
CMMC 2.0 Self-Assessment: What Defense Contractors on GSA Schedule Need to Know

CMMC 2.0 is active. It's in solicitations. Contracting Officers are verifying SPRS scores before making awards. And misrepresenting your cybersecurity posture in a federal contract context isn't just a compliance problem — it's a False Claims Act exposure.

If you hold a GSA Schedule and pursue Department of Defense work, or if you handle Controlled Unclassified Information (CUI) in any capacity, CMMC is now part of your contract eligibility picture. Here's what the self-assessment actually requires — and where contractors are consistently getting it wrong.

Why CMMC Exists (The Short Version)

The defense supply chain was getting compromised. Contractors were self-attesting compliance with DFARS 252.227-7012 and NIST SP 800-171 with no external verification. The results were predictable: cyber incidents, stolen technical data, compromised defense systems.

CMMC 2.0 is DoD's response. It introduces accountability into cybersecurity compliance — specifically by requiring that assessments be documented, submitted to SPRS, and affirmed by a senior official who is putting their name on the organization's security posture. That last part is the key enforcement mechanism. When a senior official signs the SPRS affirmation, misrepresentation becomes a False Claims Act issue, not just a compliance gap.

The Three Levels You Need to Know

CMMC 2.0 has three levels.

If you don't know which level applies to your work, start by finding out whether your contracts involve CUI. If they do, you're likely Level 2.

Self-Assessment Is Not Just an IT Project

This is where most organizations fail before they even start. They assign the CMMC assessment to their IT department and wait for a report.

The 110 NIST SP 800-171 controls touch almost every part of your organization — not just your network. They include policies (are they written down and enforced?), access management (who has access to CUI and why?), incident response (can you detect, respond to, and document a breach?), training (are your staff trained, and can you prove it?), vendor oversight (do your subs with CUI access meet the same requirements?), and physical security (who can physically access systems that store or process CUI?).

Leadership has to be involved. Cybersecurity compliance at Level 2 requires resource allocation, policy decisions, and organizational changes that IT teams can't make on their own. If your CMMC self-assessment is happening entirely below the VP level, you're setting yourself up for a failed assessment.

The SPRS Score: What It Is and Why It Matters

Your SPRS (Supplier Performance Risk System) score is where your self-assessment results live. Contracting Officers (COs) access SPRS during source selection to verify cybersecurity posture. A negative or low score is a yellow flag that can affect your contract eligibility.

The NIST SP 800-171 DoD Assessment Methodology assigns point values to each of the 110 requirements. Full compliance is a score of 110. Each deficiency reduces the score by a weighted amount depending on the severity of the gap. Plans of Action and Milestones (POA&Ms) can address some deficiencies, but others have limited flexibility.

Every year, a senior official from your organization must reaffirm your SPRS score. That affirmation is not a rubber stamp. It is a formal legal representation of your cybersecurity posture. Treat it as such.

Where Contractors Consistently Get Tripped Up

Scoping errors. Organizations either scope too broadly (including systems that don't touch CUI, increasing assessment burden unnecessarily) or too narrowly (excluding shared drives, email, collaboration tools, and other places where CUI actually exists). Accurate scoping is the foundation of a defensible assessment. Spend real time on discovery before you start scoring controls.

Documentation gaps. The System Security Plan (SSP) is the central documentation artifact — it maps each of the 110 requirements to how your organization implements them. A missing or vague SSP isn't just an audit finding; it's evidence that the self-assessment may not have been conducted rigorously. The SSP needs to be current, specific, and mapped to real system configurations.

MFA coverage. Multi-factor authentication is expected across most access points to CUI systems. Many organizations implement MFA for email but not for their VPN, file shares, or cloud storage where CUI actually lives. This gap shows up consistently and is relatively straightforward to remediate — but it requires someone to map where MFA is and isn't enforced.

Cloud services. If you use cloud platforms to store or process CUI, those platforms need to meet CMMC requirements. For most use cases, that means FedRAMP Moderate authorization or equivalent. A lot of contractors are storing CUI on commercial cloud platforms that are not FedRAMP authorized. That's a Level 2 gap.

Subcontractors. If your subs handle CUI, they need to meet the same CMMC requirements you do. Passing CUI to a subcontractor and assuming they'll figure out their own compliance isn't sufficient — you need contracts with them that require compliance, and you need some form of verification that they're actually compliant.

GSA Schedule and CMMC: The Connection

Your GSA Schedule contract doesn't require CMMC compliance — the MAS program is not a DoD-specific program. But your ability to compete for DoD task orders that involve CUI absolutely does require it.

If you're marketing your GSA Schedule to DoD customers and your SPRS score is low or missing, you're creating a significant barrier to award that a strong GSA contract can't overcome. The CO who pulls up your SPRS score before making a task order award decision doesn't care about your GSA contract value or your past performance stars. They see the CMMC picture.

Get your SPRS score in order before you need it — not after you've lost a task order because a competitor was compliant and you weren't.

What to Do Next

If you haven't started your CMMC self-assessment, start with two things: (1) find your CUI — identify every system, application, and storage location where Controlled Unclassified Information flows through your organization, and (2) download NIST SP 800-171 Revision 2 and start working through the 110 requirements against your current environment.

If you have a SPRS score already, pull it up and review it. When was it last affirmed? Does it reflect your current actual posture? A score that was entered two years ago by someone who left the company is not a defensible self-assessment.

CMMC 2.0 is not going to get easier. Revision 3 of NIST SP 800-171 has already been published. Forward-looking organizations are already reviewing it. The compliance bar will keep moving. Get ahead of it.

Work With a Former CO Who's Been There

Navigating GSA Schedule strategy doesn't have to be a guessing game. Book a free strategy call with Pedro and let's talk about where you stand.
