Navigating CMMC Requirements in 2025: What Defense Contractors Must Know
- mike08242
- 2 days ago

If your organization handles sensitive information on behalf of the U.S. Department of Defense (DoD), there’s a good chance that your eligibility for future contracts hinges on one thing: your ability to meet CMMC requirements. The Cybersecurity Maturity Model Certification (CMMC) is no longer just a theoretical framework. As of December 2024, CMMC 2.0 has entered the rulemaking phase, and its enforcement is set to ramp up throughout 2025.
The rollout of CMMC represents one of the most consequential shifts in how defense contractors must manage and protect federal information. The goal? To prevent cybersecurity breaches in the Defense Industrial Base (DIB) by ensuring that every contractor meets a baseline level of cybersecurity hygiene — or better, depending on the type of data they touch.
In this article, we’ll explore what CMMC requirements entail under the updated 2.0 model, how the assessment process works, why it matters to organizations like yours, and how you can prepare for what’s coming next.
What is CMMC?
The Cybersecurity Maturity Model Certification is a unified standard for implementing cybersecurity across the DIB. Originally launched in 2020, the framework was developed to address inconsistent cybersecurity protections across contractors. Over time, it became clear that the original five-level structure needed refinement. Enter CMMC 2.0 — a streamlined, more flexible approach that closely aligns with existing federal standards like NIST SP 800-171.
CMMC 2.0 simplifies the framework into three levels, each tied to the sensitivity of the data a contractor accesses or stores. And unlike the original model, which applied the same assessment approach across the board, CMMC 2.0 offers a tailored approach: not every contractor must undergo a third-party audit, and not every level demands the same degree of rigor.
Why CMMC Requirements Matter
Cyber threats targeting the defense industry have grown in volume and sophistication. From state-sponsored actors to opportunistic cybercriminals, adversaries have learned to exploit vulnerabilities in the supply chain — and contractors are often the weak link. The DoD estimates that billions of dollars in intellectual property and defense data are lost each year due to cyberattacks and data breaches. CMMC is an attempt to stop that bleeding.
For defense contractors, this is about more than just compliance. It's about maintaining competitiveness. If your organization fails to meet the required level of CMMC, you could be ineligible to bid on contracts that involve Controlled Unclassified Information (CUI). And if you’re already working under such a contract, you risk noncompliance — and possibly losing the business.
Understanding the Three CMMC 2.0 Levels
Let’s break down the three levels under CMMC 2.0 and what each requires in terms of cybersecurity maturity:
Level 1: Foundational
This level applies to contractors that handle only Federal Contract Information (FCI), which includes information not intended for public release but also not classified. Think project schedules, contract performance details, and other administrative data.
Security Requirements: Implement the 17 basic controls outlined in FAR 52.204-21. These are straightforward cybersecurity hygiene practices like using strong passwords, limiting access to systems, and ensuring firewalls are in place.
Assessment Requirements: An annual self-assessment is required, and results must be submitted to the Supplier Performance Risk System (SPRS). This is a trust-based model, and it applies only to contractors that don’t handle CUI.
Level 2: Advanced
Most contractors seeking to meet CMMC requirements will fall under Level 2. This level is required for organizations that handle CUI — information that, while not classified, is considered sensitive and requires protection under federal law and policy.
Security Requirements: Level 2 mirrors the 110 controls specified in NIST SP 800-171, including access control, audit logging, incident response, configuration management, and more.
Assessment Requirements: If your contract is deemed “critical to national security,” you’ll need to undergo a third-party assessment by an accredited Certified Third-Party Assessment Organization (C3PAO) every three years. For non-critical contracts, you may be allowed to self-assess annually with a senior company official attesting to the results.
Level 3: Expert
This highest level is intended for contractors working with the most sensitive CUI or systems critical to national security.
Security Requirements: Compliance with all 110 controls from NIST SP 800-171 plus a subset of the enhanced security requirements from NIST SP 800-172.
Assessment Requirements: A government-led assessment conducted every three years by the Defense Contract Management Agency (DCMA) or another DoD-approved entity.
The CMMC Assessment Process
One of the major changes in CMMC 2.0 is the updated approach to assessments. Previously, all certification levels required third-party audits, which proved costly and time-consuming for smaller contractors. Under 2.0, the DoD has introduced a tiered approach that adjusts the burden based on the risk associated with the data involved.
Here’s how assessments work:
Self-Assessments: Permitted at Level 1 and for some Level 2 contracts. Organizations perform their own evaluations and submit scores to SPRS. A senior executive must affirm the accuracy of the results.
Third-Party Assessments: Required for critical Level 2 contracts. C3PAOs conduct formal audits and issue a certification valid for three years.
Government Assessments: Level 3 assessments are exclusively conducted by the government.
This model allows for scalability while focusing audit resources where the risk is greatest.
What’s the Timeline for Enforcement?
While the final rule was issued in December 2024, CMMC requirements won’t appear in every DoD contract overnight. Instead, the DoD is taking a phased approach. According to the official Federal Register notice, the implementation timeline looks like this:
Q1 2025: Voluntary third-party assessments for Level 2 become available.
Mid-2025: The first contracts requiring CMMC certifications will begin to appear.
Late 2025 – 2026: CMMC requirements become increasingly common in solicitations.
2026 and Beyond: Full enforcement is expected across all relevant contracts.
The takeaway? Contractors need to act now. Waiting until you see CMMC requirements in your contract could be too late, especially if a third-party audit is needed.
Challenges to Anticipate
Even though CMMC 2.0 is more streamlined than its predecessor, implementation isn’t without challenges:
Documentation: Organizations must demonstrate policies and procedures that align with each control. Documentation gaps are one of the most common failure points in assessments.
Costs: Especially for small- to mid-sized businesses, the costs of security tools, personnel training, and audits can be significant.
Resource Constraints: Many contractors rely on MSPs or internal IT teams that are already stretched thin. Adding compliance responsibilities without a strategy can lead to burnout or missteps.
Supply Chain Risk: Prime contractors must also ensure that their subs are compliant. A non-compliant subcontractor could jeopardize an entire project.
Steps to Get Started
Here’s a practical path to preparing for CMMC certification:
Conduct a Readiness Assessment: Map your current practices against the CMMC level you expect to need. Use tools like NIST’s self-assessment handbook for SP 800-171.
Remediate Gaps: Address missing controls through updated policies, technical controls, and employee training.
Implement Continuous Monitoring: Cybersecurity is not a “set it and forget it” task. Make sure you have monitoring, detection, and response plans in place.
Engage a C3PAO (if needed): Visit the CMMC-AB Marketplace to find authorized assessors.
Stay Informed: Rules and guidance continue to evolve. Subscribe to updates from dodcio.defense.gov or trusted compliance consultants.
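To make the readiness-assessment step concrete, here is a small gap tracker (an added example, not code from the article or from the DoD): it holds a constructed inventory of a few SP 800-171 requirements with their implementation status, computes the self-assessment score the way the DoD Assessment Methodology does (110 minus a 5-, 3- or 1-point deduction for each requirement not fully implemented, with requirements absent from the inventory assumed met), and orders the open gaps by weight so remediation starts with the most costly misses. The titles and weights in the sample inventory are illustrative, and the partial-credit rules the methodology allows for a couple of requirements are not modelled.

```python
"""Readiness gap tracker for a NIST SP 800-171 / CMMC Level 2 self-assessment."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    req_id: str   # NIST SP 800-171 requirement number
    title: str
    weight: int   # DoD Assessment Methodology deduction: 5, 3 or 1
    status: str   # "met", "not_met" or "poam" (planned, tracked in a POA&M)


MAX_SCORE = 110  # full implementation of all 110 requirements

# Constructed sample inventory: a handful of the 110 requirements.
# Weights and statuses are illustrative, not an assessment of any real system.
INVENTORY = [
    Control("3.1.1", "Limit system access to authorized users", 5, "met"),
    Control("3.1.22", "Control CUI posted on publicly accessible systems", 1, "met"),
    Control("3.3.1", "Create and retain system audit logs", 5, "not_met"),
    Control("3.5.3", "Use multifactor authentication", 5, "poam"),
    Control("3.8.4", "Mark media with CUI markings", 1, "not_met"),
    Control("3.11.2", "Scan for vulnerabilities periodically", 3, "met"),
    Control("3.14.2", "Provide protection from malicious code", 5, "met"),
]


def sprs_score(inventory):
    """110 minus the weight of every requirement that is not fully implemented.
    Items still open on a POA&M count as not implemented for scoring."""
    deductions = sum(c.weight for c in inventory if c.status != "met")
    return MAX_SCORE - deductions


def gaps(inventory):
    """Unimplemented requirements, highest deduction first, so the
    remediation plan tackles the biggest score impact before the rest."""
    return sorted((c for c in inventory if c.status != "met"),
                  key=lambda c: (-c.weight, c.req_id))


def coverage(inventory):
    """Fraction of tracked requirements that are fully implemented."""
    return sum(1 for c in inventory if c.status == "met") / len(inventory)


if __name__ == "__main__":
    print(f"SPRS score: {sprs_score(INVENTORY)} / {MAX_SCORE}")
    for c in gaps(INVENTORY):
        print(f"  -{c.weight}  {c.req_id}  {c.title}  [{c.status}]")
```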
Final Thoughts
CMMC requirements are reshaping the way defense contractors approach cybersecurity — and for good reason. The threats facing our nation’s supply chain are growing, and inconsistent practices across the DIB have left the door wide open for cyberattacks.
Whether you’re a large prime contractor or a 10-person subcontractor supporting a logistics program, your cybersecurity maturity will soon be under the microscope. The good news? With proper planning and the right expertise, achieving CMMC compliance is absolutely possible.
The time to prepare is now. Don’t wait for the requirement to land in your inbox. Start assessing, planning, and building today.
Sources:
U.S. Department of Defense Chief Information Officer. “Cybersecurity Maturity Model Certification (CMMC).” https://dodcio.defense.gov/CMMC/
Federal Register. “Cybersecurity Maturity Model Certification (CMMC) Program Final Rule.” https://federalregister.gov
National Institute of Standards and Technology. “NIST SP 800-171 and 800-172.” https://csrc.nist.gov
CMMC Accreditation Body Marketplace. https://cmmcab.org
Crowell & Moring LLP. “Preparing for CMMC in 2025.”