Defense contractors have spent the last three years watching the Cybersecurity Maturity Model Certification (CMMC) program move from proposal to enforceable rule. As of December 16, 2024, the CMMC final rule (32 CFR Part 170) is in effect, and the Department of Defense has begun inserting CMMC requirements into new solicitations through a four-phase rollout that runs into 2028. For the roughly 220,000 companies in the Defense Industrial Base, the question is no longer "will CMMC apply to us" — it's "which of the three levels applies, and what does it actually take to get there." Compliance automation vendors like Vanta market themselves as a shortcut through that question, bundling policy templates and continuous-monitoring dashboards under a compliance label. But CMMC isn't a checkbox framework — it's a controlled-unclassified-information (CUI) protection regime built on NIST SP 800-171, verified in most cases by an independent third-party assessor. Here's what each level actually requires.
What Are the Three CMMC Compliance Levels?
CMMC has three levels, each mapped to a different sensitivity of information a contractor handles. Level 1 (Foundational) covers companies that only handle Federal Contract Information (FCI) and requires an annual self-assessment against 15 basic safeguarding requirements drawn from FAR 52.204-21. Level 2 (Advanced) applies to companies handling Controlled Unclassified Information (CUI) and requires implementation of all 110 security requirements in NIST SP 800-171 Rev 2, organized across 320 assessment objectives in NIST SP 800-171A. Most Level 2 contracts require a third-party assessment performed by a Certified Third-Party Assessment Organization (C3PAO) every three years, though a subset of Level 2 contracts allow annual self-assessment when designated by the program office. Level 3 (Expert) is reserved for the highest-priority programs — think programs facing nation-state-level threats — and adds roughly 24 additional controls from NIST SP 800-172 on top of the full Level 2 baseline, with assessments conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Roughly 80,000 of the 220,000 companies in the DIB are expected to need Level 2 or higher because they touch CUI.
Which CMMC Level Does Your Defense Contract Require?
Your required level is set by the contracting officer based on the sensitivity of the information flowing through your contract, not by your company's size or preference. If a Statement of Work never shares CUI — for example, you're supplying a commercial off-the-shelf part with no technical data package — Level 1 typically applies. The moment a contract includes a DD Form 254 or references DFARS 252.204-7012 marking, you're almost certainly a Level 2 candidate, because that clause has required NIST SP 800-171 compliance since 2017 — CMMC just adds independent verification on top of what was previously a self-attestation. Subcontractors inherit the requirement too: if a prime is told Level 2 applies and CUI flows down to a sub building a single component, that sub needs the same level for the portion of its environment that touches CUI, which is why enclave-based scoping (isolating CUI to a dedicated network segment) has become the most common way small and mid-size contractors control assessment cost.
When Do CMMC Requirements Actually Show Up in Contracts?
CMMC is being phased into contracts over four phases running from 2025 through 2028, not applied all at once. Phase 1, which began in 2025 following the rule's effective date, allows contracting officers to include CMMC Level 1 or Level 2 self-assessment requirements in new solicitations. Phase 2, expected roughly one year later, introduces the requirement for Level 2 certification assessments (the third-party C3PAO audits) and Level 3 assessments in applicable contracts. Phase 3 extends CMMC requirements to option periods on existing contracts, and Phase 4, targeted for 2028, makes CMMC a mandatory condition of contract award and option-period exercise across all applicable DoD contracts and subcontracts. In practice this means a contractor could see a CMMC clause appear in a routine contract modification well before the "final" 2028 deadline, so waiting until a Phase 4 mandate to start remediation leaves little runway — a Level 2 gap assessment and C3PAO scheduling alone commonly takes several months.
How Is CMMC Different From Self-Attested NIST SP 800-171 Compliance?
The core difference is verification, not the underlying controls. DFARS 252.204-7012 has required compliance with NIST SP 800-171's 110 controls since 2017, and DFARS 252.204-7020 has required contractors to post a Supplier Performance Risk System (SPRS) self-assessment score since 2020 — but both relied on contractors grading their own homework, and DoD's own reviews found scores were frequently overstated or stale. CMMC Level 2 keeps the same 110 controls but replaces the honor system with recurring, evidence-based verification: a C3PAO assessor reviews artifacts against all 320 objectives in SP 800-171A, and the resulting certification is valid for three years, with an annual affirmation required in between. CMMC also formalizes Plans of Action and Milestones (POA&Ms): a contractor can achieve conditional certification with certain unmet controls open, but those items must be closed within 180 days or the certification lapses. That 180-day clock, and the requirement that some controls (like FIPS-validated cryptography) can never be POA&M'd, is a level of enforcement rigor that self-attestation never had.
Can Vanta's Compliance Automation Platform Get You CMMC Certified?
No single software platform can certify you — Vanta and similar GRC tools automate evidence collection and control tracking, but Level 2 certification itself must be performed by an accredited C3PAO, not a SaaS vendor. Vanta built its reputation on SOC 2 and ISO 27001 automation, where continuous control monitoring against relatively generic, cloud-centric controls maps well to API-based evidence pulls from tools like AWS, Okta, and GitHub. NIST SP 800-171's 110 requirements are different in kind: many map to physical and procedural controls (media sanitization, visitor logs, CUI marking, FIPS-validated cryptographic modules, boundary protection for on-prem and OT environments) that don't have a clean API to poll, and defense contractors frequently run mixed environments spanning cloud, on-prem ERP/PLM systems, and shop-floor equipment that generic GRC connectors weren't built to reach. Vanta added a CMMC framework template to its platform, but customers still need to build System Security Plans (SSPs), scope CUI enclaves, and prepare C3PAO evidence largely outside the tool — the platform tracks that a control is marked "done," not whether the underlying architecture would survive an assessor's technical review of, say, your boundary protection or your CUI flow diagrams.
How Safeguard Helps
Safeguard is built around the software supply chain and infrastructure evidence that actually drives CMMC Level 2 outcomes, rather than treating defense compliance as a generic GRC checklist. For contractors mapping NIST SP 800-171's 110 controls, a large share touch the software build and delivery pipeline directly — configuration management (CM family), system and information integrity (SI family), and access control for the systems that produce and ship CUI-adjacent artifacts. Safeguard continuously inventories your software bill of materials, build provenance, and dependency risk across the actual pipelines your engineers use, generating the artifact-level evidence — signed builds, vulnerability remediation timelines, SBOM history — that a C3PAO assessor will ask for when validating configuration and integrity controls, instead of a static screenshot uploaded once and never refreshed.
Because Safeguard tracks findings against real infrastructure rather than a generic control library, it maps naturally to CMMC's POA&M model: when a control gap is identified, Safeguard shows the specific asset, the remediation owner, and an aging clock that lines up with the 180-day POA&M closeout window CMMC assessors enforce, so nothing quietly ages past the deadline and jeopardizes certification. For contractors currently on Vanta or a similar generic GRC tool for SOC 2, Safeguard is designed to sit alongside it rather than replace it — Vanta can continue handling policy attestations and HR-style controls, while Safeguard supplies the deep supply-chain and infrastructure evidence that CMMC Level 2 and Level 3 assessments actually scrutinize, closing the gap between "control marked complete" and "control an assessor will accept." That combination is what turns a CMMC self-assessment into a certification a C3PAO will sign off on.