
CMMC 2.0 | Cybersecurity Maturity Model Certification

CMMC 2.0 is the binding cybersecurity framework of the US Department of Defense. Every company in the DoD supply chain, including German and European suppliers, must prove compliance with defined security controls. Without the certification level required by the contract, US defense contracts carrying DFARS clause 252.204-7021 can no longer be won once the phased rollout applies, which this page dates from 2026 onward. ISEC7 has supported defense suppliers on this path for years, with ready-to-use IT solution modules, readiness assessment and audit preparation across all three levels.

At a glance

  • 3 levels: Level 1 (Foundational, the 15 basic safeguarding requirements of FAR 52.204-21), Level 2 (Advanced, the 110 NIST SP 800-171 requirements), Level 3 (Expert, Level 2 plus selected NIST SP 800-172 requirements).
  • FCI vs. CUI: Level 1 protects Federal Contract Information, Level 2 and 3 protect Controlled Unclassified Information.
  • Assessment by an accredited C3PAO from Level 2 onward for most CUI contracts; Level 3 is assessed by the DoD itself (DIBCAC). Level 1 and a subset of Level 2 contracts are covered by annual self-assessment.
  • Rollout phased from 2026 through DFARS clauses in new DoD contracts.
  • Typical Level 2 project duration: 6 to 12 months for scoping, gap closure, documentation and audit.

Why CMMC?

CMMC compliance is a hard contractual requirement: without it, US defense contracts are out of reach. Because the requirement flows down through the entire supply chain, subcontractors and suppliers in DACH and the EU are directly affected. The required controls protect sensitive defense data (CUI and FCI) from industrial espionage by closing critical gaps in access control, encryption, monitoring and incident response. Companies that achieve compliance secure market access in one of the largest defense markets in the world and position themselves as a credible global partner.


The three CMMC levels

The CMMC 2.0 model has three levels, each tied to the sensitivity of the data being handled. Each level builds on the previous one and adds further security controls. Which level applies to your company depends directly on your DoD contract and the type of data you process.

CMMC L1 | Foundational

CMMC Level 1 protects Federal Contract Information (FCI). It requires the 15 basic safeguarding requirements of FAR 52.204-21 (counted as 17 practices in earlier CMMC versions), including access control, identification and authentication, and media protection. Proof is by annual self-assessment with an affirmation by a company official, and can be achieved within a few weeks if basic cyber hygiene is already in place.

CMMC L2 | Advanced

CMMC Level 2 applies to companies that process Controlled Unclassified Information (CUI). It requires the 110 security requirements of NIST SP 800-171 in 14 families. For most CUI contracts, a certification assessment by an accredited C3PAO is mandatory (valid for three years, with annual affirmations); for the remaining Level 2 contracts, an annual self-assessment with affirmation is sufficient.

CMMC L3 | Expert

CMMC Level 3 is for companies that manage CUI in highly critical defense programs. It adds selected requirements from NIST SP 800-172 on top of Level 2 and targets defense against Advanced Persistent Threats (APTs). A Level 2 certification by a C3PAO is a prerequisite; the Level 3 assessment itself is performed by a government body (the DoD's DIBCAC), not by a C3PAO.


Your path to CMMC

ISEC7 guides defense suppliers through the structured build-out of a CMMC-compliant infrastructure. We combine experience from our own ISEC7 certification with customer projects in DACH, the EU and the US. The work follows a clear phase model in which the security controls sit at the center, with documentation, tooling and staff training running in parallel.

PHASE 1

Preparation and readiness assessment

First we define the scope: where in your organization FCI or CUI is stored, processed or transmitted, and which systems, people and service providers therefore fall within the assessment boundary. A gap analysis against the controls of the target level follows, for example the 110 requirements of Level 2 in 14 families such as access control, configuration management and system and information integrity. The output is a prioritized action plan with effort estimates.

PHASE 2

Closing the gaps

Identified gaps are systematically closed with ready-to-use IT solution modules that cover up to 90 % of the technical controls in our customer projects. Implemented controls are documented in a System Security Plan (SSP), and any requirement still open is tracked in a Plan of Action and Milestones (POA&M); both are mandatory inputs for the C3PAO assessment. Note that CMMC permits POA&M items only for a limited set of lower-weighted requirements, and open items must be closed within 180 days for a conditional certification to become final.

PHASE 3

Institutionalization and test run

Controls must not exist only on paper. In this phase the new security policies become part of day-to-day operations, employees are trained, and processes are validated through internal test audits. We simulate the C3PAO assessment day, including interview questions and evidence collection, so you go into the official assessment without surprises.

PHASE 4

Certification and continuous monitoring

The final step is the official assessment: by an accredited C3PAO for Level 2, by the DIBCAC for Level 3, or the formal self-assessment and affirmation for Level 1. After successful certification, our managed services take over continuous monitoring, because CMMC requires re-certification every three years with annual affirmations in between, and any lapse in a control must be detected before the next assessor finds it. Your cybersecurity maturity stays measurable.

Frequently asked questions about CMMC 2.0

What is CMMC 2.0 and who needs it?

CMMC 2.0 (Cybersecurity Maturity Model Certification) is the cybersecurity framework of the US Department of Defense. Every partner in the DoD supply chain must prove compliance with defined security controls. Any company that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) for a US defense contract, directly or as a subcontractor, must achieve CMMC certification at the level specified in the contract.

What is the difference between FCI and CUI?

Federal Contract Information (FCI) is non-public information provided by or generated for the US government under a contract. Controlled Unclassified Information (CUI) is more sensitive and covers information that requires safeguarding under specific laws, regulations or government-wide policies. CMMC Level 1 protects FCI; Levels 2 and 3 protect CUI.

How long does CMMC certification typically take?

Timelines vary with the target level and the organization's starting maturity. Level 1 self-assessments can be achieved within a few weeks if basic cyber hygiene is in place. Level 2 typically takes six to twelve months, covering scoping, gap closure, documentation (POAM, SSP) and the third-party audit. Level 3 engagements run longer because of the additional NIST SP 800-172 controls.

What is a C3PAO and when is it required?

A C3PAO (CMMC Third Party Assessment Organization) is an accredited body that performs the formal CMMC Level 2 certification assessment. A C3PAO assessment is required for Level 2 on most CUI contracts and is a prerequisite for Level 3, whose own assessment is performed by the DIBCAC. Level 1 and a subset of Level 2 contracts allow a formal self-assessment instead.

How does ISEC7 help with CMMC compliance?

ISEC7 supports defense-industry customers along the full CMMC journey: readiness assessment and scoping, gap analysis against the relevant controls, ready-to-use IT solution modules that cover up to 90 % of the technical controls, documentation support for POAM and SSP, audit preparation with C3PAO partners, and continuous monitoring after certification. See the ISEC7 CyberRisk Check as an entry point for a structured security assessment, our NIS2 Compliance Services for EU-side obligations, and our ISEC7 Managed Mobility Services for ongoing operations.


Secure CMMC infrastructures

Implement CMMC compliance now, with ISEC7 expertise drawn from our own certification and defense customer projects across DACH, the EU and the US.

  • Ready-made CMMC modules & monitoring
  • Solution components for up to 90% compliance
  • CMMC from the FedRAMP cloud