CMMC 2.0 — Win DoD Contracts with Confidence

CMMC certification is mandatory for Defense Industrial Base contractors handling Controlled Unclassified Information (CUI). Our platform maps all 124 practices across 14 domains and 3 maturity levels.

Who needs it: Defense Industrial Base (DIB) contractors handling CUI who need DoD contracts.

  • 3 Maturity Levels
  • 110 Level 2 Practices
  • 300K+ DIB Companies Affected
  • 8-16 Weeks to Assessment-Ready

The framework

What is CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense's framework for ensuring that Defense Industrial Base (DIB) contractors adequately protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). CMMC 2.0 streamlined the original 5-level model to 3 levels: Level 1 (Foundational, 17 practices), Level 2 (Advanced, 110 practices aligned to NIST SP 800-171), and Level 3 (Expert, 134+ practices aligned to NIST SP 800-172).

Starting in 2025, CMMC certification is being phased into DoD contracts. Without certification at the appropriate level, contractors cannot bid on or maintain DoD contracts. For the 300,000+ companies in the Defense Industrial Base, CMMC compliance is not optional — it is a business survival requirement.

The requirements

What you'll need to satisfy.

The core categories CMMC 2.0 auditors evaluate — and what we ship to cover each one.

Level 1 — Foundational (17 Practices)

  • Access control basics
  • Identification and authentication
  • Media protection
  • Physical protection
  • System and communications protection
  • System and information integrity

Level 2 — Advanced (110 Practices)

  • All Level 1 practices plus NIST SP 800-171 requirements
  • Audit and accountability
  • Awareness and training
  • Configuration management
  • Incident response
  • Maintenance
  • Personnel security
  • Risk assessment
  • Security assessment

Level 3 — Expert (134+ Practices)

  • All Level 2 practices plus NIST SP 800-172 requirements
  • Advanced persistent threat protections
  • Enhanced security requirements
  • Supply chain risk management

Assessment Requirements

  • Level 1: Annual self-assessment
  • Level 2: Triennial third-party assessment (C3PAO)
  • Level 3: Government-led assessment
  • SPRS score submission and maintenance
  • POA&M management for incomplete practices

Before → After

The problem we solve.

Why teams pick Compliance Enablers for CMMC 2.0 compliance.

Common challenges

  • No CMMC certification = no DoD contracts
  • 124 practices across 14 domains is overwhelming
  • SPRS score calculation requires precise documentation

What we provide

  • All 124 practices across 14 domains and 3 maturity levels mapped
  • Level 1 (17 practices), Level 2 (110 practices), Level 3 support
  • SPRS score calculation and tracking
  • System Security Plan (SSP) generation
  • POA&M tracking with remediation workflows
  • Cross-mapping to NIST 800-171 and NIST 800-53

Your journey

From kickoff to audit-ready.

Step-by-step, exactly how we'll get you there.

1. Level Determination

Determine your required CMMC level based on the type of information you handle (FCI vs. CUI) and contract requirements. Guided assessment with clear recommendations.

2. SPRS Scoring

Calculate your current SPRS score against NIST 800-171 requirements. Identify exactly which practices are missing and their point impact.

3. SSP Generation

Auto-generate your System Security Plan documenting how each practice is implemented. Version-controlled and assessment-ready.

4. Practice Implementation

Implement missing practices using our template library. Each practice maps to specific evidence requirements and testing procedures.

5. POA&M Management

Track Plans of Action and Milestones for practices not yet fully implemented. Automated milestone tracking and remediation workflows.

6. Assessment Preparation

Organize evidence packages for C3PAO assessment. Practice-by-practice evidence mapping with completeness scoring.

Time to value: 8-16 weeks to assessment-ready

CMMC is the price of entry for DoD contracts worth millions. No certification = no revenue.

How we're different

General GRC platforms offer basic NIST 800-171 mapping but miss CMMC-specific requirements: SPRS scoring, SSP generation, C3PAO assessment preparation, and POA&M lifecycle management. Compliance Enablers is purpose-built for the defense industrial base with full CMMC 2.0 support across all three levels.

Powered by

Key modules for CMMC 2.0.

Everything these modules ship, included in every tier.

  • Compliance & Standards
  • Controls Library
  • Evidence Collection
  • Document Management
  • Implementation

14-day free trial · no card required

Get CMMC 2.0 audit-ready.

8-16 weeks to assessment-ready. 513 pre-generated policies. 50+ evidence collectors. Everything you need to pass CMMC 2.0, out of the box.