If your business works with the Department of Defense, CMMC 2.0 compliance is no longer optional. The final rule is in effect, and the DoD is beginning to include CMMC requirements in new contracts. Here is what you need to know.

What Changed from CMMC 1.0 to 2.0

The biggest change is simplification. CMMC 2.0 reduced the five levels to three. Level 1 covers basic cyber hygiene (17 practices) with self-assessment. Level 2 maps directly to NIST SP 800-171 (110 controls) and requires third-party assessment for most contractors. Level 3 adds advanced practices from NIST SP 800-172 with government-led assessments.

Most small and mid-sized defense contractors in New Jersey will need Level 2 certification. This means implementing all 110 NIST SP 800-171 controls and passing a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO).

Where Most Contractors Fall Short

After assessing dozens of defense contractors across New Jersey, these are the gaps we see most frequently.

CUI identification and marking. Many contractors do not know exactly where their Controlled Unclassified Information lives, how it flows, and who has access to it. You cannot protect what you cannot find.

System Security Plan (SSP) deficiencies. Your SSP must accurately describe every control implementation. Generic templates do not pass C3PAO assessments. Each control description must reflect your actual environment.

Inadequate Plan of Action and Milestones (POA&M). If any controls are not fully implemented, your POA&M must document what is missing, what you are doing to close the gap, and when it will be complete. Vague timelines and missing details are audit failures.

Critical timeline: If you have not started CMMC preparation, you are behind. The assessment process alone takes 3-6 months, and most organizations need 6-12 months of preparation before they are ready for assessment. Start now.

We provide comprehensive CMMC compliance services for defense contractors in New Jersey, including gap assessments, remediation planning, SSP development, and C3PAO preparation.

How much does CMMC Level 2 compliance cost?

For a typical 25-50 person defense contractor, expect to invest $50,000 to $150,000 in technology, consulting, and assessment fees over 12-18 months. The exact cost depends on your current security posture and IT infrastructure.

Can we self-assess for CMMC Level 2?

Only for contracts that do not involve critical national security information. Most DoD contracts involving CUI will require third-party assessment. Check your specific contract requirements.