The Cybersecurity Maturity Model Certification (CMMC) is the U.S. Department of Defense’s mandatory cybersecurity program for organizations that work within the defense industrial base (DIB). The DIB is responsible for military weapons systems, subsystems, and components or parts. After several years of refinement, CMMC 2.0 is now finalized, enforceable, and being phased into Department of Defense (DoD) contracts. In order to win DoD contracts, organizations must demonstrate the appropriate CMMC level before contract award and maintain it throughout contract performance.
This blog explains the concept of a maturity model in the context of cybersecurity, what organizations must do to comply, and how Varonis helps organizations meet CMMC requirements through a data-centric approach.
What is CMMC?
Cybersecurity Maturity Model Certification is a program initiated by the U.S. Department of Defense (DoD) to measure and standardize defense contractors’ capabilities, readiness, and sophistication around cybersecurity. CMMC 2.0 is a streamlined update to the original 2020 CMMC program, and rather than policy guidance, CMMC 2.0 is a binding federal regulation.
At a high level, the framework is a collection of processes and inputs drawn from existing cybersecurity standards and regulations, such as NIST publications, the FAR, and DFARS, designed to protect the DIB. The goal of the program is to improve the security of federal contract information (FCI) and controlled unclassified information (CUI).
CMMC requirements are incorporated into DoD contracts through the Defense Federal Acquisition Regulation Supplement (DFARS). Any organization that wants to do business with the DoD must adhere to the appropriate CMMC level.
The three CMMC 2.0 levels
CMMC 2.0 simplifies the original five-level model into three tiers aligned with existing federal standards:
- Level 1 (Foundational): Applies to organizations handling Federal Contract Information (FCI) only. Requires basic safeguarding practices aligned with FAR 52.204-21 and an annual self-assessment.
- Level 2 (Advanced): Applies to organizations handling Controlled Unclassified Information (CUI). Requires implementation of all NIST SP 800-171 controls. Most Level 2 contracts require assessment by a certified third-party assessment organization (C3PAO).
- Level 3 (Expert): Applies to the most sensitive DoD programs. Builds on NIST SP 800-172 and requires government-led assessments.
The certification applies both to “prime” contractors who engage directly with the DoD and to subcontractors who contract with those primes to fulfill and execute contracts. Although some level of certification is a requirement as of 2025, the DoD issues contract opportunities at all levels of the maturity model, meaning some solicitations require only a low level of certification and others require higher levels.
The CMMC domains
CMMC 2.0 consists of 14 core domains, primarily based on NIST SP 800-171, that categorize cybersecurity practices for defense contractors. Level 1 (FCI) focuses on 6 key domains, while Levels 2 and 3 (CUI) cover all 14 domains, ensuring comprehensive protection.
- Access Control (AC): Limiting system access to authorized users and devices.
- Audit and Accountability (AU): Recording and examining system activities.
- Awareness and Training (AT): Educating users on security risks.
- Configuration Management (CM): Maintaining baseline settings and managing changes.
- Identification and Authentication (IA): Identifying users and authenticating identities.
- Incident Response (IR): Detecting, reporting, and responding to events.
- Maintenance (MA): Performing repairs and maintenance on systems.
- Media Protection (MP): Protecting and sanitizing physical/digital media.
- Personnel Security (PS): Ensuring employees are trustworthy and vetted.
- Physical Protection (PE): Restricting physical access to facilities and systems.
- Risk Assessment (RA): Assessing operational, asset, and organizational risk.
- Security Assessment (CA): Evaluating, testing, and managing security controls.
- System and Communications Protection (SC): Protecting data in transit and at boundaries.
- System and Information Integrity (SI): Detecting and fixing system flaws and malware.
How organizations comply with CMMC 2.0
Complying with CMMC 2.0 is not a single task or one-time certification. Instead, it’s an ongoing process that requires organizations to understand their data, secure it appropriately, and continuously demonstrate that required protections are in place.
While the specific requirements vary by CMMC level, the compliance journey follows a common path for all organizations in the defense supply chain.
- Understand what data you handle: CMMC requirements are driven by the type of information an organization processes, stores, or transmits. Organizations must first determine whether they handle FCI, CUI, or both. This distinction is critical because it determines the required CMMC level and the depth of security controls that must be implemented. In practice, this step is often more complex than it appears. FCI and CUI are frequently distributed across cloud platforms, SaaS applications, file shares, and collaboration tools. Without a clear understanding of where regulated data resides, organizations risk under-scoping—or over-scoping—their compliance efforts.
- Implement the required security controls: Once the required CMMC level is known, organizations must implement the appropriate security controls aligned with that level. Importantly, CMMC does not allow organizations to rely on partially implemented controls at the time of certification. For most levels, controls must be fully in place and operational—not planned or documented for future remediation.
- Validate compliance through assessment: CMMC compliance must be formally validated through the appropriate assessment mechanism. Depending on the required level and contract type, this may involve a self-assessment conducted by the organization, a third-party assessment performed by a certified C3PAO, or a government-led assessment (for the highest-risk environments). Assessment results must be submitted to the Supplier Performance Risk System (SPRS) and must be current at the time of contract award. Organizations that cannot demonstrate a valid CMMC status are ineligible for applicable DoD contracts.
