CMMC compliance means meeting the cybersecurity requirements of the DoD's Cybersecurity Maturity Model Certification (CMMC) program.
The distinction between certification (a third-party assessment event) and compliance (an ongoing operational state) is where many contractors stumble. Passing a C3PAO assessment and then letting controls degrade is a compliance failure. Annual affirmations under CMMC are legally significant: signing one when your controls have eroded is a potential False Claims Act (FCA) violation.
Level 2 compliance requires meeting all 110 NIST SP 800-171 Rev. 2 security requirements, assessed against the NIST SP 800-171A assessment objectives. In operational terms, this means maintaining three things: a current and accurate System Security Plan that reflects your actual environment; a POA&M that tracks unresolved deficiencies with realistic timelines; and evidence that controls are actually operating (e.g., logs, access reviews, patch reports and training records tied to the systems in scope). Note that a POA&M is not a catch-all under CMMC: only a limited subset of requirements may remain open at assessment time, and open items must be closed out within 180 days, so the POA&M should be a short closure plan rather than a parking lot for known gaps.
Sustaining compliance is harder than achieving it. Personnel changes, system changes, new contract requirements and vendor substitutions all create compliance gaps if they're not managed through documented change control. A compliance program that activates only in the months before an assessment will not produce the kind of continuous evidence trail that holds up under scrutiny.
Supply chain compliance is also part of the picture. CMMC requires you to flow down the applicable CMMC requirements to subcontractors that process, store or transmit CUI on your behalf. Knowing which subcontractors are in scope and tracking their compliance posture is an ongoing obligation, not a one-time check at contract award.