AI GovCon

CMMC 2.0 Explained: What Every Defense Contractor Needs to Know

The DoD's Cybersecurity Maturity Model Certification 2.0 final rule took effect November 2025. If you handle federal contract information or controlled unclassified information, this affects your ability to win defense contracts.

February 17, 2026 · 10 min read

What Is CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's framework for ensuring that contractors handling sensitive defense information maintain adequate cybersecurity protections. After several years of development and revision, the program itself was finalized in the 32 CFR Part 170 rule (effective December 2024); the acquisition rule that actually puts CMMC into contracts, the DFARS (48 CFR) final rule, was published in September 2025 and took effect on November 10, 2025, initiating a phased rollout into DoD contracts.

If your business holds or pursues DoD contracts — or if you're a subcontractor to a prime that does — CMMC 2.0 is not optional. This is one of the most significant regulatory changes for defense contractors in a decade, and preparation takes months, not weeks.

Who Does CMMC Apply To?

CMMC requirements apply to any company in the Defense Industrial Base (DIB) that handles:

  • Federal Contract Information (FCI): Information not intended for public release that is provided by or generated for the government under a contract
  • Controlled Unclassified Information (CUI): Information the government creates or possesses that requires safeguarding — think technical data, export-controlled research, personally identifiable information, and more

This includes prime contractors and subcontractors at every tier of the supply chain.

The Three CMMC Levels

CMMC 2.0 simplified the earlier five-level model into three:

Level 1 — Foundational

Applies to: Companies handling Federal Contract Information (FCI) only

Requirements: the 15 basic safeguarding requirements of FAR 52.204-21 (earlier CMMC drafts counted 17; the final rule aligns exactly with the FAR clause)

Assessment: Annual self-assessment with an annual affirmation by a senior company official, both recorded in SPRS; no third-party assessor is required, and no POA&M is permitted at Level 1

Examples of Level 1 controls: access control, identification and authentication, media protection, physical protection, system and communications protection, system and information integrity

Level 2 — Advanced

Applies to: Companies handling Controlled Unclassified Information (CUI)

Requirements: the 110 security requirements of NIST SP 800-171 Rev 2, assessed against the objectives in NIST SP 800-171A

Assessment: Third-party assessment by a C3PAO (CMMC Third-Party Assessment Organization) every three years, with an annual affirmation in between. For a subset of lower-risk contracts DoD specifies a Level 2 self-assessment instead; it runs on the same three-year cycle with the same annual affirmation, not annually.

This is where the vast majority of defense contractors fall. If you're a tech company, IT services firm, engineering firm, or any company with access to CUI, expect Level 2.

Level 3 — Expert

Applies to: Companies handling highly sensitive CUI, typically on DoD's most critical programs

Requirements: all of NIST SP 800-171 plus 24 selected requirements from NIST SP 800-172; a Level 2 C3PAO certification is a prerequisite

Assessment: Conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), the government's own assessors, every three years with annual affirmation

Most small businesses will not need to achieve Level 3.

The Phased Implementation Timeline

DoD is rolling out CMMC requirements across contracts in four phases:

  • Phase 1 (from November 10, 2025): Contracting officers begin including CMMC requirements in solicitations. Level 1 and Level 2 self-assessment requirements start appearing; DoD may, at its discretion, already require a Level 2 C3PAO assessment on individual contracts.
  • Phase 2 (from November 10, 2026): Level 2 C3PAO assessment requirements start appearing in new contracts involving CUI.
  • Phase 3 (from November 10, 2027): Level 3 DIBCAC assessment requirements are added for the most sensitive programs.
  • Phase 4 (from November 10, 2028): Full implementation; all applicable solicitations and contracts, including option periods on existing contracts, carry CMMC requirements.

The key point: you cannot assume you are safe until 2028. Solicitations in 2025 and 2026 may already carry the CMMC clause (DFARS 252.204-7021) and the solicitation notice (DFARS 252.204-7025), and bidding without the required level recorded in SPRS means disqualification.

How to Prepare: A Practical Roadmap

Step 1: Identify Your Data Environment

Determine whether your contracts involve FCI, CUI, or neither. If you're not sure, review your contracts for the DFARS 252.204-7012 clause; its presence is a strong indicator that CUI is in scope. It also means you already owe a NIST SP 800-171 Basic assessment score in SPRS under DFARS 252.204-7019/7020, so check that the score you have on file reflects reality before CMMC makes it an affirmed statement.

Step 2: Determine Your Required CMMC Level

Talk to your contracting officer or prime contractor to understand what CMMC level will be required on your contracts. Check new solicitations for CMMC clauses.

Step 3: Conduct a Gap Analysis

Compare your current cybersecurity posture against the required control set (FAR 52.204-21 for Level 1, NIST SP 800-171 for Level 2). NIST SP 800-171A supplies the assessment objectives, and DoD's NIST SP 800-171 Assessment Methodology supplies the scoring: every requirement is weighted 1, 3 or 5 points and subtracted from 110 when it is not met. Many companies use a third-party consultant or a C3PAO to conduct this gap analysis; note that a C3PAO that provides you consulting or remediation services is barred from performing your certification assessment, so pick your assessor and your advisor as separate organizations.

Step 4: Build Your System Security Plan (SSP)

A System Security Plan documents your environment (including the assessment scope and any enclave boundaries), the controls you've implemented, and how you manage each one. It is a required artifact for self-assessments and third-party assessments alike, and under the DoD scoring methodology an assessment cannot even be scored without one.

Step 5: Remediate Gaps via a Plan of Action & Milestones (POA&M)

At Level 2, CMMC 2.0 allows a contractor to receive a conditional status with a POA&M and then has 180 days from the date of that conditional status to close the open items and pass a closeout assessment. The rules are strict: the assessment score must be at least 88 of 110 (80%), only requirements worth 1 point may be deferred (the one exception is SC.L2-3.13.11 CUI encryption, which may be deferred when encryption is in place but not FIPS-validated), and five 1-point requirements can never be deferred: AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4 and PE.L2-3.10.5. Every other control must be in place before the assessment, and no POA&M is permitted at Level 1.
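The scoring arithmetic from Step 3 and the POA&M conditions from Step 5 are easy to get wrong by hand, so here is a small calculator that applies both. It is an example added to this article, not an official DoD, Cyber AB or AI GovCon tool. The `WEIGHTS` table is a constructed excerpt of the DoD Assessment Methodology weighting (the real methodology assigns a weight to all 110 requirements); the eligibility rules encode the 88-point floor, the 1-point limit, the FIPS-validation exception and the five excluded requirements described above. The sample findings are constructed for illustration.

```python
"""CMMC Level 2 score and POA&M eligibility calculator (illustrative).

Start at 110 and subtract 1, 3 or 5 points per unmet requirement, then
apply the Level 2 POA&M conditions from 32 CFR 170.21. WEIGHTS is only an
excerpt of the real weighting table.
"""
from dataclasses import dataclass

MAX_SCORE = 110
MIN_POAM_SCORE = 88          # 80% of 110: floor for a conditional Level 2 status
FIPS_REQ = "SC.L2-3.13.11"   # CUI encryption with FIPS-validated cryptography
FIPS_PARTIAL_DEDUCTION = 3   # encryption in place but not FIPS-validated

# Constructed excerpt of the weighting table (points lost when not met).
WEIGHTS = {
    "AC.L2-3.1.1": 5,    # limit system access to authorized users
    "AC.L2-3.1.20": 1,   # verify and control connections to external systems
    "AC.L2-3.1.22": 1,   # control CUI posted on publicly accessible systems
    "AU.L2-3.3.1": 5,    # create and retain audit logs
    "IA.L2-3.5.3": 5,    # multifactor authentication
    "PE.L2-3.10.3": 1,   # escort and monitor visitors
    "SC.L2-3.13.8": 3,   # encrypt CUI in transit
    FIPS_REQ: 5,
    "SI.L2-3.14.1": 5,   # identify, report and correct flaws
}

# 1-point requirements the rule still excludes from any POA&M.
NEVER_ON_POAM = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})


@dataclass(frozen=True)
class Finding:
    req_id: str
    status: str  # "met", "not_met", or "partial" (only valid for SC.L2-3.13.11)


@dataclass
class ScoreResult:
    score: int
    deductions: dict       # req_id -> points deducted
    blockers: list         # unmet requirements that cannot go on a POA&M
    poam_eligible: bool    # True: conditional status possible with a POA&M


def deduction_for(finding: Finding) -> int:
    """Points lost for one finding under the DoD methodology."""
    if finding.req_id not in WEIGHTS:
        raise ValueError(f"{finding.req_id}: not in the weighting table")
    if finding.status == "met":
        return 0
    if finding.status == "partial":
        if finding.req_id != FIPS_REQ:
            raise ValueError("'partial' is only defined for SC.L2-3.13.11")
        return FIPS_PARTIAL_DEDUCTION
    if finding.status != "not_met":
        raise ValueError(f"unknown status {finding.status!r}")
    return WEIGHTS[finding.req_id]


def poam_allowed(req_id: str, points: int) -> bool:
    """Only 1-point items may be deferred, never the five excluded ones,
    plus the FIPS requirement when it carries the 3-point partial deduction."""
    if req_id in NEVER_ON_POAM:
        return False
    if req_id == FIPS_REQ and points == FIPS_PARTIAL_DEDUCTION:
        return True
    return points <= 1


def score_assessment(findings) -> ScoreResult:
    """Score a set of findings and decide whether a POA&M is permitted."""
    deductions = {}
    for f in findings:
        pts = deduction_for(f)
        if pts:
            deductions[f.req_id] = pts
    score = MAX_SCORE - sum(deductions.values())
    blockers = sorted(r for r, p in deductions.items() if not poam_allowed(r, p))
    eligible = score >= MIN_POAM_SCORE and not blockers
    return ScoreResult(score, deductions, blockers, eligible)


# Constructed sample: MFA missing, encryption present but not FIPS-validated,
# external connections uncontrolled, everything else in the excerpt met.
SAMPLE_FINDINGS = [
    Finding("AC.L2-3.1.1", "met"),
    Finding("AC.L2-3.1.20", "not_met"),
    Finding("IA.L2-3.5.3", "not_met"),
    Finding(FIPS_REQ, "partial"),
    Finding("SC.L2-3.13.8", "met"),
]


def sample_result() -> ScoreResult:
    return score_assessment(SAMPLE_FINDINGS)


if __name__ == "__main__":
    r = sample_result()
    print(f"Score: {r.score}/{MAX_SCORE}")
    print(f"POA&M eligible: {r.poam_eligible}; fix before assessment: {r.blockers}")
```

The sample scores 101, comfortably above 88, yet it is not POA&M-eligible: the missing MFA is a 5-point item and uncontrolled external connections is on the excluded list, so both must be closed before the C3PAO assessment. Only the non-FIPS encryption could be deferred. That is the pattern to expect in practice: the score threshold is rarely the binding constraint, the 1-point rule is.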

Step 6: Complete Your Assessment

For Level 1 (and Level 2 self-assessment): complete the self-assessment, record the result in the Supplier Performance Risk System (SPRS), and have a senior company official submit the affirmation there. For Level 2 (third-party required): engage a C3PAO to conduct the formal assessment; the C3PAO records the result, which then flows to SPRS, and you still submit the annual affirmation. Find accredited C3PAOs on the Cyber AB marketplace.

What Happens if You Don't Comply?

The consequences are serious:

  • You cannot bid on or win DoD contracts that require a CMMC level you do not have recorded in SPRS
  • Submitting a false assessment score or affirmation to the government (via SPRS) can trigger the False Claims Act, which carries treble damages (three times the government's loss) plus a civil penalty for each false claim; DOJ has already pursued contractors over inaccurate NIST SP 800-171 scores
  • Prime contractors are required to flow down CMMC requirements to subcontractors at the level matching the information shared; a prime that cannot show its subs hold the required status puts its own award at risk

How AI GovCon Helps with CMMC

When AI GovCon surfaces contract opportunities from SAM.gov, compliance requirements — including CMMC clauses — are extracted and surfaced in the opportunity brief. Before you spend time drafting a proposal, you'll know exactly what cybersecurity certification level is required and whether you're currently eligible to bid.

Ready to find your opportunities?

AI GovCon monitors SAM.gov and filters contracts to match your NAICS codes.