
CMMC 2.0 Is No Longer a Future Problem. Here’s What Sacramento-Area Contractors Need to Do Right Now.

The Cybersecurity Maturity Model Certification has been in development since 2019. The program rule took effect in late 2024, and CMMC requirements began appearing in DoD contracts under a phased rollout in late 2025. In 2026 it is operational, and defense contractors who cannot demonstrate compliance are losing bids before they ever get to pricing.

CMMC 2.0 is not a new concept, but it is a new operational reality. For years, contractors treated it as a future requirement, something to prepare for eventually. The DoD’s phased rollout and the slow pace of rulemaking gave organizations room to delay. That room is gone. CMMC requirements are now appearing in DoD solicitations as a condition of contract award, not a future add-on. The contractors who have not prepared are finding this out the hard way. This post explains what CMMC 2.0 actually requires, who it applies to (it is broader than most contractors assume) and what Sacramento-area firms need to do right now if they want to stay on the bid list.


What CMMC 2.0 Actually Is

CMMC 2.0 defines three levels of cybersecurity maturity, each tied to a different class of DoD data. Level 1 covers Federal Contract Information (FCI): 15 basic safeguarding requirements taken from FAR 52.204-21, verified by an annual self-assessment. Level 2 covers Controlled Unclassified Information (CUI): the 110 requirements of NIST SP 800-171, verified by either a self-assessment or a C3PAO assessment depending on the contract. Level 3 covers the highest-priority CUI programs: a Level 2 certification plus 24 additional requirements drawn from NIST SP 800-172, assessed by the DoD's DIBCAC. Most construction contractors touching DoD work fall into Level 2. Level 2 was split from the start: some contracts allowed a self-assessment, while priority acquisitions required a C3PAO assessment. The share of contracts requiring a C3PAO assessment is expanding as the phased rollout progresses.

Aspect                  CMMC Level 1                    CMMC Level 2
Applicable data type    Federal Contract Information    Controlled Unclassified Information
Number of practices     15                              110
Assessment type         Annual self-assessment          Self-assessment or C3PAO third-party
                                                        assessment, as the contract specifies
Framework basis         FAR 52.204-21                   NIST SP 800-171 Rev 2
Documentation required  Basic compliance records        SSP + POA&M

Who It Applies To (and It Is Broader Than Most Contractors Assume)

Primary applicability is clear: DoD prime contractors handling CUI. But flow-down applicability is broader. Subcontractors who receive CUI from the prime (including MEP subs, structural engineers, and specialty contractors on federal projects) fall under CMMC scope. Not just defense manufacturing either. Federal facilities construction, military housing, and infrastructure on DoD installations all qualify. If your teaming agreement requires you to handle project documents marked CUI, CMMC applies to you whether or not you consider yourself a defense contractor.

CMMC does not ask whether you consider yourself a defense contractor. It asks whether you handle Controlled Unclassified Information on a DoD program.


What Level 2 Actually Requires

CMMC Level 2 specifies 110 security requirements across 14 domains (the NIST SP 800-171 Rev 2 families). You need a System Security Plan (SSP) documenting your entire CUI environment: what systems exist, what CUI they process, and what controls are in place. You need a Plan of Action and Milestones (POA&M) for any gaps. Not every requirement has to be fully implemented before assessment, but each open deficiency must be documented with a remediation timeline, and the final rule limits what a POA&M can carry: only low-weight requirements may remain open, the overall score must still clear the 80 percent threshold, and open items must be closed within 180 days of a conditional certification. For C3PAO-assessed contracts, a CMMC Third-Party Assessment Organization authorized by the Cyber AB conducts the formal assessment.

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

Where Sacramento-Area Contractors Are Falling Short

The gap between "we have the controls" and "we can prove we have the controls" is where most firms fail assessment. CMMC assessors are not just checking whether your antivirus is running. They are asking to see your access control policy, your audit log configuration, your incident response plan, and evidence that these have been reviewed and tested. Documentation and evidence are as important as the technical controls themselves. Most contractors who have implemented controls informally (without written policies, without logging, without tested procedures) are not ready for assessment even if their technical posture is reasonable.

Common gaps include audit logging not configured on all systems, no documented incident response plan or one that has not been reviewed in years, configuration management done informally without a baseline, access control implemented inconsistently across systems, and MFA not enforced on all remote access paths.


The Assessment Process and Timeline

Step 1 is scoping: determine which systems process, store, or transmit CUI. This is harder than it sounds. Email, file shares, project management platforms, and collaboration tools all need to be evaluated.
Step 2 is SSP development: document the environment and your current control implementation.
Step 3 is gap assessment: score yourself against all 110 requirements and identify deficiencies.
Step 4 is remediation: implement missing controls, build the documentation, and test the procedures.
Step 5 is the C3PAO assessment, where the contract requires one: a formal third-party assessment.
Most organizations underestimate the timeline. A firm starting from scratch with reasonable existing security can realistically expect 6-12 months to reach assessment-ready status.
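Step 3 (gap assessment) produces a number, and that number decides whether the gaps found in step 4 can sit on a POA&M at all. The following is an added example, not code from the original post or from any assessor. It scores a self-assessment the way the NIST SP 800-171 DoD Assessment Methodology does (start at 110, subtract 5, 3, or 1 points per unimplemented requirement, partial credit only for 3.5.3 MFA and 3.13.11 FIPS cryptography) and then applies the CMMC Level 2 POA&M limits as this example reads 32 CFR 170.21 (score of at least 88, only 1-point items left open, 3.13.11 allowed at 3 points, five named requirements never allowed). Verify those limits against the current rule text before relying on them. The WEIGHTS table and the SAMPLE assessment are constructed subsets for illustration; the official annex covers all 110 requirements, and requirements absent from WEIGHTS are treated as implemented.

```python
"""Score a NIST SP 800-171 self-assessment and check CMMC Level 2 POA&M eligibility.

Added example, not the original post's code. Assumptions are noted inline:
the scoring rules follow the DoD Assessment Methodology; the POA&M limits are
this example's reading of 32 CFR 170.21 and should be verified against the rule.
"""

# Constructed subset of the official weight table: requirement id -> points.
# Requirements not listed here are treated as implemented (illustration only).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.12": 5,   # monitor and control remote access sessions
    "3.1.20": 1,   # verify and control connections to external systems
    "3.3.1": 5,    # create and retain system audit logs
    "3.4.1": 5,    # establish and maintain baseline configurations
    "3.5.3": 5,    # multifactor authentication (partial credit possible)
    "3.6.1": 5,    # operational incident-handling capability
    "3.10.4": 1,   # maintain audit logs of physical access
    "3.13.11": 5,  # FIPS-validated cryptography for CUI (partial credit possible)
}
TOTAL_POINTS = 110        # every assessment starts at 110
MIN_SCORE_FOR_POAM = 88   # 0.8 * 110: below this, no conditional certification
POAM_CLOSURE_DAYS = 180   # window to close a POA&M after conditional certification
# Named requirements the rule never allows on a POA&M (this example's reading of 170.21).
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED = "implemented", "partial", "not_implemented"


def points_lost(req, status):
    """Deduction for one requirement under the DoD Assessment Methodology."""
    if status == IMPLEMENTED:
        return 0
    if status == NOT_IMPLEMENTED:
        return WEIGHTS[req]
    if status == PARTIAL and req == "3.5.3":
        # MFA enforced for remote access and privileged accounts but not for
        # every general user: lose 3 points instead of 5.
        return 3
    if status == PARTIAL and req == "3.13.11":
        # CUI is encrypted, but not with FIPS-validated modules: 3 instead of 5.
        return 3
    raise ValueError(f"{req}: status {status!r} is not valid for this requirement")


def sprs_score(assessment):
    """assessment maps requirement id -> status for every id in WEIGHTS.
    Returns the score that would be reported to SPRS (it can go negative)."""
    missing = set(WEIGHTS) - set(assessment)
    if missing:
        raise ValueError(f"unscored requirements: {sorted(missing)}")
    return TOTAL_POINTS - sum(points_lost(r, s) for r, s in assessment.items())


def poam_blockers(assessment):
    """Open items that may NOT be carried on a POA&M at certification time:
    anything still worth more than 1 point (except 3.13.11 at 3) and the named set."""
    blockers = []
    for req, status in assessment.items():
        lost = points_lost(req, status)
        if lost == 0:
            continue
        if req in NEVER_ON_POAM:
            blockers.append(req)
        elif lost > 1 and not (req == "3.13.11" and lost == 3):
            blockers.append(req)
    return sorted(blockers)


def poam_eligible(assessment):
    """True only if the score clears the threshold and nothing open is a blocker."""
    return sprs_score(assessment) >= MIN_SCORE_FOR_POAM and not poam_blockers(assessment)


# Constructed sample: a firm with the gaps the post lists (audit logging off on
# some systems, no tested IR plan, MFA only on the VPN and admin accounts,
# no configuration baseline, non-FIPS encryption on the file server).
SAMPLE = {
    "3.1.1": IMPLEMENTED,
    "3.1.12": IMPLEMENTED,
    "3.1.20": IMPLEMENTED,
    "3.3.1": NOT_IMPLEMENTED,
    "3.4.1": NOT_IMPLEMENTED,
    "3.5.3": PARTIAL,
    "3.6.1": NOT_IMPLEMENTED,
    "3.10.4": IMPLEMENTED,
    "3.13.11": PARTIAL,
}

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE))
    print("POA&M blockers:", poam_blockers(SAMPLE))
    print("conditional certification possible:", poam_eligible(SAMPLE))
```

The sample firm scores 89, which clears the 88 threshold, yet it still cannot be conditionally certified: missing audit logging, baselines and incident handling are 5-point items, and MFA that stops at the VPN and the admins still costs 3 points, so none of those may sit on a POA&M. Only the non-FIPS encryption gap could be deferred. That is why the MFA and logging gaps in the previous section are the ones to close first.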


What Sacramento-Area Contractors Need to Do This Quarter

If you have active DoD contracts or are pursuing them, start by determining whether those contracts involve CUI. Review your contract language and any teaming agreements for CUI flow-down requirements. If CUI is involved, you need a scope determination and gap assessment before you can know what remediation looks like for your environment. That assessment is the starting point, not a checklist you can download. The contractors who are in the best position right now are the ones who started this work 18 months ago. The contractors who start now are in a better position than those who wait until the next bid requires it.

Start With a CMMC Readiness Assessment

Before you can know what remediation looks like, you need to know where you stand. We conduct CMMC gap assessments for Sacramento-area contractors and can tell you exactly what the path to compliance looks like for your environment.
