CMMC 2.0 Compliance: What Federal Security Teams Must Know

June 1, 2026

Federal contractors handling controlled unclassified information must achieve CMMC certification to bid on and maintain defense contracts, and physical security systems like video surveillance often fall within scope. This guide covers CMMC 2.0 levels, how video security systems fit into compliance requirements, common readiness gaps, and the steps federal security teams need to prepare for successful assessment.

Key takeaways

  • CMMC definition: The Cybersecurity Maturity Model Certification is a DoD-mandated framework requiring federal contractors to achieve specific cybersecurity maturity levels before bidding on or maintaining defense contracts.
  • Applicability: Federal contractors handling controlled unclassified information (CUI) or federal contract information (FCI) must achieve CMMC certification at the appropriate level.
  • Physical security connection: Video surveillance, access control, and other physical security systems fall within CMMC scope if they process, store, or transmit CUI or connect to assessed networks.
  • Readiness focus: Achieving CMMC readiness involves gap assessments, remediation, documentation, and pre-assessment activities before formal CMMC evaluation.

What is CMMC readiness?

CMMC readiness is the state of being prepared to pass a CMMC assessment at your required level. This means you have identified gaps in your security controls, fixed those gaps, documented everything properly, and tested your systems before the official evaluation.

Readiness is not the same as certification. Certification is the official credential you receive after passing an authorized assessment. Readiness is the preparation work that gets you there.

Organizations that skip thorough readiness planning often fail their first assessment. They then face remediation costs, reassessment fees, and potential loss of contract eligibility. Federal security teams that invest time in readiness build stronger security postures while positioning themselves for successful certification.

CMMC 2.0 levels and federal contractor requirements

CMMC 2.0 uses three levels instead of the original five. Each level matches the sensitivity of information you handle. Your first step toward readiness is understanding which level applies to your organization.

CMMC 2.0 Level | Maturity Stage | Primary Focus                            | Typical Contractor Type
Level 1        | Foundational   | Basic cyber hygiene                      | Contractors handling FCI only
Level 2        | Advanced       | Full NIST SP 800-171 controls            | Contractors handling CUI
Level 3        | Expert         | Advanced controls for critical programs  | Contractors on DoD critical programs

Level 1 — Foundational cyber hygiene for FCI

Level 1 applies when you handle federal contract information but not controlled unclassified information. FCI is information the government provides or generates under a contract that is not intended for public release.

This level focuses on basic security practices. You need password management, antivirus protection, and fundamental access controls. Physical security at this level includes basic visitor management and secure storage of FCI materials.

Level 2 — Advanced protection for CUI

Level 2 is the most common requirement for defense contractors, though only 8% had obtained certification as of February 2026. It applies when you handle controlled unclassified information. CUI is sensitive information that requires safeguarding but is not classified.

You must comply with all 110 NIST SP 800-171 controls at this level. These controls cover access management, encryption, audit logging, incident response, and continuous monitoring. Physical security requirements include secure facilities, surveillance systems, badge access, and secure CUI storage. You also need comprehensive documentation including system security plans, policies, and procedures.

Level 3 — Expert-level security for critical programs

Level 3 applies to contractors supporting critical DoD programs like weapons systems, space programs, or intelligence operations. This level requires advanced security practices beyond NIST SP 800-171.

You need sophisticated threat detection, insider threat programs, and supply chain risk management. Real-time security monitoring and rapid incident response are mandatory. Few contractors require Level 3, but those who do face the most rigorous assessment process.

Why CMMC readiness matters for federal security teams

You cannot bid on or maintain contracts requiring CMMC certification without achieving the required level. This makes readiness a business necessity, not just a compliance exercise.

  • Contract eligibility: Without certification, you lose access to defense contracts requiring CMMC compliance. This directly impacts your revenue and business continuity.
  • Risk mitigation: Readiness activities reduce cyber risk and strengthen your overall security posture beyond what compliance requires — 80% of defense organizations experienced breaches in the past year alone.
  • Cost avoidance: Preparing thoroughly before assessment costs far less than failing, remediating, and paying for reassessment.
  • Competitive advantage: CMMC certification shows federal customers you take security seriously. It differentiates you in competitive procurements.
  • Supply chain accountability: You must ensure your subcontractors and vendors also achieve CMMC readiness. Compliance requirements cascade throughout your supply chain.

How physical security systems fit into CMMC scope

CMMC applies to all systems that process, store, or transmit CUI or connect to networks within your assessment boundary. This includes physical security systems that many organizations overlook.

Video surveillance systems fall within CMMC scope if they connect to your network, store footage containing CUI, or link to assessed infrastructure. Badge readers, electronic door locks, and other access control systems are in scope if they manage access to CUI or assessed facilities.

Standalone systems with no network connectivity or CUI involvement are typically out of scope. A locked filing cabinet, for example, would not require CMMC controls. Your system security plan defines the assessment boundary, and you agree on this scope with assessors before evaluation begins.

Key CMMC controls that apply to video surveillance

Several NIST SP 800-171 control families directly apply to video surveillance and physical security systems. Understanding these requirements helps you evaluate your current infrastructure.

Control Family        | Application to Video Surveillance               | Key Requirements
Access control        | Restrict who can view, manage, or delete footage | Role-based access, authentication, audit trails
Encryption            | Protect footage in transit and at rest           | TLS for network transmission, AES for stored data
Audit logging         | Track all access, changes, and system events     | Centralized logging, retention, integrity protection
Incident response     | Detect and respond to security events            | Alerts, escalation procedures, investigation documentation
Continuous monitoring | Detect unauthorized access or anomalies          | Real-time alerts, anomaly detection

Access control and identity management

CMMC requires role-based access control for video systems. Only authorized personnel should view footage, manage settings, or delete recordings.

You need to define specific roles like security officer, system administrator, and viewer. Each role gets only the permissions needed for that job. Strong authentication including multi-factor authentication should protect system access. Every access attempt must be logged with timestamps and user identification.

Encryption for data in transit and at rest

CMMC requires encryption of CUI, including video footage containing sensitive information. You must encrypt data both during network transmission and while stored.

Use TLS or equivalent encryption for all communications between cameras, servers, and viewing clients. Use AES-256 or equivalent for stored footage on servers, storage arrays, or cloud platforms. If you store video in cloud environments, the platform must be FedRAMP-authorized or meet equivalent security standards.

Audit logging and continuous monitoring

CMMC requires centralized logging of all security-relevant events. This includes access to video systems, configuration changes, and potential security incidents.

Send all logs to a centralized security information and event management system. Retain logs according to your organizational policy, typically one year or longer. Protect logs against unauthorized access, modification, or deletion. Monitor logs in real time for security incidents or policy violations.

Incident response and recovery planning

CMMC requires documented procedures for detecting, responding to, and recovering from security incidents involving video systems.

Establish mechanisms to detect unauthorized access, tampering, or deletion of footage. Document steps for incident notification, investigation, containment, and remediation. Preserve video footage and system logs as evidence. Create recovery procedures to restore video system functionality after an incident.
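The access-control, audit-logging and incident-detection requirements above can be exercised together in one small model. The following is an added example, not Lumana's code or any product's API: it enforces the article's viewer / security officer / system administrator roles on footage actions, writes every attempt (allowed or denied) to an audit trail with timestamp and user identity, and runs a continuous-monitoring check over that trail for repeated denied delete or settings attempts. Permission names, user names and camera identifiers are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Least-privilege role map for the roles the article names; the permission
# strings are constructed for this example, not a vendor's API.
ROLE_PERMISSIONS = {
    "viewer": {"view_footage"},
    "security_officer": {"view_footage", "export_footage"},
    "system_administrator": {"view_footage", "change_settings", "delete_footage"},
}

@dataclass(frozen=True)
class AuditEntry:
    """One audit-trail record: who attempted what, on which camera, when, and the outcome."""
    timestamp: str
    user: str
    role: str
    action: str
    camera: str
    allowed: bool

@dataclass
class VideoAccessGate:
    """Authorizes requests against ROLE_PERMISSIONS and logs every attempt, allowed or not."""
    audit_log: list = field(default_factory=list)

    def request(self, user, role, action, camera, mfa_verified, when=None):
        when = when or datetime.now(timezone.utc)
        # Deny by default: an unknown role or unverified MFA never passes.
        allowed = bool(mfa_verified) and action in ROLE_PERMISSIONS.get(role, set())
        self.audit_log.append(
            AuditEntry(when.isoformat(), user, role, action, camera, allowed))
        return allowed

def flag_tampering_attempts(audit_log, threshold=2):
    """Monitoring check: users with `threshold` or more denied delete/settings attempts."""
    denied = {}
    for entry in audit_log:
        if not entry.allowed and entry.action in {"delete_footage", "change_settings"}:
            denied[entry.user] = denied.get(entry.user, 0) + 1
    return sorted(user for user, count in denied.items() if count >= threshold)

def run_scenario():
    """Constructed sequence of requests; returns (decisions, flagged users)."""
    gate = VideoAccessGate()
    t0 = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
    decisions = [
        gate.request("alice", "viewer", "view_footage", "cam-lobby", True, t0),
        gate.request("alice", "viewer", "delete_footage", "cam-lobby", True, t0),
        gate.request("alice", "viewer", "change_settings", "cam-lobby", True, t0),
        gate.request("bob", "system_administrator", "delete_footage", "cam-dock", False, t0),
        gate.request("bob", "system_administrator", "delete_footage", "cam-dock", True, t0),
    ]
    return decisions, flag_tampering_attempts(gate.audit_log)
```

In a real deployment the audit_log list would be replaced by forwarding each entry to the centralized SIEM, where the same threshold check runs as a correlation rule.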

Common CMMC readiness gaps in physical security infrastructure

Federal contractors frequently encounter specific gaps when preparing physical security systems for assessment. Identifying these early allows targeted remediation.

  • Lack of centralized logging: Many video systems do not send logs to a centralized SIEM, making incident detection difficult.
  • Inadequate access controls: Video systems may allow multiple users to access footage without role-based restrictions or strong authentication.
  • Unencrypted data transmission: Video streams transmitted without encryption expose footage to potential interception.
  • No documented incident response: Organizations often lack written procedures for responding to video system breaches.
  • Unclear assessment boundaries: Organizations may not clearly define which physical security systems fall within scope.
  • Legacy system limitations: Older video systems may not support modern security controls without replacement or significant upgrades.
  • Vendor oversight gaps: Organizations may not assess whether video system vendors meet CMMC requirements.

Steps to prepare your security systems for CMMC compliance

Achieving CMMC readiness requires a structured approach. You need to address gaps systematically while building documentation for assessment.

Conduct a gap assessment against NIST SP 800-171

A gap assessment evaluates your current security posture against NIST SP 800-171 controls. This identifies where you fall short of CMMC compliance requirements.

Define which systems, networks, and information fall within your assessment boundary. Evaluate your current implementations against each control. Review existing policies, procedures, and documentation for gaps. Consider engaging a qualified CMMC consultant for an objective assessment.

Document your system security plan and network boundaries

The system security plan is your foundational CMMC documentation. It defines your assessment scope, system components, data flows, and how you implement each control.

Clearly define which systems and networks are within scope. Map how CUI flows through your systems, networks, and physical locations. Document how you implement each NIST SP 800-171 control. Gather evidence including screenshots, logs, and policies to support your claims.

Remediate gaps with a plan of action and milestones

A Plan of Action and Milestones documents your roadmap for fixing identified gaps. This shows assessors you have a clear path to full compliance.

Prioritize gaps based on risk severity, remediation cost, and timeline. Define specific actions, responsible parties, deadlines, and success criteria for each gap. Allocate budget, personnel, and tools to execute remediation. Track progress and adjust timelines as needed.

Evaluate video security architecture for compliance alignment

Assess your video security architecture against CMMC requirements. Determine whether your current systems support encryption, centralized logging, access control, and incident response.

Identify capability gaps in your existing infrastructure. Evaluate whether current vendors can support CMMC requirements, including unified video and access control, or whether you need replacements. Consider whether cloud-based, on-premises, or hybrid storage best supports your compliance objectives.

Perform a pre-assessment before formal CMMC evaluation

A pre-assessment simulates the official CMMC assessment process. It identifies remaining gaps before your formal evaluation.

Engage a qualified CMMC assessor or consultant to conduct the pre-assessment. Address all findings before your official assessment. Schedule the pre-assessment at least two to four weeks before your formal evaluation to allow time for final remediation.

How cloud and hybrid-cloud video security supports CMMC readiness

Cloud-based and hybrid-cloud video architectures can support CMMC compliance when properly configured. Understanding the trade-offs helps you make informed decisions.

Aspect            | Cloud-based video                              | On-premises video              | Hybrid video
Data residency    | May be stored outside DoD-authorized regions   | Remains under your control     | Both locations with clear governance
Encryption        | Provider-managed; verify FedRAMP authorization | You manage with full control   | Mixed responsibility
Scalability       | Highly scalable, pay-as-you-go                 | Limited by your infrastructure | Flexible scaling
Compliance burden | Reduced if provider is FedRAMP-authorized      | Full responsibility on you     | Shared responsibility

Cloud-based video storage must reside in FedRAMP-authorized or equivalent environments. Hybrid architectures let you store sensitive footage on-premises while using cloud for redundancy or non-sensitive data. Regardless of architecture, you remain responsible for ensuring your video vendors meet CMMC requirements.

What to look for in a CMMC-ready video security platform

When evaluating video security platforms for CMMC compliance, assess specific capabilities that support control requirements.

  • Encryption support: The platform should encrypt video data in transit using TLS and at rest using AES-256 or equivalent.
  • Centralized logging: The platform should send logs to a centralized SIEM and support configurable retention policies.
  • Role-based access control: Look for granular access controls, multi-factor authentication, and comprehensive audit trails.
  • Incident response features: The platform should provide real-time alerts, anomaly detection, and forensic preservation capabilities.
  • Compliance documentation: The vendor should provide documentation supporting CMMC control implementation.
  • Vendor security assessment: Verify the vendor has undergone security assessments like SOC 2 or FedRAMP authorization and uses NDAA-compliant cameras.
  • Federal environment support: The platform should be designed for federal contractor requirements with CMMC implementation experience.

Frequently asked questions about CMMC readiness

Do physical security systems like video surveillance fall under CMMC?

Yes, video surveillance systems fall under CMMC scope if they connect to your network, store footage containing CUI, or link to assessed infrastructure. They must meet the same control requirements as IT systems, including encryption, access control, and audit logging.

How does cloud vs. on-premises video storage affect CMMC compliance?

Cloud-based video storage must reside in FedRAMP-authorized environments to meet CMMC requirements, while on-premises storage gives you full control but requires more infrastructure investment. Hybrid architectures balance control and scalability by storing sensitive footage on-premises and using cloud for backup.

What happens if a federal contractor fails a CMMC assessment?

Contractors who do not achieve the required CMMC level cannot be awarded or maintain contracts requiring that certification. You can remediate gaps documented in a Plan of Action and Milestones and reassess within 180 days.

How long does it typically take to achieve CMMC readiness?

Timelines vary based on your current security posture and required CMMC level, but most organizations should plan for several months of preparation. Starting with a comprehensive gap assessment helps you understand your specific timeline and resource needs.

Get started with CMMC-ready video security

Federal security teams preparing for CMMC assessment need video security infrastructure that supports compliance without adding complexity. Lumana's AI-powered video security platform features built-in encryption, centralized logging, role-based access control, and incident response capabilities aligned with NIST SP 800-171 controls.

The platform works with your existing IP cameras, eliminating costly hardware replacements while providing the security controls federal contractors require. Lumana can assist with system security plan development, compliance documentation, and integration with existing security systems. Request a demo to see how Lumana supports CMMC readiness for federal security teams.
