As of April 2026, the Department of Defense is actively including DFARS clause 252.204-7021, the Cybersecurity Maturity Model Certification (CMMC) requirement, in new solicitations and contract awards involving Controlled Unclassified Information (CUI). The final CMMC program rule (32 CFR Part 170) took effect December 16, 2024, and the companion DFARS rule that puts the clause into contracts took effect November 10, 2025, starting DoD's phased rollout. Level 2 requirements are now appearing in contracts across all military departments, per DoD's CMMC program office.
What Level 2 requires
CMMC Level 2 maps to the 110 security requirements in NIST SP 800-171. The solicitation states which Level 2 variant applies: a self-assessment or a certification assessment by a CMMC Third Party Assessment Organization (C3PAO). Contractors handling CUI on DoD programs must:
- Complete the assessment the contract calls for, which for the certification variant means a third-party assessment by a C3PAO
- Achieve a passing score: 110/110, or a conditional status backed by a Plan of Action and Milestones (POA&M) that stays within the rule's limits (a minimum score of 88, only lower-weighted practices deferred, and the POA&M closed out within 180 days)
- Record the results in the Supplier Performance Risk System (SPRS); C3PAO results reach SPRS through the CMMC instantiation of eMASS
- Renew certification every three years and have a senior official affirm continuing compliance annually
What's catching firms off-guard
The most common gap contractors are discovering mid-assessment:
- Multi-factor authentication: NIST SP 800-171 3.5.3 requires MFA for local and network access to privileged accounts and for network access to non-privileged accounts on systems that handle CUI; many firms still have single-factor VPN or email access
- System Security Plan quality: Assessors are rejecting vague or boilerplate SSPs; each control must be documented with specific implementation details (which systems, which settings, who is responsible)
- Enclave boundaries: Firms that process CUI on shared networks (mixed CUI/non-CUI) face the most remediation work
Action items
- If your SPRS score is below 110 and you have a current DoD contract, consult with your Contracting Officer about your POA&M timeline before the next option exercise
- Confirm your C3PAO is listed on the Cyber AB marketplace; results from unauthorized assessors are not accepted
- Level 1 (15 practices drawn from FAR 52.204-21, annual self-assessment with affirmation) applies to contracts with only Federal Contract Information; know which level applies to each of your contracts