CMMC 2.0: The Clock Is Running.
CMMC requirements are appearing in Department of Defense solicitations. For Tennessee defense contractors and the subcontractors in their supply chain, "we will deal with it later" is becoming "we just lost a contract we could not bid."
CMMC 2.0 has three levels. Most contractors handling Controlled Unclassified Information (CUI) need Level 2, which requires meeting all 110 controls of NIST SP 800-171 and passing a third-party (C3PAO) assessment. Preparation takes months — gap assessment, remediation, documentation (SSP and POA&M), and often a move to a compliant environment like Microsoft GCC High. Start now; the assessment backlog is real.
01 Why this is urgent now
CMMC requirements are being written into DoD contracts. Once a solicitation requires a given CMMC level, you cannot bid without it. There is no "we are working on it" exception at award time. For prime contractors and the subcontractors in their supply chains, this means the businesses that prepared early can bid on work the unprepared ones simply cannot touch.
02 Which level you need
- Level 1 — for Federal Contract Information (FCI) only. 15 basic safeguarding requirements. Self-assessment.
- Level 2 — for Controlled Unclassified Information (CUI). All 110 controls of NIST SP 800-171. Most require a third-party (C3PAO) assessment.
- Level 3 — for the highest-priority programs. Level 2 plus additional controls, government-led assessment.
Most Tennessee contractors handling CUI land at Level 2. If you are unsure which you handle, that determination is itself the first step.
03 What Level 2 actually takes
Meeting 110 controls is not a weekend project. The realistic path:
- Gap assessment against all 110 controls — where you actually stand today
- Remediation — closing the gaps, often the longest phase
- Documentation — a System Security Plan (SSP) and Plan of Action and Milestones (POA&M)
- Environment — many contractors must move CUI workloads to a compliant enclave like Microsoft GCC High
- Assessment — scheduling and passing a C3PAO assessment, and the assessor backlog is real
04 The GCC High question
If you handle CUI in Microsoft 365, standard commercial M365 generally is not sufficient. Microsoft GCC High is the FedRAMP-High-equivalent environment built for this. Migrating to GCC High is a project in itself — licensing, data migration, reconfiguration — and another reason the timeline is longer than people expect.
05 What to do this quarter
Determine your required level. Run a gap assessment against NIST SP 800-171. Start remediation on the biggest gaps. Begin the SSP and POA&M documentation. If GCC High is in your future, scope that migration now. The contractors who win DoD work over the next few years are the ones who treated this as a present-tense problem.
We help Tennessee defense contractors through this process end to end — gap assessment through assessment readiness. The first conversation is free.