By Framework · CMMC 2.0
Self-attestation is ending for the defense supply chain
The Cybersecurity Maturity Model Certification is now live. As of November 2025 it is being written into Department of Defense contracts on a phased schedule, and for the contractors who handle controlled unclassified information it replaces the honor-system self-score with a third-party assessment.
The landscape
The clock has started, in phases
CMMC 2.0 sorts defense contractors into levels by the sensitivity of the information they hold. Level 1 covers basic federal contract information with an annual self-assessment; Level 2 covers CUI and is built directly on the 110 controls of NIST 800-171, verified by an accredited third party; Level 3 adds the most stringent requirements for the highest-priority programs. The rollout is deliberately staged, phasing in through the DoD contract stream over the next several years until it applies everywhere.
The change that matters is who checks the work. For years a contractor could self-attest to its 800-171 score. Under CMMC Level 2 an accredited assessor verifies it, so the gap between the score on paper and the state of the network becomes a pass or a fail.
Why it is hard
Someone else is grading it now
CMMC does not invent new controls so much as it removes the benefit of the doubt. The 110 NIST 800-171 requirements have to be genuinely in place, documented, and evidenced, because an assessor will look, and a single unmet requirement can hold up a certification. Primes must also confirm that the subcontractors they flow CUI to are certified at the right level.
Managed in spreadsheets, that becomes a System Security Plan that does not survive contact with an assessor, and a supply chain whose readiness no one can vouch for.
How SimpleRisk fits
One control library, every obligation
SimpleRisk gets you assessment-ready and keeps you there: the 800-171 controls behind CMMC, owned and evidenced, for you and the suppliers you flow CUI to.
- Be ready for the assessor. Track all 110 Level 2 requirements, keep the SSP current, and close POA&M items before a C3PAO ever arrives.
- Map once, satisfy many. The Secure Controls Framework maps the same controls across CMMC, NIST 800-171, NIST CSF, ISO 27001, and 250-plus frameworks, so nothing is done twice.
- Vouch for the supply chain. Track subcontractor certification levels against the same requirements, so flowing down CUI does not flow down risk you cannot see.
- Prove it on demand. Produce the plan, the score, and the evidence a third-party assessment or a DIBCAC review requires.
Walk into your CMMC assessment already able to prove it
Start a free trial or book a demo, and see how SimpleRisk keeps your Level 2 controls and evidence ready for the assessor.
Start a free trial