CMMC 2.0 makes cybersecurity a condition of doing business with the US Department of Defense. Level 2 - the tier most contractors need - requires demonstrable implementation of all 110 NIST SP 800-171 controls, verified by an accredited C3PAO. CyberFortify's network, application and cloud pen testing reports produce the technical assessment evidence those controls demand.
// 01 What CMMC 2.0 actually is
The Cybersecurity Maturity Model Certification is a US DoD program that verifies a defense contractor's cybersecurity maturity before contract award. It is codified in 32 CFR Part 170, with the acquisition rule (48 CFR) phasing certification requirements into DoD solicitations.
CMMC governs the protection of two data types: Federal Contract Information (FCI) and the more sensitive Controlled Unclassified Information (CUI). The required level is written into each contract - no certificate, no award.
CMMC does not invent new controls. It is an enforcement wrapper around existing NIST publications: Level 1 draws on the 15 basic safeguarding requirements of FAR 52.204-21, Level 2 on the 110 controls of NIST SP 800-171, and Level 3 on a subset of the enhanced requirements in NIST SP 800-172. What CMMC adds is teeth - independent assessment and a certificate that expires.
// 02 The three levels explained
CMMC 2.0 collapsed the original five-level model into three. The level you need is dictated by the sensitivity of the information you handle under contract.
Level 1 · FCI
17 basic safeguarding practices for contractors handling Federal Contract Information. Self-assessed and affirmed annually in SPRS. Pen testing is not mandated but sharpens the basic access-control and boundary-protection practices.
Level 2 · CUI
All 110 NIST SP 800-171 controls. Prioritized contracts require a triennial C3PAO third-party assessment. This is where CyberFortify testing evidence carries the most weight - the 3.11 and 3.12 control families expect real assessment output.
Level 3 · High-value CUI
Level 2 plus a subset of NIST SP 800-172 enhanced requirements, assessed by the DoD's DIBCAC. 800-172 explicitly calls for penetration testing (3.12.1e) - a direct CyberFortify deliverable.
// 03 How CyberFortify maps findings to CMMC
CMMC assessors verify the NIST SP 800-171 / 800-172 control families beneath each level. Every CyberFortify finding is mapped to the specific control an assessor references, so your remediation and your C3PAO evidence pack line up.
Data type
FCI or CUI - establishes the required CMMC level and assessment path.
FCI / CUIControl family
e.g., 3.11 Risk Assessment, 3.12 Security Assessment, 3.13 System & Communications Protection.
14 familiesControl reference
e.g., 3.11.2 Scan for vulnerabilities, 3.12.1 Periodically assess security controls.
110 controls800-172 enhancement
For Level 3: e.g., 3.12.1e Conduct penetration testing leveraging automated and manual tools.
Level 3Evidence & POA&M
Assessment output, retest attestation and remediation input for your Plan of Action & Milestones.
C3PAO-ready// 04 Why CMMC matters in 2026
With the CMMC Program rule now in effect, certification requirements are being written into DoD solicitations on a phased schedule. For the roughly 220,000 companies in the Defense Industrial Base, CMMC has shifted from a future concern to a live gate on revenue: a lapsed or missing certificate removes you from the eligible bidder pool. Prime contractors are already flowing requirements down to subcontractors ahead of the DoD deadlines.
CMMC is where a self-attested SPRS score meets an assessor who wants proof. A manual penetration test is the most defensible evidence that your 800-171 controls actually hold under attack - not just on paper.
CyberFortify reporting practice// 05 Frequently asked questions
Does CMMC require a penetration test?
Level 1 and Level 2 do not explicitly mandate penetration testing, but the 800-171 assessment (3.12.1) and vulnerability-scanning (3.11.2) controls are far stronger with real offensive evidence. Level 3, built on NIST SP 800-172, does call for penetration testing directly (3.12.1e).
What is the difference between CMMC and NIST SP 800-171?
800-171 is the control catalogue; CMMC is the certification and enforcement mechanism that verifies you have implemented it. CMMC Level 2 is the 110 controls of 800-171, plus an independent C3PAO assessment and a certificate.
Who needs Level 2 versus Level 3?
Most contractors handling CUI need Level 2. Level 3 is reserved for the highest-priority programs where CUI faces advanced persistent threats; it adds enhanced 800-172 requirements assessed by the government's DIBCAC.
Can one CyberFortify engagement support CMMC and other frameworks?
Yes. Because CMMC rests on NIST controls, the same engagement evidence cross-maps to NIST CSF 2.0 and FedRAMP. Our reports carry multi-framework mappings on every finding.