIB required to achieve CMMC compliance
  • 110: security practices required for Level 2 (CUI protection)
  • Phase 2: C3PAO assessment mandates now active as of Q1 2026

Background

What Is CMMC 2.0 and Who Needs It?

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the U.S. Department of Defense's framework for ensuring that defense contractors maintain adequate cybersecurity practices to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CMMC 2.0 replaced the original five-level CMMC 1.0 model with a streamlined three-level structure that aligns directly with NIST SP 800-171 and NIST SP 800-172. It applies to all organizations in the Defense Industrial Base (DIB) — any company that handles, processes, stores, or transmits DoD-related information, including primes, subcontractors, and suppliers.

Phase 1 of implementation began in late 2024 with self-assessment for Level 1 contracts. Phase 2, which began in Q1 2026, requires third-party C3PAO assessments for organizations handling CUI. The consequences of non-compliance include contract loss and potential suspension from DoD contracting.

  • Applies to all DoD contractors who handle FCI or CUI
  • Required in all new DoD contracts as of Phase 2 implementation
  • Replaces the prior DFARS 252.204-7012 self-attestation approach for Level 2+
  • Non-compliance can result in contract suspension or termination
  • Self-assessment still available for Level 1 (basic safeguarding of FCI)

The Framework

CMMC 2.0 Three-Level Structure

Level 1

Foundational

17 practices

Protects Federal Contract Information (FCI). Based on FAR 52.204-21 basic safeguarding requirements. Organizations self-assess annually using the DoD Assessment Methodology.

  • Basic safeguarding of federal contract information
  • 17 practices aligned with FAR 52.204-21
  • Annual self-assessment with senior official affirmation
  • No third-party assessment required
  • SPRS score submission required

Level 2

Advanced

110 practices

Protects Controlled Unclassified Information (CUI). Aligns with all 110 practices from NIST SP 800-171. A C3PAO assessment is required for most contracts; self-assessment is permitted for non-prioritized programs.

  • Protection of CUI in non-federal systems
  • 110 practices from NIST SP 800-171 r2
  • Triennial C3PAO assessment for most programs
  • 14 practice domains including AC, IA, SC, SI, AU
  • Plan of Action & Milestones (POA&M) required for gaps

Level 3

Expert

110+ practices

Protects CUI associated with DoD's highest priority programs. Includes all NIST SP 800-171 practices plus additional requirements from NIST SP 800-172. Government-led assessments.

  • High value assets and critical program information
  • All 110 NIST SP 800-171 practices plus enhanced controls
  • Government-led DCSA assessments
  • Advanced persistent threat (APT) defense capabilities
  • Reserved for organizations handling the most sensitive programs

How IoT Secure Helps

Automate the Technical Evidence CMMC Requires

  • Asset Inventory & Identification (AC.1.001, CM.2.061): Continuously discover and inventory all systems, IoT, OT, and connected devices, including those outside traditional endpoint management tools.
  • Unauthorized Device Detection (CM.2.062, SC.3.177): Detect and alert on unauthorized devices connecting to your network in real time. Generate evidence of monitoring activity for audit review.
  • Network Segmentation (SC.3.177, SC.1.175): Enforce network segmentation that separates CUI systems from other network zones. Generate segmentation evidence for assessors.
  • Audit Logging & Monitoring (AU.2.041, AU.2.042): Maintain comprehensive device activity logs, alert histories, and communication records. Support audit log review requirements with searchable, exportable data.
  • System Monitoring (SI.2.216, SI.3.219): Continuously monitor network behavior for anomalies, unauthorized connections, and indicators of compromise. Document monitoring activity for evidence packages.
  • Boundary Protection (SC.1.175, SC.3.180): Control communications at the network boundary. Monitor and control traffic between CUI and non-CUI network zones with enforced policy.
  • Vulnerability Management (RM.2.142): Identify CVEs across all network devices, including unmanaged IoT and OT that traditional vulnerability scanners miss. Maintain a current vulnerability assessment.
  • Compliance Reporting & Evidence: Generate audit-ready reports documenting device inventory, network segmentation, monitoring activity, vulnerability findings, and remediation timelines.

Implementation Timeline

CMMC 2.0 Key Milestones

CMMC 2.0 implementation is following a phased rollout. Phase 1 requirements for Level 1 self-assessment have been active since late 2024. Phase 2, which adds C3PAO assessment requirements for contracts involving CUI, went into effect in Q1 2026.

If your organization handles CUI and has not yet conducted a NIST SP 800-171 gap assessment, or if your SPRS score has not been updated to reflect your current security posture, the time to act is now. IoT Secure can help you establish the foundational visibility and evidence collection that CMMC assessors will require.

  • Phase 1 (Active): Level 1 self-assessment for FCI contracts
  • Phase 2 (Active Q1 2026): C3PAO assessments for CUI contracts
  • SPRS score submission required — reflect accurate, current posture
  • POA&Ms accepted for identified gaps with defined milestones
  • Non-compliant organizations risk contract loss on new awards

Important Note

What IoT Secure Is — and Isn't

IoT Secure supports readiness. Certification requires a C3PAO.

IoT Secure is a cybersecurity platform that provides the technical visibility, monitoring, and evidence collection capabilities that CMMC assessors evaluate. We are not a Certified Third-Party Assessment Organization (C3PAO) and we do not issue CMMC certifications.

CMMC certification requires a formal assessment by an authorized C3PAO (for Level 2) or a government-led DCSA assessment (for Level 3). Organizations also need policies, procedures, workforce training, physical security controls, and administrative safeguards that are outside the scope of any technology platform.

IoT Secure dramatically reduces the time and effort required to prepare for a CMMC assessment — but it is one component of a comprehensive compliance program.

Start your CMMC 2.0 readiness journey.

Complete device visibility and evidence collection — ready for your C3PAO assessment.