CMMC Compliance Is Here. Are You Ready?
As of November 10, 2025, CMMC requirements are appearing in DoD solicitations and contracts. The final DFARS rule (48 CFR) is in full effect.
Blue Mantle Technology guides DoD contractors through every step of CMMC certification — from gap analysis to audit readiness. As a small business navigating CMMC ourselves, we understand the burden and know how to make compliance achievable.
Understanding CMMC
What Is the Cybersecurity Maturity Model Certification?
CMMC is the Department of Defense's unified standard for protecting sensitive information across the entire defense supply chain.
Protecting National Security
The U.S. loses hundreds of billions annually to data exfiltration and intellectual property theft from the Defense Industrial Base. CMMC exists to protect two categories of sensitive data: Federal Contract Information (FCI), the basic contract-related data exchanged under a federal contract; and Controlled Unclassified Information (CUI), the technical data, engineering drawings, and other sensitive but unclassified information critical to national defense.
From Self-Attestation to Third-Party Audit
Under the previous NIST 800-171 framework, contractors self-attested their compliance — and many fell short. CMMC changes the game by requiring independent third-party assessments conducted by certified C3PAOs (CMMC Third Party Assessment Organizations). This shift from trust to verification ensures that the companies protecting our national security data actually meet the required standards.
A Maturity Framework, Not Just a Checklist
CMMC 2.0 defines three levels of cybersecurity maturity, each building on the last. It measures not just whether security controls are in place, but whether your organization has institutionalized cybersecurity practices and processes. The DoD wants to see its industry partners grow and mature their security posture over time — not just check boxes.
Who Needs CMMC?
Every company in the Defense Industrial Base (DIB) that processes, stores, or transmits FCI or CUI on DoD contracts will need CMMC certification. This includes prime contractors and subcontractors at every tier. The required level will be specified in each Request for Proposal (RFP) and will be a go/no-go decision — no certification, no contract.
CMMC 2.0 Framework
Three Levels of Cybersecurity Maturity
CMMC 2.0 streamlined the original five levels into three, each aligned with the sensitivity of the data you handle.
Level 2 — Advanced
The majority of DoD contractors handling CUI — including engineering firms, IT service providers, manufacturers, and logistics companies working with technical data, export-controlled information, or other sensitive unclassified data.
Data Protected: Controlled Unclassified Information (CUI)
Practices Required: 110 controls (NIST SP 800-171 Rev 2)
Assessment Type: C3PAO assessment (or self-assessment for select contracts)
Key Requirements
Aligned with all 110 controls of NIST SP 800-171 Rev 2
Requires a System Security Plan (SSP) and POA&Ms
Most contracts handling CUI will require a C3PAO assessment
Select programs may allow self-assessment (rare)
Triennial certification with annual affirmation
This is the level most DIB contractors will need
Key Milestones
The Road to CMMC Compliance
Five years in the making, CMMC is now federal regulation. Here's how we got here — and what's coming next.
January 2020
CMMC v1.0 Released
The Department of Defense publishes the first version of the Cybersecurity Maturity Model Certification, establishing five maturity levels with 171 practices.
November 2021
CMMC 2.0 Announced
DoD streamlines the framework from five levels to three, aligning more closely with existing NIST standards and reducing the compliance burden on small businesses.
December 2023
Proposed Rule Published
The proposed CMMC rule (32 CFR Part 170) is published in the Federal Register, opening a 60-day public comment period that generates thousands of responses.
October 2024
Final Rule — 32 CFR Part 170
The CMMC final rule is published, establishing the program requirements, assessment processes, and the three-level framework as federal regulation.
September 2025
DFARS Clause Published (48 CFR)
The Defense Federal Acquisition Regulation Supplement is published in the Federal Register, amending 48 CFR Parts 204, 212, 217, and 252 to include CMMC requirements in contracts.
November 10, 2025
CMMC Requirements in Effect
The DFARS rule becomes effective. CMMC level requirements begin appearing in DoD solicitations and contracts. Contractors must hold the appropriate certification level to be eligible for award.
2025 – 2028
Phased Implementation
CMMC requirements roll out across DoD acquisitions in phases. Phase 1 allows self-assessments for Level 1 and some Level 2 contracts. Subsequent phases expand third-party and government-led assessment requirements.
Self-Assessment
Do I Need CMMC Certification?
Ask yourself these questions. If you answer “yes” to any of them, CMMC compliance is in your future.
Do you have current or planned DoD contracts?
Any company bidding on or performing DoD contracts will need CMMC certification at the level specified in the solicitation.
Do you handle CUI or FCI?
If you process, store, or transmit Controlled Unclassified Information or Federal Contract Information, CMMC applies to you.
