CMMC 2.0 became enforceable for DoD contracts in December 2024 when the final rule took effect. Level 2 — covering Controlled Unclassified Information and applying to the majority of the defense industrial base — requires assessment against all 110 practices from NIST SP 800-171 Rev 2. There are two paths: self-assessment (for contracts not involving critical programs or technologies) and C3PAO third-party assessment (for contracts the DoD designates as requiring it). Neither path relieves the engineering team of actually implementing the controls.
The gap between what defense contractors document and what they implement is the core examination risk. The Defense Contract Audit Agency (DCAA) and Defense Contract Management Agency (DCMA) have been conducting spot checks since 2021. The CMMC assessment methodology scores against SPRS (Supplier Performance Risk System) — and the False Claims Act exposure for contractors who knowingly misrepresent their compliance posture has already been invoked in enforcement actions.
The 110 Controls: Where Engineering Teams Consistently Fail
NIST SP 800-171 Rev 2 organizes the 110 practices across 14 families. The families where implementation gaps are most common: Access Control (AC), Audit and Accountability (AU), Configuration Management (CM), Identification and Authentication (IA), and System and Communications Protection (SC).

Access Control family (22 practices): AC.1.001 through AC.3.022 cover everything from limiting system access to authorized users to controlling the flow of CUI. The failure mode: contractors implement role-based access control at the application layer but leave the underlying infrastructure accessible without the same controls. An engineer with direct database access or cloud console access who is not listed as an authorized CUI user is an AC violation regardless of application-layer controls.
AU.2.041 through AU.3.045 — the Audit and Accountability practices — require that systems create, protect, and retain system audit logs sufficient to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Logs must be protected from unauthorized access or modification, retained for three years, and reviewed regularly. CloudTrail or Azure Monitor configured with default retention settings does not satisfy AU.3.045.
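As an added illustration of what "default settings do not suffice" looks like in practice, the following script (an example written for this page, not code from the article or from any vendor) evaluates a CloudTrail trail and the lifecycle policy on its log bucket against the AU points above: integrity protection of delivered logs, encryption, multi-region capture, and a retention period of at least three years. The trail and lifecycle dicts are constructed sample data shaped like the responses of boto3's `describe_trails()` and `get_bucket_lifecycle_configuration()`; the field names are the real API's, the values are invented.

```python
"""Added example (not from the article): check a CloudTrail trail and its S3
bucket lifecycle against the AU family expectations described above.
Inputs are plain dicts shaped like boto3 responses; the sample data below is
constructed, not taken from a real account."""

REQUIRED_RETENTION_DAYS = 3 * 365  # three-year retention, as the article states

# Constructed sample: a trail as CloudTrail's describe_trails() would return it.
SAMPLE_TRAIL = {
    "Name": "cui-audit-trail",
    "S3BucketName": "example-cui-audit-logs",
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": False,  # digest files for tamper detection are off
    "KmsKeyId": None,                   # logs not encrypted with a customer-managed key
}

# Constructed sample: lifecycle rules shaped like
# get_bucket_lifecycle_configuration()["Rules"]. A 90-day expiration is the
# kind of "default" that quietly destroys evidence long before three years.
SAMPLE_LIFECYCLE_RULES = [
    {"ID": "expire-old-logs", "Status": "Enabled",
     "Filter": {"Prefix": ""}, "Expiration": {"Days": 90}},
]


def shortest_expiration_days(rules):
    """Smallest enabled Expiration.Days across the rules, or None if nothing expires."""
    days = [r["Expiration"]["Days"] for r in rules
            if r.get("Status") == "Enabled" and "Days" in r.get("Expiration", {})]
    return min(days) if days else None


def audit_trail(trail, lifecycle_rules):
    """Return a list of findings; an empty list means the trail passes these checks."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is single-region: activity in other regions is not captured")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation disabled: modification of delivered "
                        "logs cannot be detected")
    if not trail.get("KmsKeyId"):
        findings.append("logs are not encrypted with a customer-managed KMS key")
    expiry = shortest_expiration_days(lifecycle_rules)
    if expiry is not None and expiry < REQUIRED_RETENTION_DAYS:
        findings.append(f"bucket expires logs after {expiry} days; "
                        f"{REQUIRED_RETENTION_DAYS} days required")
    return findings


if __name__ == "__main__":
    for finding in audit_trail(SAMPLE_TRAIL, SAMPLE_LIFECYCLE_RULES):
        print("FAIL:", finding)
```

In a real account the two dicts come from `boto3.client("cloudtrail").describe_trails()["trailList"]` and `boto3.client("s3").get_bucket_lifecycle_configuration(Bucket=...)["Rules"]`; everything else stays the same. The retention check deliberately treats "no expiration rule" as passing, since the absence of a rule means objects are kept indefinitely.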
Multi-Factor Authentication: IA.3.083
IA.3.083 requires multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. The scope of "network access" is broader than most contractors implement — it includes any access to systems processing CUI over a network connection, including VPN-connected remote access. MFA at the identity provider level satisfies this for user access. The failure mode: service accounts, API credentials, and CI/CD pipeline access that authenticates with a single factor. Every automated access to CUI systems needs to be evaluated against IA.3.083.
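To make the "audit every automated access" point concrete, here is an added example (written for this page, not the article's or AWS's code) that walks an IAM credential report and flags every principal that can reach the account with a single factor: console passwords without MFA, and long-lived access keys, which are a single factor by construction and are exactly where service accounts and CI/CD pipelines tend to hide. The CSV is a constructed excerpt using a subset of the real report's columns (`user`, `password_enabled`, `mfa_active`, `access_key_1_active`, `access_key_2_active`); a real report comes from `iam.get_credential_report()` and carries more columns, which `csv.DictReader` simply ignores.

```python
"""Added example (not the article's code): find single-factor access paths in
an IAM credential report, the IA.3.083 gap the article calls out for service
accounts and CI/CD pipelines. The CSV below is a constructed excerpt."""
import csv
import io

# Constructed sample: a subset of the credential report's columns. The account
# id is the standard AWS documentation placeholder, not a real account.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,true,true,false,false
alice,arn:aws:iam::123456789012:user/alice,true,true,false,false
bob,arn:aws:iam::123456789012:user/bob,true,false,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,true
svc-etl,arn:aws:iam::123456789012:user/svc-etl,false,false,true,false
"""


def truthy(value):
    """The report uses 'true'/'false'/'not_supported'/'N/A' as strings."""
    return value.strip().lower() == "true"


def audit_credential_report(report_csv):
    """Return {user: [issues]} for every principal with a single-factor path in."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        if truthy(row["password_enabled"]) and not truthy(row["mfa_active"]):
            issues.append("console password enabled without MFA")
        active_keys = [k for k in ("access_key_1_active", "access_key_2_active")
                       if truthy(row[k])]
        if active_keys:
            # A static access key is one factor regardless of the user's MFA
            # status. Automated identities need a different mechanism, e.g.
            # short-lived role credentials obtained through OIDC federation.
            issues.append(f"{len(active_keys)} long-lived access key(s) active")
        if issues:
            findings[row["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        print(f"{user}: {'; '.join(issues)}")
```

The report flags `bob` (password, no MFA) and both automated identities; `alice` and the root account pass. Whether a flagged service account is a finding or an accepted risk with compensating controls is a decision the SSP has to record, but the script gives you the complete list to decide over rather than the subset someone remembered.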
Configuration Management: CM.2.061 through CM.3.068
The CM family requires establishing and maintaining baseline configurations (CM.2.061), configuration settings that reflect the most restrictive mode consistent with operational requirements (CM.2.062), and tracking, reviewing, approving, and logging changes to organizational systems (CM.3.068). In practice: infrastructure-as-code with drift detection, not manual configuration documentation. A system where an engineer can SSH into a production instance and make configuration changes without that change being logged, reviewed, and approved fails CM.3.068.
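The drift-detection half of that statement is easy to describe and rarely shown, so here is an added example (written for this page, not the article's code) that compares the effective settings in an `sshd_config` taken from a host against a declared baseline and reports every divergence, including settings that are missing entirely and therefore fall back to the daemon's default. The baseline values are a constructed illustration of "most restrictive mode consistent with operational requirements"; an organisation's real baseline is whatever its approved configuration says. The sample config is likewise constructed.

```python
"""Added example (not from the article): detect drift between a declared
sshd_config baseline (CM.2.061/CM.2.062) and what is observed on a host.
Baseline and observed config below are constructed samples."""

# Constructed baseline: keyword -> required value. Keywords are stored
# lower-cased because sshd treats them case-insensitively.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "3",
    "loglevel": "verbose",
}

# Constructed sample: a production host's sshd_config after someone
# "temporarily" re-enabled password logins by hand over SSH.
OBSERVED_SSHD_CONFIG = """\
# Managed by configuration management - do not edit by hand
Port 22
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 6
"""


def parse_sshd_config(text):
    """Parse 'Keyword value' lines, skipping comments and blanks.

    Only the first occurrence of a keyword is kept, matching sshd's own rule
    that the first obtained value wins. Match blocks are not modelled here;
    settings inside a 'Match' block would need per-criteria handling."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def detect_drift(baseline, observed):
    """Return {keyword: (expected, actual)} for each baseline entry that differs.

    actual is None when the keyword is absent from the file, which means the
    compiled-in sshd default applies rather than the baseline value."""
    drift = {}
    for key, expected in baseline.items():
        actual = observed.get(key)
        if actual is None or actual.lower() != expected.lower():
            drift[key] = (expected, actual)
    return drift


if __name__ == "__main__":
    for key, (expected, actual) in detect_drift(
            BASELINE, parse_sshd_config(OBSERVED_SSHD_CONFIG)).items():
        print(f"DRIFT {key}: expected {expected!r}, found {actual!r}")
```

Run from a scheduled job (or as a check in the pipeline that deploys the baseline), a non-empty result is the event that CM.3.068 wants logged and reviewed: a configuration change that did not go through the approved path. Absent keywords are reported as drift on purpose, since a baseline that is silent about a setting is relying on a default that can change between OpenSSH releases.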
Self-Assessment vs. C3PAO: The Decision Framework
The DoD determines which assessment path applies at the contract level — contractors do not choose. But the implementation requirements are identical. If you are on the self-assessment path for current contracts but expect to pursue DoD prime contracts, conduct your own assessment with C3PAO methodology before your score goes to SPRS. The System Security Plan (SSP) is the assessment target — assessors are evaluating whether the implementation described in the SSP is the implementation that actually exists.
- Map your CUI data flows — CMMC controls apply to systems that process, store, or transmit CUI, not to all systems
- Implement AU family controls with explicit retention policies and log integrity protection — default cloud logging settings do not suffice for AU.3.045
- Audit all authentication mechanisms for IA.3.083 coverage — service accounts and CI/CD pipelines are common gaps
- Implement infrastructure-as-code with drift detection to satisfy CM family requirements
- Conduct a SPRS scoring exercise using NIST SP 800-171A assessment procedures before any external assessment
- Review SSP documentation against actual implementation — the SSP is what assessors test against
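The SPRS scoring exercise in the checklist is mechanical once the per-practice results exist, and running it internally before submission removes the surprise. The following is an added example (written for this page, not the article's code or an official DoD tool) that computes a score from self-assessment results using the DoD Assessment Methodology's rules: start at 110, subtract each unimplemented practice's weight of 1, 3 or 5, give the reduced 3-point deduction to 3.5.3 (MFA in place for remote and privileged users but not general users) and 3.13.11 (encryption in use but not FIPS-validated), and never go below -203. The practice identifiers, weights and statuses in the sample table are a constructed illustration; the authoritative weight table is the methodology document itself.

```python
"""Added example (not the article's code): compute a NIST SP 800-171 DoD
Assessment (SPRS) score from self-assessment results. Scoring rules follow
the DoD Assessment Methodology; the sample result table is constructed."""

MAX_SCORE = 110
MIN_SCORE = -203

# Practices eligible for partial credit: practice -> (full, reduced) deduction.
PARTIAL_CREDIT = {
    "3.5.3": (5, 3),    # MFA for remote/privileged users only, not general users
    "3.13.11": (5, 3),  # encryption employed but not FIPS-validated
}

# Constructed sample of (practice, weight, status). status is "implemented",
# "partial" (only meaningful for PARTIAL_CREDIT practices) or "not_implemented".
# Weights here are illustrative; take real ones from the methodology.
SAMPLE_RESULTS = [
    ("3.1.1", 5, "implemented"),
    ("3.1.2", 5, "implemented"),
    ("3.3.1", 5, "not_implemented"),    # audit logs not retained per policy
    ("3.3.8", 1, "not_implemented"),    # audit information not protected
    ("3.4.1", 5, "implemented"),
    ("3.4.3", 1, "not_implemented"),    # changes not tracked and approved
    ("3.5.3", 5, "partial"),            # MFA missing for general users
    ("3.13.11", 5, "not_implemented"),  # CUI in transit not encrypted at all
]


def deduction(practice, weight, status):
    """Points subtracted for one practice under the methodology's rules."""
    if status == "implemented":
        return 0
    if status == "partial" and practice in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[practice][1]
    if status in ("partial", "not_implemented"):
        # Anything short of fully implemented costs the full weight for every
        # practice other than the two partial-credit exceptions.
        return weight
    raise ValueError(f"unknown status {status!r} for practice {practice}")


def sprs_score(results):
    """Score = 110 minus all deductions, floored at -203."""
    total = MAX_SCORE - sum(deduction(p, w, s) for p, w, s in results)
    return max(total, MIN_SCORE)


def worst_practices(results, n=3):
    """The n practices costing the most points, to prioritise remediation."""
    costed = [(deduction(p, w, s), p) for p, w, s in results]
    return [p for cost, p in sorted(costed, reverse=True) if cost > 0][:n]


if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_RESULTS))
    print("fix first:", worst_practices(SAMPLE_RESULTS))
```

Two things the arithmetic makes visible that a narrative self-assessment hides: a single 5-point practice such as audit log retention costs as much as five 1-point practices, so the remediation order should follow weight, and "partially implemented" earns nothing except for the two named exceptions, which is why an engineer's "mostly done" is scored as not done.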