CMMC 2.0 (Cybersecurity Maturity Model Certification) establishes cybersecurity practice requirements for organizations in the Defense Industrial Base (DIB) — any organization that handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) under a DoD contract. Illinois has a significant defense industrial base: manufacturers, aerospace suppliers, technology firms, research institutions, and service companies throughout the Chicago metro and downstate who hold or seek DoD contracts. For those organizations, CMMC is not a future concern — it is a current requirement that affects contract eligibility.
The Three CMMC 2.0 Levels
CMMC 2.0 simplified the original five-tier model into three levels:
Level 1 — Foundational
- 17 practices derived from FAR 52.204-21
- Annual self-assessment allowed
- Applies to organizations handling FCI but not CUI
- The 17 practices are basic cyber hygiene: asset inventory, access control basics, patch management, malware protection, configuration management basics

Level 2 — Advanced
- 110 practices aligned to NIST SP 800-171
- Third-party assessment by a CMMC Third Party Assessment Organization (C3PAO) required for most contractors (self-assessment allowed for a limited subset of contracts)
- Applies to organizations handling CUI
- This is where the majority of DIB contractors fall

Level 3 — Expert
- Based on NIST SP 800-172 practices (more stringent than Level 2)
- Government-led assessment required
- Reserved for highest-priority programs and most sensitive CUI
For most Illinois defense contractors, Level 2 is the relevant target.
How to Determine Which Level Applies
The applicable level is determined by your contract — specifically, by whether your contract involves FCI, CUI, or neither:
- FCI (Federal Contract Information) — Information provided by or generated for the Government under a contract to develop or deliver a product or service. If you handle FCI, Level 1 is the minimum.
- CUI (Controlled Unclassified Information) — Information the Government creates or possesses that requires safeguarding under law, regulation, or Government-wide policy. Technical drawings, design specifications, export-controlled data, and many categories of government-generated information qualify as CUI. If you handle CUI, Level 2 is the minimum.
If you are a prime contractor with a DoD contract, your contract likely already specifies the applicable DFARS clauses (DFARS 252.204-7012 for CUI; DFARS 252.204-7021 for CMMC certification requirements). If you are a subcontractor, your prime contractor will flow down the applicable requirements.
If you are unsure whether CUI flows to your organization, that uncertainty needs to be resolved — not assumed in your favor.
The System Security Plan and Plan of Action and Milestones
Level 2 CMMC compliance requires two primary documentation deliverables:
System Security Plan (SSP) — A comprehensive document describing your information system, the boundaries of the CUI environment, and how your organization implements each of the 110 NIST SP 800-171 practices. The SSP is the core documentation artifact for CMMC Level 2. A C3PAO assessment evaluates whether your actual practices match what your SSP describes.
Plan of Action and Milestones (POA&M) — Documentation of any practices that are not yet fully implemented, with timelines and milestones for completion. A POA&M is not an excuse for non-compliance; it is documentation of a realistic path to full implementation. The acceptability of a POA&M in an assessment context depends on the nature and severity of the gaps.
Producing an accurate, credible SSP requires a thorough understanding of your IT environment, your data flows, and how each of the 110 NIST SP 800-171 practices applies to your specific situation. This is not a paperwork exercise; it is a written record of your actual security posture. Your SSP has to accurately describe what you actually do, not what you wish you did.
The C3PAO Assessment Process and Timeline
For Level 2 contractors requiring a third-party assessment (as opposed to self-assessment), the assessment is conducted by a CMMC Third Party Assessment Organization (C3PAO) certified by the Cyber AB (the CMMC Accreditation Body).
The assessment process:
1. Readiness assessment (often conducted by a Registered Practitioner Organization like SecureNext before the formal C3PAO engagement) — Evaluates current posture against all 110 practices and identifies gaps.
2. Remediation — Addressing the gaps identified in the readiness assessment.
3. C3PAO Assessment — The formal assessment conducted by an accredited C3PAO. This is not a documentation review; assessors will verify that controls are actually in place.
4. CMMC Certification — If the assessment demonstrates compliance, the certification is issued and recorded in the Supplier Performance Risk System (SPRS).
The timeline from "we need to get started" to "we have CMMC certification" typically ranges from 6 to 18 months, depending on the size of the organization, the current security posture, and the complexity of the environment. Organizations that wait until a contract requires certification before beginning preparation will face timeline pressure.
Common Gaps in Illinois Contractor Environments
Based on NIST SP 800-171 assessment experience, the gaps that most commonly appear in defense contractor environments:
Network documentation — Many organizations cannot accurately describe their network topology, the boundaries of their CUI environment, or what systems process or store CUI. The SSP cannot be written without this documentation, and the assessor will verify it.
Access control — Multi-factor authentication for all accounts with CUI access; least-privilege implementation; privileged account management; access reviews and timely de-provisioning.
Configuration management — Documented baseline configurations for systems in the CUI environment; change management processes; software inventory and control.
Incident response planning — A documented, tested incident response plan that covers CUI breach notification requirements (including notification to the DoD within 72 hours for CUI incidents under DFARS 252.204-7012).
Security awareness training — Documentation of training for all personnel with CUI access.
How to Start a CMMC Readiness Program
The starting point is a gap assessment against NIST SP 800-171 — evaluating your current controls against each of the 110 practices, documenting the findings, and producing a gap analysis with remediation priorities.
Request a CMMC readiness assessment from SecureNext — we will assess your current posture, help you understand which practices apply, and develop a realistic remediation plan and documentation roadmap.