By Framework · CMMC 2.0

Self-attestation is ending for the defense supply chain

The Cybersecurity Maturity Model Certification is now live. As of November 2025 it is being written into Department of Defense contracts on a phased schedule, and for the contractors who handle controlled unclassified information it replaces the honor-system self-score with a third-party assessment.

The landscape

The clock has started, in phases

CMMC 2.0 sorts defense contractors into levels by the sensitivity of the information they hold. Level 1 covers basic federal contract information with an annual self-assessment; Level 2 covers CUI and is built directly on the 110 controls of NIST 800-171, verified by an accredited third party; Level 3 adds the most stringent requirements for the highest-priority programs. The rollout is deliberately staged, phasing in through the DoD contract stream over the next several years until it applies everywhere.

CMMC 2.0 Level 1 Level 2 NIST 800-171 C3PAO CUI DFARS 7021
Nov 2025
the CMMC rule took effect and phased rollout began. Contractors handling CUI are on the clock for a third-party Level 2 assessment, and by the final phase CMMC applies to every applicable DoD contract.

The change that matters is who checks the work. For years a contractor could self-attest to its 800-171 score. Under CMMC Level 2 an accredited assessor verifies it, so the gap between the score on paper and the state of the network becomes a pass or a fail.

Why it is hard

Someone else is grading it now

CMMC does not invent new controls so much as it removes the benefit of the doubt. The 110 NIST 800-171 requirements have to be genuinely in place, documented, and evidenced, because an assessor will look, and a single unmet requirement can hold up a certification. Primes must also confirm that the subcontractors they flow CUI to are certified at the right level.

Managed in spreadsheets, that becomes a System Security Plan that does not survive contact with an assessor, and a supply chain whose readiness no one can vouch for.

How SimpleRisk fits

One control library, every obligation

SimpleRisk gets you assessment-ready and keeps you there: the 800-171 controls behind CMMC, owned and evidenced, for you and the suppliers you flow CUI to.

  • Be ready for the assessor. Track all 110 Level 2 requirements, keep the SSP current, and close POA&M items before a C3PAO ever arrives.
  • Map once, satisfy many. The Secure Controls Framework maps the same controls across CMMC, NIST 800-171, NIST CSF, ISO 27001, and 250-plus frameworks, so nothing is done twice.
  • Vouch for the supply chain. Track subcontractor certification levels against the same requirements, so flowing down CUI does not flow down risk you cannot see.
  • Prove it on demand. Produce the plan, the score, and the evidence a third-party assessment or a DIBCAC review requires.

Walk into your CMMC assessment already able to prove it

Start a free trial or book a demo, and see how SimpleRisk keeps your Level 2 controls and evidence ready for the assessor.

Start a free trial