- Maintain compliance over time: One of the most significant shifts introduced by CMMC 2.0 is the emphasis on continuous compliance. Certification is not permanent. Organizations are required to maintain their security controls throughout the life of the contract, submit annual affirmations of continuous compliance, and renew certifications on a defined cadence (typically one or three years, depending on level). Any lapse in compliance can jeopardize an organization’s CMMC status, even after certification is achieved.
- Extend compliance across the supply chain: CMMC requirements do not stop at the prime contractor. Organizations must ensure that subcontractors and partners handling FCI or CUI meet the appropriate CMMC level as well. These requirements must be flowed down contractually, and prime contractors are responsible for verifying compliance across their supply chain.
How Varonis helps fast-track CMMC 2.0 compliance
CMMC 2.0 is ultimately about protecting sensitive government data wherever it lives and however it’s accessed.
While the framework spans dozens of practices across multiple domains, many of its most critical requirements converge around visibility, control, and continuous oversight of data and user behavior. Varonis takes a data-centric approach to CMMC compliance, helping organizations operationalize security controls across key domains and evidence them for audits.
Enforcing access controls for CUI and FCI
CMMC places significant emphasis on access control, requiring organizations to ensure that only authorized users can access sensitive data and only to the extent necessary.
Varonis continuously maps permissions across the entire data environment, including cloud data stores, SaaS applications, and file systems, providing a clear view of who can access CUI and FCI.
Rather than relying on static access reviews, Varonis continuously monitors identities and data to identify excessive, risky, and unused permissions and enforce least privilege access at scale with automated policies. Varonis reduces the blast radius of sensitive data while supporting requirements around separation of duties, privileged account use, and controlled data flow—key elements of CMMC’s Access Control domain.
Providing auditability and accountability
CMMC requires organizations to generate, retain, and protect audit records that support investigation, reporting, and accountability.
Varonis delivers a searchable audit trail that ties every data access event back to a specific user, device, or service account. By centralizing audit data across multiple platforms, Varonis makes it easier for security teams and auditors to trace user actions, correlate events, and investigate suspicious behavior.
With this comprehensive audit trail, Varonis supports CMMC requirements for user accountability, audit correlation, log protection, and controlled access to audit systems without requiring manual log aggregation or complex tooling.
Strengthening identification and authentication controls
Accurately identifying users, service accounts, and devices—and verifying that their behavior matches expectations—is foundational to CMMC compliance.
Varonis maintains a comprehensive inventory of users and accounts, including privileged users and service accounts, and continuously analyzes authentication and access behavior. Behavioral baselining allows Varonis to flag unusual or suspicious activity, such as credential misuse or anomalous access patterns.
By combining user and account mapping with user and entity behavior analytics, Varonis supports CMMC requirements for authentication integrity, inactive account handling, and protection against credential-based attacks.
Enabling effective incident response
CMMC requires organizations to demonstrate the ability to detect, analyze, contain, and respond to incidents affecting sensitive data.
Varonis continuously monitors access to CUI and FCI, using behavioral analytics to detect insider threats, compromised accounts, and data exfiltration attempts. When suspicious activity is detected, security teams can quickly investigate using enriched context around the data, user, and activity involved. Automated response options—such as disabling accounts or reducing permissions—help organizations contain incidents efficiently while maintaining detailed records to support incident reporting and post-incident review.
Supporting ongoing risk assessment
Risk assessment under CMMC is not a one-time exercise. Organizations must continuously assess risk to their systems, data, and operations. Varonis provides ongoing visibility into where sensitive data resides, its exposure, and potential attack vectors.
Dashboards and reports highlight high-risk data stores, overexposed permissions, and anomalous access patterns, helping organizations prioritize remediation efforts and demonstrate that risk assessments are informed by real-world data access conditions.
Protecting systems and environments that handle CUI
System and communication protection requirements focus on preventing unauthorized data movement, securing data in transit and at rest, and maintaining clear boundaries between systems.
Varonis monitors how sensitive data is accessed, shared, and transmitted across environments, including SaaS apps, cloud infrastructure, databases, collaboration platforms, and shared resources.
By detecting unauthorized data transfers, risky sharing links, and abnormal communication patterns, Varonis helps organizations enforce CMMC expectations around boundary protection, role separation, and encryption of CUI.
Turning compliance into sustainable security
CMMC 2.0 represents a fundamental shift in how the DoD evaluates cybersecurity readiness across the DIB, and a necessity for doing business with the DoD.
Compliance management for CMMC demands continuous visibility into sensitive data, disciplined access controls, defensible audit trails, and the ability to detect and respond to risk as environments evolve. Organizations that approach CMMC as an ongoing operational discipline—not a checkbox exercise—will be best positioned to meet DoD expectations while strengthening their overall security posture.
By focusing on the data CMMC is designed to protect, Varonis helps organizations translate complex requirements into measurable, actionable security outcomes. With continuous insight into where sensitive data lives, who can access it, and how it’s being used, organizations can reduce risk, support audits with confidence, and stay compliant as CMMC requirements continue to roll out across the defense supply chain.