
CMMC 2.0 Assessment & Remediation for DoD Contractors

Level 2 third-party (C3PAO) assessments are required for most DoD contractors that handle Controlled Unclassified Information (CUI). If you're in the defense industrial base, CMMC 2.0 compliance isn't optional; it's a contract requirement.

Tags: 110 Controls · NIST SP 800-171 · Level 2 · C3PAO Audit

The clock is running.

Phase 1 (self-assessments for Level 1, and for the subset of Level 2 contracts that allow self-assessment) is already in effect. Phase 2 brings third-party assessments for Level 2, the level required for most DoD contracts involving CUI. If you haven't started preparation, you're behind.

Nov 2026: Phase 2 enforcement
110: Security controls
Level 2: Third-party assessment required
3: Phase approach

Assess. Remediate. Certify.

We don't hand you a gap assessment and wish you luck. We assess your current posture, remediate the gaps with you, and prepare you for the C3PAO audit. One engagement, three phases, and no handoff gaps between them.

Phase 01 — Assess

Gap Assessment

Map your current security posture against all 110 NIST SP 800-171 Rev 2 security requirements. Identify gaps and prioritize them by risk and remediation effort. Produce a Plan of Action and Milestones (POA&M) with realistic timelines for each open item.

Phase 02 — Remediate

Close the Gaps

Forward Deployed Engineers embed in your team to implement controls. Policy development, technical hardening, access management, incident response procedures, encryption, monitoring — the actual work.

Phase 03 — Certify

C3PAO Audit Prep

Evidence packaging, documentation review, mock assessments, staff preparation. When the C3PAO assessor arrives, your team is ready — not scrambling. We stay through the audit cycle.

What Level 2 actually requires.

Level 2 maps to the 110 security requirements of NIST SP 800-171 Rev 2. These span 14 control families covering every aspect of how you handle CUI; six of the families most contractors struggle with are summarized below.

Access Control

Limit system access to authorized users. Role-based access, remote access policies, wireless restrictions, mobile device management.

Audit & Accountability

Create, protect, and retain audit logs. Monitor and analyze events. Alert on audit logging failures. Ensure every action on a system that stores or processes CUI can be traced to the individual user who performed it.

Configuration Management

Baseline configurations. Change control. Least functionality. Software restrictions. Security impact analysis before changes.

Incident Response

Incident handling capability: detection, analysis, containment, recovery. Report cyber incidents affecting CUI to DoD within 72 hours of discovery (the DFARS 252.204-7012 rapid-reporting requirement). Track incidents to closure and test the response plan.

System & Communications Protection

Boundary protection and network segmentation. Encrypt CUI in transit and protect its confidentiality at rest. Route remote access through managed access control points. Use FIPS-validated cryptography wherever encryption is relied on to protect CUI.

Risk Assessment

Periodic risk assessments. Vulnerability scanning of systems and applications, with scans repeated when new vulnerabilities are identified. Remediation of findings in accordance with the assessed risk. Risk-based prioritization of security investments.


November 2026 is closer than you think.

Start your gap assessment now. The remediation timeline is measured in months, not weeks, and C3PAO scheduling adds lead time on top of that. The organizations starting today will be certified on time.
