On October 15, 2024, the United States Department of Defense (DoD) published the Cybersecurity Maturity Model Certification (CMMC) Final Rule. The rule became operational on December 16, 2024, with assessments beginning on January 2, 2025.
On November 10, 2025, CMMC requirements will begin to appear in select defense contracts.
Understanding CMMC’s key compliance deadlines is critical for DoD suppliers. By knowing what’s required by each date, you can split the certification journey into achievable milestones.
But perhaps the best way to ace CMMC compliance is to familiarize yourself with the requirements in the program’s newly revamped framework – CMMC 2.0.
Here are the key updates and their implications for defense contractors.
- Consolidated Maturity Levels
One of CMMC's most distinctive features is its tiered maturity levels. Defense contractors fall into a specific level depending on the type of information they handle.
CMMC 1.0 had five maturity levels – Performed, Managed, Documented, Reviewed, and Optimized. To streamline compliance, the DoD decided to consolidate these into three levels in CMMC 2.0.
We now have Level 1/Foundational, Level 2/Advanced, and Level 3/Expert.
The Foundational Level applies to contractors that process Federal Contract Information (FCI). It mandates compliance with 17 cybersecurity controls derived from the Federal Acquisition Regulation (FAR) 52.204-21.
Level 2 is where most contractors fall. To obtain CMMC certification under this category, you must fulfill the 110 controls contained in National Institute of Standards and Technology (NIST) SP 800-171. These controls are designed to safeguard Controlled Unclassified Information (CUI).
Level 2 also mandates CMMC C3PAO assessments.
Short for CMMC third-party assessor organizations, C3PAOs are independent agencies authorized to conduct cybersecurity audits on the DoD’s behalf. They’re accredited by the Cyber Accreditation Body (AB).
Finally, Level 3 aims to safeguard high-priority CUI. It stipulates compliance with all Level 2 cybersecurity standards plus 24 controls from NIST SP 800-172.
- Removal of Unique CMMC Practices
Both CMMC 1.0 and 2.0 are based on established NIST cybersecurity standards.
However, CMMC 1.0 had additional cybersecurity practices.
At first glance, implementing unique cybersecurity requirements may sound like an ingenious strategy by the DoD to raise the compliance bar. But upon closer inspection, these additional controls only complicated the compliance process.
After months of analyzing opinions from the public and cybersecurity pundits, the DoD decided to eliminate the unique requirements. This led to a more streamlined framework.
- Emphasis on Mandatory Compliance
CMMC compliance has always been mandatory for defense suppliers.
However, CMMC 2.0 underscores this requirement by spelling out the obligations of each key stakeholder.
Prime Contractors
Prime contractors engage directly with the DoD. Examples include Lockheed Martin, Boeing, General Dynamics, Northrop Grumman, and BAE Systems.
Due to their direct engagement with the DoD, prime contractors shoulder the heaviest responsibility in safeguarding sensitive information. Compliance is simply not an option.
Subcontractors
The DoD allows its suppliers to subcontract their services. But while subcontractors don’t maintain direct contractual engagements with the defense agency, they must equally comply with the CMMC framework.
Note that this requirement applies across all CMMC maturity levels. If you’re, say, a Level 2 contractor, ensure your subcontractors fulfill all Level 2 requirements before scheduling the next CMMC assessment.
External Service Providers (ESPs)
External service providers offer specialized services to defense contractors, such as data management, accounting, and human resources. They, too, must comply with the CMMC framework.
In fact, CMMC 2.0 has an ESP-dedicated section titled ‘External Service Provider Considerations.’ A clause within the section states that ESPs are within the scope of CMMC requirements if they meet the criteria for CUI Asset or Security Protection Asset.
- Hybrid Assessments
Under CMMC 1.0, the DoD required all its contractors to enlist independent cybersecurity assessors. This applied across all the framework’s maturity levels.
However, CMMC 2.0 introduces self-assessments for Level 1 businesses.
Level 1 DoD suppliers can self-audit annually and submit their affirmation reports to the DoD’s Supplier Performance Risk System (SPRS).
Meanwhile, a C3PAO must conduct most Level 2 assessments. These audits are mandatory every three years, with the findings reported to the Enterprise Mission Assurance Support Service (eMASS).
Level 3 audits are only undertaken by a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)-designated official. Such audits must also happen triennially.
- Affirmation of Ongoing Compliance
CMMC 2.0 certification isn’t a one-time event. Instead, defense contractors must confirm their continued compliance with the framework.
This doesn't apply only to Level 1 businesses. While Level 2 and Level 3 vendors schedule assessments triennially, the DoD requires them to complete annual affirmations of compliance as well.
This is an ingenious strategy by the DoD to hold its suppliers individually accountable for safeguarding the defense supply chain.
In contrast, CMMC 1.0 lacked a robust system for defense contractors to submit annual self-affirmations of CMMC compliance. The implication was that many contractors had an incentive to bolster their security posture only ahead of the mandatory assessments.
- Stringent Noncompliance Penalties
When it comes to CMMC compliance, the DoD makes no exceptions. All contractors handling FCI and CUI must align their cybersecurity procedures with the framework.
While not elaborately spelled out in CMMC 2.0, recent events have proved that noncompliant contractors can face costly penalties.
A case in point is the False Claims Act settlement by Pennsylvania State University with the Department of Justice (DoJ).
On October 22, 2024, Penn State coughed up $1.25 million in a settlement following accusations that it breached the DoD's fundamental cybersecurity requirements in 15 contracts entered into between 2018 and 2023. Note that this settlement happened against the backdrop of the CMMC Final Rule's publication.
- Phased Rollout
CMMC 2.0 will be rolled out in phases. They include:
Phase 1 (From November 10, 2025)
CMMC's rollout starts on November 10, 2025. A key highlight here will be the incorporation of CMMC requirements into applicable solicitations and awards. This phase mostly targets Level 1 and Level 2 self-assessments.
Phase 2 (From November 1, 2026)
In Phase 2, C3PAO-led assessments will be a condition for contract awards.
Phase 3 (After Phase 2)
Level 3 assessments are expected to begin from this phase.
Phase 4 (After Phase 3)
This phase will mark the end of the rollout, with CMMC requirements expected in all defense contracts and solicitations.
Get Ahead of the Pack by Keeping Abreast of CMMC News
The CMMC program has evolved tremendously since its initial unveiling in January 2020. Although CMMC 2.0 is still taking shape, the DoD may reform the framework further to align with emerging cybersecurity concerns.
As a smart contractor, it’s imperative to keep abreast of every CMMC development.
Start by complying with all the requirements under your CMMC maturity level. Then, actively monitor DoD press releases for any proposed reforms to the framework.
This way, you can implement new changes and get ahead of your competitors.