CMMC 2.0 Levels 1 & 2 for Hudson Valley Defense Contractors: Self-Assessment vs. C3PAO and What Changed in the Final Rule

The final rule is published. The clock is running. Here is what Hudson Valley manufacturers, IT shops, and defense subcontractors actually need to do.

By Jim Venuto | February 11, 2026 | Hudson Valley CISO

Two Years of "Getting Ready" Just Ended

There is a machine shop in the mid-Hudson Valley—call them Precision Defense Components—that has been telling its prime contractor "we're working on CMMC" since early 2024. They bought a firewall, moved email to GCC High, and started drafting a System Security Plan on a Saturday afternoon. Then the owner got busy, the IT manager changed jobs, and the binder sat on a shelf for eighteen months.

That story is not unusual. Across Dutchess, Orange, Ulster, and Rockland counties, dozens of small and mid-size manufacturers, engineering firms, and IT service providers hold defense subcontracts or want to compete for them. Many have been aware that the Cybersecurity Maturity Model Certification was coming. Few appreciated how concrete and enforceable it became on October 15, 2024, when the Department of Defense published the final rule for 32 CFR Part 170 in the Federal Register. The CMMC program is no longer a draft, a proposed rule, or a future concern. It is the law, and DoD contracting officers will begin inserting CMMC requirements into solicitations during the phased rollout that is already underway.

This post walks through what CMMC 2.0 Levels 1 and 2 actually require, when you need a self-assessment versus a third-party assessment, what changed in the final rule, and how to build an evidence package that will hold up. If you are a Hudson Valley contractor who has been "planning to get ready," this is the plain-English version of what readiness means now.

CMMC 2.0 in Plain English: Three Levels, Two That Matter to Most of You

The original CMMC model had five levels and a labyrinth of process maturity requirements. CMMC 2.0 collapsed that down to three levels, and for the vast majority of Hudson Valley defense subcontractors, only Levels 1 and 2 are relevant.

Level 1 (Foundational) applies if your contract involves Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). FCI is essentially any information generated for or provided by the government that is not publicly available. Level 1 requires you to implement 17 practices drawn from FAR 52.204-21. These are basic cyber hygiene controls: limit system access to authorized users, authenticate users before granting access, sanitize media before disposal, and so on. Level 1 is assessed through an annual self-assessment. No third party shows up at your facility. You score yourself, enter the results in the Supplier Performance Risk System (SPRS), and a senior company official affirms the score.

Level 2 (Advanced) applies if your contract involves CUI. This is the level that covers technical drawings with distribution statements, export-controlled specifications, controlled technical information, and similar data that most defense manufacturers handle daily. Level 2 maps directly to the 110 security requirements in NIST SP 800-171 Revision 2. Depending on the sensitivity of the CUI in your contract, Level 2 may require either a self-assessment or a certification assessment conducted by an accredited CMMC Third-Party Assessment Organization (C3PAO).

Level 3 (Expert) applies to contracts involving the most sensitive CUI and adds requirements from NIST SP 800-172. Level 3 assessments are government-led, conducted by the Defense Contract Management Agency (DCMA). Most Hudson Valley subcontractors will not encounter Level 3 requirements, so this post focuses on Levels 1 and 2.

Key distinction: The difference between FCI and CUI determines your level. If you are not sure what kind of information your contract involves, look at the contract itself. If it includes DFARS 252.204-7012, you are handling CUI and need Level 2. If it only references FAR 52.204-21, Level 1 may suffice. When in doubt, ask your contracting officer or prime contractor.

Self-Assessment vs. C3PAO: When Each Applies and What It Costs

One of the most significant clarifications in the final rule is which contracts require a third-party assessment and which allow self-assessment at Level 2.

For Level 1, the answer is straightforward: every Level 1 contractor performs a self-assessment. There is no C3PAO option at Level 1 because the controls are basic and the risk profile is lower.

For Level 2, the DoD distinguishes between contracts based on the type and criticality of CUI involved. Contracts that involve CUI critical to national security will require a C3PAO certification assessment. Contracts that involve CUI but where the DoD determines the risk is lower may allow a Level 2 self-assessment. The specific determination is made by the requiring activity (the DoD component that owns the program), and it will be stated in the solicitation. You will not have to guess which one applies—it will be a contract requirement.

What a C3PAO Assessment Looks Like

A C3PAO assessment is conducted by an organization accredited by the CMMC Accreditation Body (the Cyber AB). The assessors review your System Security Plan, examine your evidence artifacts, interview your staff, and test controls. The assessment results in a score and a certification that is valid for three years. Between certifications, you must submit an annual affirmation confirming that you are maintaining compliance.

Cost varies. For a small company with a well-scoped environment (say, 25 users and a single enclave), C3PAO assessment fees have been estimated in the range of $25,000 to $75,000, depending on the assessor, scope, and complexity. Larger or more complex environments can run significantly higher. The real cost, though, is the remediation work that precedes the assessment. If you have not implemented multifactor authentication, encrypted CUI at rest and in transit, maintained audit logs, or built an incident response plan, the technology and labor costs to get there will dwarf the assessment fee.

What a Self-Assessment Looks Like

A self-assessment—at either Level 1 or Level 2—means your organization evaluates itself against the required practices, calculates an SPRS score (for Level 2), and enters the results into SPRS. The critical addition in the final rule is the affirmation requirement: a senior official of the company must sign an affirmation statement confirming that the assessment is accurate and that the organization is meeting (or will meet, via a Plan of Action and Milestones) all applicable requirements. This is not a formality. False affirmation can trigger the False Claims Act, which carries civil penalties up to three times the government's damages plus $11,000 or more per false claim.

Cost reality check: Self-assessment has no assessment fee, but it is not free. You still need to implement all the same controls, build the same documentation, and maintain the same evidence. The difference is who evaluates the evidence, not what the evidence contains. If you treat self-assessment as a shortcut, you are building liability, not saving money.

POA&Ms: What the Final Rule Actually Allows

A Plan of Action and Milestones (POA&M) is a formal document that identifies security requirements you have not yet fully met, along with the resources and timeline for closing each gap. Under CMMC 2.0, POA&Ms are permitted at Level 2 but with strict guardrails that the final rule made explicit.

First, you must achieve a minimum SPRS score of 80 out of 110 to be eligible for a conditional certification with POA&Ms. If your score is below 80, you do not qualify for certification at all, and you cannot bid on contracts requiring CMMC Level 2.

Second, all POA&M items must be closed within 180 days of the conditional certification. There is no extension. If you fail to close them, your conditional status is revoked, and you lose your certification.

Third, and this is critical for planning purposes, certain controls cannot have POA&Ms. The final rule identifies a set of requirements that are so fundamental that they must be fully implemented at the time of assessment. These include controls related to FIPS-validated cryptography (SC.L2-3.13.11), multifactor authentication (IA.L2-3.5.3), incident reporting (IR.L2-3.6.1), and several others. If you are not meeting these controls, a POA&M will not save you—you must remediate before you can be assessed.

For Level 1, POA&Ms are not permitted at all. You must meet all 17 practices before you affirm compliance.

The Affirmation Requirement: Personal Accountability

Every version of CMMC discussed some form of accountability, but the final rule codified the affirmation requirement in a way that should get the attention of every company owner and executive in the Hudson Valley defense supply chain.

After each assessment (whether self-assessment or C3PAO), a senior official of the organization—typically the CEO, president, or a comparable executive—must submit an affirmation in SPRS. The affirmation states that the organization's assessment results are accurate and that the organization is implementing and will maintain the required security practices. This affirmation must be renewed annually.

The personal dimension matters. If a senior official affirms compliance knowing that the organization has not actually implemented the controls, that official and the organization face potential liability under the False Claims Act and related statutes. The Department of Justice has made clear through its Civil Cyber-Fraud Initiative, launched in 2021, that it intends to pursue companies and individuals who misrepresent their cybersecurity posture to the federal government. This is not theoretical—enforcement actions are already happening in the federal contracting space.

For a small Hudson Valley manufacturer where the owner is both the CEO and the person signing the affirmation, this creates a direct line of personal risk. The practical takeaway: do not sign what you cannot prove.

Building Your Evidence Pack

Whether you are self-assessing or preparing for a C3PAO visit, the quality of your evidence determines the quality of your outcome. The following table outlines the core artifacts you should be assembling now.

System Security Plan (SSP)
Purpose: Documents your in-scope environment, how each NIST 800-171 requirement is met, and who is responsible for each control.
Key details: Use the NIST SP 800-171A assessment objectives as your outline. Map every control to a specific technology, policy, or process. Avoid vague statements like "we use encryption"—specify the product, configuration, and scope. The DoD provides an SSP template through NIST, and many C3PAOs publish guidance on expected content.

SPRS Score Calculation
Purpose: Quantifies your compliance posture on a scale of -203 to 110 for Level 2.
Key details: Each of the 110 requirements in NIST 800-171 has a weighted value of 1, 3, or 5 points. A perfect score is 110. For each unmet requirement, you subtract the weighted value. You must achieve at least 80 to qualify for conditional certification with POA&Ms. Document how you scored each control and retain the evidence that supports each "MET" determination.

Plan of Action & Milestones (POA&M)
Purpose: Identifies unmet requirements, assigns remediation owners, and sets deadlines.
Key details: Format: one row per unmet requirement, with columns for the control ID, current status, remediation steps, responsible party, resources required, and target completion date. All items must be closable within 180 days. Do not include controls that are on the "no POA&M" list—those must be remediated before assessment.

Network and Data Flow Diagrams
Purpose: Define your CUI boundary and demonstrate that CUI is isolated, encrypted, and controlled.
Key details: Show where CUI enters your environment, where it is stored and processed, where it exits, and how it is protected at each point. Include cloud services (GCC, GCC High), VPN tunnels, and any connections to subcontractors.

Policy and Procedure Documents
Purpose: Demonstrate that your security practices are formalized, not ad hoc.
Key details: At minimum, you need policies covering access control, incident response, media protection, system and communications protection, and configuration management. Procedures should describe how staff actually perform the tasks the policy requires. Assessors will interview employees to verify that policies are followed in practice.

C3PAO Selection Criteria
Purpose: Ensure your assessor is accredited and appropriate for your scope.
Key details: Verify the C3PAO is listed on the Cyber AB marketplace. Confirm they have experience assessing organizations of similar size and industry. Ask for references. Clarify pricing, timeline, pre-assessment support (if any), and what happens if you do not pass. Get the engagement terms in writing before you start.

Annual Affirmation Record
Purpose: Proves that the senior official reviewed the assessment results and affirmed compliance.
Key details: Maintain an internal record of who affirmed, when, and what the SPRS score was at the time. Store a copy of the affirmation submission alongside your SSP. This protects you if there is ever a dispute about what was known and when.
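The SPRS scoring rule and the POA&M guardrails from the section above (the 80-point floor, the 180-day closure window, and the controls that cannot carry a POA&M) reduce to a short eligibility check, shown here as an added Python example rather than code from the post or from DoD. The assessment results, the point weights, and the no-POA&M set (limited to the three control identifiers the post names) are constructed assumptions for illustration.

```python
from datetime import date, timedelta

# Level 2 guardrails as stated in the post: a perfect score is 110, at least 80 is
# needed for a conditional certification, and POA&M items close within 180 days.
PERFECT_SCORE, CONDITIONAL_MINIMUM, POAM_WINDOW_DAYS = 110, 80, 180

# Requirements the post names as ineligible for a POA&M. The final rule's full
# list is longer; only the three identifiers the post cites appear here.
NO_POAM_CONTROLS = {"SC.L2-3.13.11", "IA.L2-3.5.3", "IR.L2-3.6.1"}

# Constructed assessment results, not any real company's data: control id ->
# (weight in points, met?). Requirements not listed are treated as met, so the
# score depends only on the unmet entries. Weights are illustrative.
SAMPLE_ASSESSMENT = {
    "AC.L2-3.1.1": (5, True),
    "AC.L2-3.1.20": (1, False),
    "AU.L2-3.3.1": (5, False),
    "CM.L2-3.4.2": (5, False),
    "MP.L2-3.8.3": (5, False),
    "IA.L2-3.5.3": (5, True),
    "SC.L2-3.13.11": (5, True),
    "IR.L2-3.6.1": (5, True),
}


def sprs_score(assessment: dict) -> int:
    """Start at 110 and subtract the weight of every requirement not met."""
    return PERFECT_SCORE - sum(w for w, met in assessment.values() if not met)


def certification_outcome(assessment: dict, assessment_date: date) -> dict:
    """Classify a result as certified, conditional or not eligible, with the
    unmet controls, the ones a POA&M cannot cover, and the POA&M deadline."""
    score = sprs_score(assessment)
    unmet = sorted(cid for cid, (_, met) in assessment.items() if not met)
    blocking = sorted(set(unmet) & NO_POAM_CONTROLS)
    result = {"score": score, "unmet": unmet, "blocking": blocking, "poam_deadline": None}
    if not unmet:
        result["outcome"] = "certified"
    elif score < CONDITIONAL_MINIMUM or blocking:
        # Below 80, or an unmet no-POA&M control: remediate first, then reassess.
        result["outcome"] = "not eligible"
    else:
        result["outcome"] = "conditional"
        result["poam_deadline"] = assessment_date + timedelta(days=POAM_WINDOW_DAYS)
    return result


if __name__ == "__main__":
    print(certification_outcome(SAMPLE_ASSESSMENT, date(2026, 2, 11)))
```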

Timeline: When CMMC Hits Your Contracts

The final rule established a phased implementation timeline. CMMC requirements will not appear in every defense contract overnight, but they will appear, and the pace will accelerate.

Phase 1 began when the 48 CFR rule took effect. During this phase, the DoD may include CMMC Level 1 self-assessment or Level 2 self-assessment requirements in new solicitations and contracts. This is already happening. If you are bidding on new work in 2026, check the solicitation for CMMC clauses.

Phase 2 begins one year after Phase 1. During Phase 2, the DoD may begin requiring Level 2 C3PAO certification assessments in applicable contracts. This is the phase where companies handling critical CUI will need to have their third-party certification in hand.

Phase 3 begins one year after Phase 2 and introduces Level 3 requirements for applicable contracts.

Phase 4 represents full implementation, where CMMC requirements will be included in all applicable DoD solicitations and contracts requiring the appropriate level.

The practical implication for Hudson Valley contractors: if you are bidding on new defense work in 2026, you should already have your Level 1 self-assessment completed and entered in SPRS. If you handle CUI, you should be deep into your Level 2 preparation—ideally with an SSP finalized, your SPRS score calculated, and remediation underway for any gaps. Waiting until a specific contract requires it means you are competing against firms that are already certified, and you will lose those bids.

A note on timing: C3PAO assessments take time to schedule. The pool of accredited assessors is still growing, and demand is building. If you wait until Phase 2 to start looking for a C3PAO, you may face a backlog. Start your pre-assessment work now so you are ready to schedule when the time comes.

What This Means for Your Shop

If you are a five-person machine shop in Newburgh subcontracting to a Tier 2 supplier, or a 40-person engineering firm in Poughkeepsie with three active DoD contracts, or an IT services company in Middletown that manages infrastructure for defense clients, the path forward is the same. You need to determine what type of information you handle, identify which CMMC level applies, scope your environment, implement the controls, document everything, and prepare for assessment.

The Hudson Valley has a long history in defense manufacturing and technology. Companies here have been building components for military systems for decades. CMMC does not change what you do—it formalizes how you protect the information that comes with doing it. The contractors who treat this as a business enabler rather than a bureaucratic burden will be the ones who keep winning work as the defense industrial base raises its cybersecurity floor.

The final rule is final. The phased rollout is underway. The time to act is not next quarter.

Need help determining your CMMC level, scoping your CUI boundary, or building an assessment-ready evidence package? Hudson Valley CISO works with defense contractors across the mid-Hudson region to turn compliance requirements into practical, maintainable security programs. Reach out for a no-pressure conversation about where you stand and what it will take to get certified.

References

CMMC Program Official Website — Office of the Under Secretary of Defense for Acquisition & Sustainment

Federal Register: Cybersecurity Maturity Model Certification (CMMC) Program — 32 CFR Part 170, Final Rule (October 15, 2024)

NIST SP 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

The Cyber AB (CMMC Accreditation Body) — C3PAO Marketplace and Certification Resources

Supplier Performance Risk System (SPRS) — Defense Information Systems Agency