The Cybersecurity Maturity Model Certification has undergone significant evolution since its initial introduction, and CMMC 2.0 represents the framework that defense contractors must now navigate. For organizations in the Defense Industrial Base, understanding these changes is not optional — it is a contract requirement that will determine your ability to compete for and retain Department of Defense work.

The most significant structural change in CMMC 2.0 is the consolidation from five maturity levels down to three. Level 1 covers basic safeguarding of Federal Contract Information with 17 practices. Level 2 aligns directly with the 110 security requirements in NIST SP 800-171 and applies to organizations handling Controlled Unclassified Information. Level 3 addresses advanced persistent threats with requirements drawn from NIST SP 800-172.

For most defense contractors, Level 2 is the target. This is where the operational reality gets serious.

Self-assessment remains an option for certain Level 1 and some Level 2 contracts, but the higher-priority programs will require third-party assessment by a CMMC Third Party Assessment Organization (C3PAO). The distinction between self-assessment and third-party assessment eligibility is determined by the sensitivity of the CUI involved — a determination made by the contracting agency, not the contractor.

What this means practically: you cannot wait to find out which assessment type applies to you. Your security posture needs to be at the Level 2 standard regardless, because any contract modification or new solicitation could require the third-party assessment path.

The Plan of Action and Milestones (POA&M) process has been refined under CMMC 2.0. Organizations can now achieve conditional certification with certain requirements listed as POA&M items, provided they are closed within 180 days. However, there are critical requirements that cannot be placed on a POA&M — they must be fully implemented at the time of assessment. Understanding which requirements fall into each category is essential for planning your remediation timeline.

The System Security Plan (SSP) remains the foundational document for any assessment. Your SSP must accurately describe your environment, your system boundaries, your information flows, and how each of the 110 NIST SP 800-171 requirements is implemented. Assessors will compare what your SSP says against what they observe. Gaps between documentation and reality are findings.

Supply chain implications are significant. Prime contractors will increasingly flow CMMC requirements down to subcontractors. If you handle CUI as part of a larger defense program — even as a small IT provider or engineering subcontractor — you will need to demonstrate compliance at the level your prime requires.

Our approach at Merek starts with an honest gap analysis. We assess where you actually are against the 110 requirements — not where you think you are. From there, we develop a remediation roadmap with realistic timelines, build or refine your SSP, prepare your POA&M strategy, and conduct assessment readiness reviews so there are no surprises when the C3PAO arrives.

The organizations that will navigate CMMC 2.0 successfully are the ones that treat it as a security improvement program, not a paperwork exercise. The controls exist because the threats are real. When implementation is done right, compliance is a byproduct of genuine security — not the other way around.

If you are a defense contractor that has not yet begun your CMMC preparation, the window for comfortable timelines is closing. Start now.