Do your contracts include DFARS 252.204-7012?
This DFARS clause requires safeguarding of covered defense information and cyber incident reporting — a strong indicator you need Level 2.
Are you a subcontractor to a DoD prime?
CMMC flows down to all tiers of the supply chain. Subcontractors handling CUI must achieve the same level as the prime contractor.
Do you plan to bid on future DoD work?
Starting now is critical. Certification can take 12–18 months, and without it you won't be eligible for contract award.
Have you only self-attested under NIST 800-171?
Self-attestation is no longer sufficient for most CUI-handling contracts. CMMC Level 2 requires independent third-party assessment by a C3PAO.
If you answered “yes” to any of these questions — you need CMMC.
The good news? We can help you get there. Start with a free, no-obligation gap assessment.
Our Approach
From Gap Analysis to Certification
A proven, step-by-step process that takes the confusion out of CMMC and puts you on the fastest path to certification.
Free Gap Assessment
Our CMMC experts sit down with you for a complimentary 1-hour preliminary gap assessment and consultation. We evaluate your current security posture against the CMMC requirements relevant to your contracts — no obligation, no pressure.
Roadmap & Remediation Plan
Based on the gap assessment, we build a prioritized remediation roadmap with realistic timelines and cost estimates. We help you understand exactly what needs to happen, in what order, and how much it will cost — so there are no surprises.
Implementation Support
We work alongside your team to close the gaps. From writing your System Security Plan (SSP) to configuring technical controls, we handle the heavy lifting so your team can stay focused on winning work.
Mock Assessment
Before the real assessment, we put you through a full mock audit that mirrors the C3PAO process. This identifies any remaining weaknesses and builds your team's confidence for the actual certification assessment.
Certification Support
When you're ready, we help you select a C3PAO and support you through the formal assessment. We remain by your side to answer questions, provide documentation, and ensure the process runs smoothly from start to finish.
Why Blue Mantle
Your Partner Through Every Step
We don't just consult — we partner with you. Here's what makes Blue Mantle different.
RPO Registered
Blue Mantle is officially registered with the CMMC Accreditation Body as a Registered Practitioner Organization — your assurance that our team meets the highest professional standards.
We Walk the Walk
As a small DoD contractor ourselves, BMT must comply with CMMC. We understand the burden first-hand — the cost, the complexity, and the anxiety. We build solutions we'd use ourselves.
No Conflicts of Interest
We don't sell security products and then audit your implementation of them. Our guidance is vendor-neutral, so the solutions we recommend are driven by your needs — not our bottom line.
15+ Years Federal Experience
Our team brings deep institutional knowledge of FAR, FISMA, NIST, and DFARS. We've supported hundreds of security assessments across DoD, civilian agencies, and Fortune 500 enterprises.
100% Audit Pass Rate
Every client we've prepared for a CMMC, NIST 800-171, or RMF assessment has passed. Our thorough preparation process and mock assessments ensure there are no surprises on audit day.
Cost-Effective for Small Business
We know you're investing in compliance on top of running a business. Our solutions are right-sized and budget-conscious — efficient enough for small businesses without cutting corners.
Regulatory Landscape
Key Frameworks & Standards
CMMC doesn't exist in isolation. It builds on — and formalizes — existing federal cybersecurity standards.
NIST Special Publication 800-171 Rev 2
The foundation of CMMC Level 2. Contains 110 security requirements for protecting CUI in nonfederal systems. If you're handling CUI on DoD contracts, this is the standard you must meet.
CMMC Mapping: Level 2 — All 110 controls
NIST Special Publication 800-172
Enhanced security requirements designed to protect CUI against Advanced Persistent Threats (APTs). A subset of these controls forms the basis for CMMC Level 3 — the highest tier.
CMMC Mapping: Level 3 — 24 selected enhanced controls
DFARS 252.204-7012: Safeguarding Covered Defense Information
The DFARS clause that requires contractors to implement NIST 800-171, report cyber incidents within 72 hours, and provide the DoD with access for forensic analysis. Predates CMMC but remains in effect.
CMMC Mapping: Prerequisite — Applies to all CUI contracts
Basic Safeguarding of Covered Contractor Information Systems
The Federal Acquisition Regulation clause defining 15 basic safeguarding requirements for FCI. These controls form the core of CMMC Level 1 — the minimum bar for any DoD contractor.
CMMC Mapping: Level 1 — 17 practices (15 FAR controls + 2 additional)
Frequently Asked Questions
Everything You Need to Know
Answers to the questions we hear most from defense contractors navigating CMMC compliance.
Stop worrying about compliance. Start winning contracts.
Our experts deliver a focused 1-hour readiness assessment that clarifies where you stand and what it takes to certify.