What is CMMC 2.0?
CMMC — Cybersecurity Maturity Model Certification — is the DoD's framework for ensuring defense contractors adequately protect Controlled Unclassified Information (CUI). Version 2.0, finalized in late 2024, streamlines the original five-level model into three levels:
- Level 1 (Foundational): 17 basic safeguarding practices from FAR 52.204-21. Annual self-assessment.
- Level 2 (Advanced): All 110 practices from NIST SP 800-171. Third-party C3PAO assessment required for most DoD contracts.
- Level 3 (Expert): NIST SP 800-172 practices. Government-led assessment. Required for the most sensitive programs.
The vast majority of Ohio manufacturers in the defense supply chain fall into Level 2 — and that's where the heavy lifting is.
Who Needs CMMC Level 2?
If your company handles Controlled Unclassified Information (CUI) as a prime or subcontractor on DoD contracts, you need CMMC Level 2. This includes:
- Tier-1 and Tier-2 defense suppliers handling technical drawings, specifications, or design data
- Manufacturers producing components under export-controlled or ITAR programs
- Subcontractors whose scope includes access to CUI — even if they don't have a direct DoD contract
- IT service providers (like MSPs) who touch CUI environments
The 110 NIST 800-171 Controls: What They Cover
CMMC Level 2 maps directly to all 110 security requirements in NIST SP 800-171 Rev 2, organized across 14 domains:
- Access Control (22 requirements)
- Audit and Accountability (9 requirements)
- Awareness and Training (3 requirements)
- Configuration Management (9 requirements)
- Identification and Authentication (11 requirements)
- Incident Response (3 requirements)
- Maintenance (6 requirements)
- Media Protection (9 requirements)
- Personnel Security (2 requirements)
- Physical Protection (6 requirements)
- Risk Assessment (3 requirements)
- Security Assessment (4 requirements)
- System and Communications Protection (16 requirements)
- System and Information Integrity (7 requirements)
What Does a C3PAO Assessment Look Like?
A C3PAO (Certified Third-Party Assessment Organization) conducts the formal CMMC Level 2 assessment. The process typically involves:
- Documentation review: Your System Security Plan (SSP), policies, and evidence packages are reviewed against all 110 requirements
- Interview: Key personnel are interviewed about security practices and procedures
- Technical examination: Systems, configurations, and controls are tested
- Scoring: Each of the 110 requirements is scored MET or NOT MET
All 110 requirements must score MET for a Level 2 certification. POA&Ms (Plans of Action and Milestones) are allowed for a limited number of requirements in some circumstances, but the bar has tightened significantly.
Timeline: When Do You Need to Be Ready?
CMMC 2.0 is being phased into DoD contracts on a rolling basis. Key milestones:
- 2024: CMMC requirements began appearing in new DoD contracts as a phased rollout
- 2025: Significant expansion — many contracts now include CMMC Level 2 requirements
- 2026: Full implementation expected across DoD supply chain
Given that CMMC Level 2 preparation typically takes 6–18 months depending on your starting point, any Ohio manufacturer not already in progress is running behind. The earlier you begin, the more competitive advantage you can build.
FAQ: CMMC 2.0 for Ohio Manufacturers
CMMC 2.0 is a DoD requirement for defense contractors handling Controlled Unclassified Information (CUI). Level 2 requires all 110 NIST SP 800-171 controls and a third-party C3PAO assessment. It applies to prime contractors and all subcontractors who access CUI.
Most Ohio manufacturers need 6–18 months for CMMC Level 2 preparation, depending on their current security posture gap. Securafy recommends a gap assessment immediately to understand your starting point and timeline.
Yes. Securafy is qualified to help Ohio manufacturers implement all 110 NIST 800-171 controls, prepare your System Security Plan (SSP), and build your evidence package for C3PAO assessment. Our COMPLY-CARE tier includes CMMC readiness as a core deliverable.