What is CMMC Level 2 and who needs it?

CMMC Level 2 requires compliance with all 110 controls from NIST SP 800-171 Rev 2. Any Defense Industrial Base (DIB) contractor that handles Controlled Unclassified Information (CUI) on DoD contracts will need CMMC Level 2 certification. This affects an estimated 80,000+ contractors.

When is the CMMC certification deadline?

CMMC Phase 2 requires C3PAO third-party assessments starting November 2026. However, DoD is already including CMMC requirements in new contracts. Starting now gives you time to close gaps, build evidence, and avoid last-minute scrambles when every C3PAO is booked solid.

Can I use CMMC Command for my self-assessment?

Yes. The free tier gives you a complete 110-control NIST SP 800-171 assessment with real-time SPRS score calculation. You can document your status, identify gaps, and calculate your exact SPRS score which you're already required to submit to SPRS.mil.

How does the AI compliance analyst work?

Our 8 AI features analyze your actual assessment data - not generic templates. The AI generates gap analysis narratives, remediation plans with effort estimates, SSP implementation statements, evidence sufficiency reviews, and realistic C3PAO interview questions. It never sees your uploaded documents or CUI - only control metadata.

Do you store CUI or sensitive documents?

No. CMMC Command stores compliance metadata - control statuses, SPRS scores, task assignments, and evidence references. Uploaded evidence files are scanned for CUI markers and we explicitly do not store controlled unclassified information.

How does CMMC Command compare to hiring a consultant?

A typical CMMC consultant charges $200-$400/hr, and most assessments require 80-200 hours ($16K-$80K). CMMC Command replaces the ongoing assessment tracking, gap analysis, document generation, and remediation planning for $749/mo.

What integrations are supported?

We connect with 10 security tools: Microsoft Entra ID, Microsoft 365 & Defender, CrowdStrike Falcon, Google Workspace, AWS, SentinelOne, Tenable.io, KnowBe4, Jamf Pro, and Okta. Each integration auto-collects compliance evidence mapped to specific NIST controls.

Can I cancel anytime?

Yes. All plans are month-to-month with no long-term contracts. Annual plans offer 2 months free. If you cancel, you retain read-only access to your data for 30 days. We also support full data export.

NIST SP 800-171 Rev 3: What Changed and What It Means for CMMC

NIST SP 800-171 Rev 3 Is Published: Should You Panic?

No. But you should pay attention.

NIST published SP 800-171 Revision 3 in May 2024, replacing the Rev 2 standard that has governed CUI protection since 2020. Rev 3 is a significant structural overhaul: more controls, new families, and tighter alignment with the broader NIST SP 800-53 framework.

However, CMMC Level 2 assessments still reference Rev 2 as of early 2026. The DOD has not yet updated DFARS or the CMMC assessment methodology to require Rev 3. Your immediate priority remains certifying against the 110 Rev 2 controls before the November 2026 Phase 2 deadline.

That said, Rev 3 is coming. Here's what changed and how to prepare.

What Changed in Rev 3

More Requirements

Rev 2 had 110 controls across 14 families. Rev 3 consolidates and reorganizes these into 97 requirements across 17 families. While some controls were split into more granular requirements and new requirements were added, the overall structure was streamlined. It's a reduction in requirement count, not an expansion.

Three New Control Families

Rev 3 adds three families that didn't exist in Rev 2:

Planning (PL): Requires documented security plans describing system boundaries, operational environments, and control implementations. If you're building an SSP for CMMC today, you're already doing most of this.
System and Services Acquisition (SA): Addresses secure system acquisition, developer security testing requirements, and supply chain security safeguards at the acquisition level. Organizations procuring systems with CUI implications will need formal acquisition security requirements.
Supply Chain Risk Management (SR): Addresses ICT/OT supply chain risks component authenticity, supplier assessments, provenance tracking, and acquisition strategies. This is the biggest net-new area for most contractors.

Zero Trust and Cloud

Rev 3 significantly strengthens network security requirements. New requirements address:

Zero-trust architecture principles and microsegmentation
Cloud service provider oversight and shared responsibility documentation
FedRAMP alignment for cloud-hosted CUI environments
Software supply chain integrity including SBOM requirements

Alignment with SP 800-53 Rev 5

Rev 3 control identifiers now map directly to NIST SP 800-53 Rev 5. If your organization also follows FedRAMP or FISMA, this simplifies cross-framework compliance significantly.

The Transition Timeline

Here's what we know about the DOD's path from Rev 2 to Rev 3:

Date	Event
May 2024	NIST publishes SP 800-171 Rev 3 (final)
December 2024	CMMC 32 CFR Final Rule takes effect; references Rev 2
November 10, 2025	Phase 1 begins. Select contracts require CMMC self-assessments; Phase 2 (C3PAO assessments) may be required at CO discretion
November 10, 2026	Phase 2 begins. C3PAO Level 2 assessments more broadly required in DoD solicitations
November 10, 2027	Phase 3 begins. Level 2 and Level 3 broadly required across applicable solicitations
November 10, 2028	Phase 4. Full CMMC implementation complete
~2027-2028	Expected: DOD begins DFARS rulemaking to adopt Rev 3
~2028+	Expected: CMMC assessments updated to reference Rev 3

The key takeaway: you have roughly 2+ years after your Rev 2 certification before Rev 3 becomes mandatory. That's enough time to prepare if you start tracking the changes now.

What Should You Do Now?

1. Certify Against Rev 2 First

This is non-negotiable. The November 10, 2026 Phase 2 deadline is real, and CMMC assessors will evaluate you against Rev 2's 110 controls. Don't get distracted by Rev 3 at the expense of your current certification.

2. Understand the Gap

Once you're Rev 2 compliant, the jump to Rev 3 is incremental, not a restart. Most of the 97 Rev 3 requirements map to existing Rev 2 controls. The net-new areas are primarily:

Supply chain risk management
Formal security planning documentation
System and services acquisition security
Enhanced zero-trust and cloud controls

3. Start Building Supply Chain Practices

The Supply Chain Risk Management (SR) family is the biggest new area and the hardest to implement quickly. Start by:

Inventorying your critical ICT/OT suppliers
Documenting your acquisition and procurement processes
Establishing supplier assessment criteria

4. Document Your Cloud Architecture

If you use cloud services for CUI processing (and most contractors do), start documenting:

Which cloud services handle CUI
FedRAMP authorization status of each provider
Shared responsibility matrix for each service
Data flow diagrams showing CUI boundaries

5. Follow the DOD Rulemaking

When DOD begins the DFARS rulemaking process to adopt Rev 3, there will be a public comment period. This is when the actual transition timeline will become clear.

How CMMC Command Is Preparing

We're tracking the Rev 3 transition closely. Our roadmap includes:

Rev 3 control mapping: showing exactly how your current Rev 2 controls map to Rev 3 requirements
Gap identification: highlighting the net-new Rev 3 requirements you'll need to address
Updated SPRS scoring: when DOD publishes Rev 3 weights, we'll implement the new scoring model
Transition planning tools: helping you prioritize the new requirements by effort and impact

In the meantime, every hour you invest in Rev 2 compliance pays forward. The controls don't disappear in Rev 3; they get restructured and expanded. A strong Rev 2 foundation makes Rev 3 transition straightforward.

Start your free CMMC assessment. Get Rev 2 certified first, and we'll guide you through Rev 3 when the time comes.