The three levels
Level 1: Self-assessed annually, affirmed in SPRS by a company official.
Level 2: Assessed every three years by an accredited C3PAO for most CUI contracts; limited POA&M items must close within 180 days.
Level 3: Assessed by the government (DIBCAC), on top of a passing Level 2.
Cloud reality: CUI handling usually points contractors to Microsoft 365 GCC or GCC High, and export-controlled (ITAR) data effectively requires GCC High. The tenant misconfigurations that fail a commercial audit fail a CMMC assessment too, which is why the evidence question below matters more than the paperwork.
The 14 domains, and what your tenant can prove today
Level 2's 110 requirements group into 14 domains. For each, an assessor wants operating evidence: configuration state, logs, and dated reports. Senserva's 672 Microsoft 365, Intune, Defender, and Entra ID checks and its patch intelligence already generate that evidence for the domains marked below; the rest arrive with the per-requirement CMMC mapping in the next Siemserva release.
EVIDENCE TODAY means Senserva reports already produce assessor-ready artifacts for requirements in that domain. NEXT RELEASE means the per-requirement mapping, arriving in the next Siemserva release, will state exactly which requirements are covered, partially covered, or out of scan scope.
What is coming in the next release
CMMC support is in active development for the next Siemserva release: every check mapped to the Level 2 requirements it evidences, a CMMC view in reports so an assessor sees findings organized by requirement, and gap output that reads like a POA&M starting point. The 672 checks and the patch intelligence above are the foundation; the release adds the CMMC lens over them.
Preparing now is not wasted work: every misconfiguration fixed and every patch gap closed today is a requirement you will not fail later.
CMMC questions, answered
The Cybersecurity Maturity Model Certification is the Department of Defense's framework for verifying that contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It is now phasing into DoD contracts: if you sell to the DoD, directly or as a subcontractor, a CMMC level will appear in your contracts.
Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21 for FCI, verified by annual self-assessment. Level 2 covers the 110 security requirements of NIST SP 800-171 for CUI, verified every three years by a C3PAO third-party assessment for most contracts. Level 3 adds selected requirements from NIST SP 800-172 for the highest-risk programs and is assessed by the government.
CMMC itself does not mandate a cloud, but CUI handling usually points defense contractors to Microsoft 365 GCC or GCC High, and export-controlled data (ITAR) effectively requires GCC High. The same tenant misconfigurations that fail commercial audits fail CMMC assessments too.
Assessors want proof that a requirement is implemented and operating: configuration state, screenshots or reports of settings, audit logs, and vulnerability and patch records. A dated, repeatable report showing MFA enforcement, audit log health, or patch state on every device is exactly the artifact an assessor asks for.
Yes, for many Level 2 requirements. Senserva's 672 checks and patch intelligence already produce dated, audit-ready reports covering access control, identification and authentication, audit and accountability, configuration management, risk assessment, and system and information integrity. Per-requirement CMMC mapping ships in the next Siemserva release.