If your business supports defense-related federal work, CMMC 2.0 for GSA contractors is a requirement you need to understand now. The Cybersecurity Maturity Model Certification program defines the cybersecurity standards defense contractors must meet to win and keep Department of Defense work. For many companies holding or pursuing GSA schedule contracts, CMMC 2.0 adds a compliance layer on top of existing NIST 800-171 requirements.
What CMMC 2.0 Is
CMMC stands for Cybersecurity Maturity Model Certification. It is a DoD framework that establishes cybersecurity requirements for contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Version 2.0, now being phased into contracts, simplified the original five-level model down to three levels and aligned more closely with existing NIST standards.
Unlike NIST 800-171, which relies on self-attestation for most contractors, CMMC 2.0 at Level 2 and above requires third-party assessment by a Certified Third-Party Assessment Organization (C3PAO). This makes CMMC a more rigorous, externally verified standard.
How CMMC Relates to NIST 800-171
CMMC Level 2 maps directly to the 110 security requirements in NIST SP 800-171. If you are already working toward NIST 800-171 Rev 3 compliance, you are also building the foundation for CMMC Level 2. The key difference is verification: NIST 800-171 allows you to self-assess and submit your score through SPRS, while CMMC Level 2 requires a C3PAO to assess and certify you.
For a detailed look at the NIST 800-171 Rev 3 requirements themselves, our guide on NIST 800-171 Rev 3 compliance covers the framework step by step.
Which GSA Contractors Are Affected
Not every GSA schedule contractor needs CMMC certification. The requirement applies when your contract performance involves FCI or CUI:
- Defense contractors and subcontractors handling DoD-related CUI need CMMC Level 2 or Level 3
- Contractors handling only FCI (lower sensitivity data) may qualify for Level 1, which is a self-assessment
- Commercial item contracts with no CUI handling are generally exempt
- If your GSA schedule work supports DoD task orders, check the solicitation for CMMC language. It is increasingly appearing as a required contractor representation
The Three CMMC Levels
- 1
Level 1: Foundational
Requires 17 basic cybersecurity practices aligned with FAR 52.204-21. Annual self-assessment and affirmation are sufficient. Applies to contractors handling FCI but not CUI.
- 2
Level 2: Advanced
Requires all 110 NIST 800-171 controls. Most defense contractors handling CUI fall here. Triennial third-party assessment by a C3PAO is required, with annual self-affirmations in between.
- 3
Level 3: Expert
Requires 110+ controls plus a subset of NIST 800-172 requirements. Reserved for contractors on the most sensitive DoD programs. Government-led assessments by the Defense Contract Management Agency (DCMA) are required.
Steps to Get Started
If CMMC applies to your work, the preparation path is clear but takes time. Start well before the requirement appears in a solicitation:
- 1
Determine your required CMMC level
Review your current and anticipated contracts. If you are unsure whether your work involves CUI, consult your contracting officer or legal counsel before proceeding.
- 2
Complete a gap assessment
Compare your current security posture against the applicable CMMC level requirements. The free GSA readiness assessment can help you identify gaps quickly and build your remediation priority list.
- 3
Build your System Security Plan
Document your implemented controls and your plan to close gaps. The SSP is a key artifact that C3PAOs review during assessment, and it must be complete and current.
- 4
Select a C3PAO early
Certified Third-Party Assessment Organizations book far in advance. If you are targeting Level 2 certification, identify and engage a C3PAO 6 to 12 months before you need the certification.
- 5
Build continuous compliance into your operations
CMMC is not a one-time certification. Annual self-affirmations and triennial assessments require ongoing security operations, monitoring, and documentation.
CMMC preparation starts with understanding where your gaps are. A free GSA readiness assessment helps you evaluate your current security posture before you engage a C3PAO.
Start Your Free Readiness AssessmentConclusion
CMMC 2.0 is becoming a standard fixture in defense-related federal contracts. For GSA contractors whose work touches DoD programs, building toward CMMC Level 2 certification alongside NIST 800-171 compliance is the right long-term strategy. Start with a gap assessment, document your current controls, and engage a C3PAO well in advance of your first requirement. The contractors who act early will be the ones winning defense-related task orders as CMMC becomes fully embedded in solicitations.