CMMC 2.0 Compliance: What US Defense Contractors Need to Know in 2025
CMMC 2.0 reshapes cybersecurity requirements for every company in the Defense Industrial Base. Here is what the three-level model means for your contracts and your readiness posture.

TL;DR
CMMC 2.0 creates three cybersecurity maturity levels for DoD suppliers. Level 1 is self-assessed; Level 2 requires third-party certification for most contracts (a limited subset allows self-assessment); Level 3 requires government-led assessment. Contracts began including CMMC requirements in 2025.
What Is CMMC 2.0 and Why Does It Matter?
The Cybersecurity Maturity Model Certification, now in its second major revision, is the Department of Defense's mandatory framework for verifying that companies in the Defense Industrial Base (DIB) adequately protect sensitive federal information. CMMC 2.0 replaced the original five-level model with a streamlined three-level structure, reducing compliance complexity while hardening the requirements that matter most.
For US defense contractors, CMMC is no longer a future concern. The DoD finalized its CMMC Program rule in late 2024, and contract clauses requiring certification began appearing in solicitations in 2025. Any organization that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must align with this framework or risk losing eligibility to compete for DoD work.
The Three-Level Model Explained
Level 1 — Foundational
Level 1 applies to contractors that process only Federal Contract Information. It encompasses 17 basic cyber hygiene practices drawn from FAR clause 52.204-21. Critically, Level 1 is self-assessed annually. Organizations affirm their compliance through a senior official attestation submitted to the Supplier Performance Risk System (SPRS). While the barrier to entry is lower, false attestation carries legal exposure under the False Claims Act.
Level 2 — Advanced
Level 2 is the tier that will affect the largest share of the DIB. It aligns directly with the 110 security practices in NIST SP 800-171 and is aimed at organizations that handle CUI. Most Level 2 contractors will be required to undergo a triennial third-party assessment conducted by a DoD-authorized C3PAO (Certified Third-Party Assessment Organization). A subset of lower-risk programs may permit annual self-assessment with senior-official attestation, but this is the exception, not the rule.
Level 3 — Expert
Level 3 targets organizations supporting DoD's highest-priority programs where CUI is most sensitive. It builds on all 110 NIST SP 800-171 practices and adds a subset of controls from NIST SP 800-172. Level 3 assessments are conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). This tier is reserved for a comparatively small number of contractors, but the stakes—and the rigor—are correspondingly high.
Who Is In Scope?
CMMC applies across the entire DoD supply chain, including prime contractors and their subcontractors down the chain. The key triggering factor is not company size or contract value; it is the type of information handled. If your organization stores, processes, or transmits FCI or CUI in the performance of a DoD contract, CMMC requirements will flow down to you through contract clauses.
This means small and mid-size US businesses that serve as sub-tier suppliers to large defense primes cannot assume they are exempt. Primes are contractually obligated to ensure their subcontractors meet the applicable CMMC level, and they will increasingly audit their supply chains accordingly.
Common Misconceptions
- CMMC is not just an IT security checklist. It is a contractual prerequisite. A company that cannot demonstrate the required certification level will be ineligible to receive a contract award, regardless of technical merit or pricing.
- A NIST SP 800-171 self-assessment score is not a CMMC certification. Submitting a score to SPRS fulfills a DFARS 252.204-7019 obligation, but it does not constitute CMMC Level 2 certification. These are parallel, overlapping requirements.
- Plans of Action and Milestones (POA&Ms) have limited utility under CMMC 2.0. Unlike some frameworks where a POA&M can defer deficiencies indefinitely, CMMC 2.0 allows only a narrow set of unmet practices to be covered by a conditional certification, and only for a defined remediation period.
- Cloud environments are in scope. If your organization uses cloud services to process or store CUI, those services must meet FedRAMP requirements or equivalent standards. Selecting a cloud provider is a compliance decision, not merely a technical one.
Timelines and Enforcement Trajectory
The CMMC Program final rule became effective in December 2024. The DoD is implementing CMMC requirements in solicitations on a phased basis. Broadly, Phase 1 began in early 2025 with contracts requiring Level 1 and some Level 2 self-assessments. Subsequent phases will expand the requirement for third-party C3PAO assessments across a broader set of contracts. By 2027, CMMC is expected to be a standard requirement across the majority of DoD acquisitions.
Contractors waiting for a contract award to begin their readiness efforts will be too late. Third-party assessments must be completed and recorded in the CMMC Enterprise Mission Assurance Support Service (eMASS) or equivalent system before award. The assessment pipeline at accredited C3PAOs is already constrained; lead times for scheduling are growing.
Business and Financial Stakes
The consequences of non-compliance extend beyond losing a single contract. A failed CMMC assessment or an inaccurate self-attestation can trigger False Claims Act liability, suspension and debarment proceedings, and reputational damage that affects relationships across the DIB. The DoD has made clear that cybersecurity is now a competitive differentiator, and the cost of a breach affecting CUI—both to national security and to the responsible contractor—is substantially higher than the cost of building a compliant security program.
Comparing CMMC 2.0 to Its Predecessor
| Dimension | CMMC 1.0 (Original) | CMMC 2.0 (Current) |
|---|---|---|
| Number of levels | 5 | 3 |
| Unique CMMC practices | ~20 above NIST 800-171 | Eliminated at L2; minimal at L3 |
| Self-assessment permitted | No (all third-party) | Yes, at L1 and select L2 programs |
| POA&M allowance | None | Limited conditional certification |
What Defense Contractors Should Prioritize Now
Organizations across the US defense supply chain should begin by classifying the information they handle to determine which CMMC level applies to their contracts. From there, a gap analysis against NIST SP 800-171 provides an honest baseline of where deficiencies exist. Understanding the remediation timeline and the C3PAO assessment scheduling realities is essential for building a realistic readiness plan before solicitations arrive.
Engaging knowledgeable advisors early—before the contract requirement is imminent—tends to produce better security outcomes and avoids the compressed, costly remediation that characterizes last-minute compliance efforts.
GR IT Services works with defense contractors and their supply chains on cybersecurity readiness and compliance advisory. To discuss your organization's CMMC posture, reach out at inquiry@gritservices.io.
Frequently Asked Questions
Does CMMC 2.0 apply to small businesses that are sub-tier suppliers?
Yes. CMMC requirements flow down through the entire DoD supply chain. If a small business handles FCI or CUI under a DoD contract or subcontract, the applicable CMMC level applies regardless of company size.
What is the difference between a NIST SP 800-171 score in SPRS and a CMMC certification?
A SPRS score reflects a DFARS 252.204-7019 self-assessment obligation. CMMC Level 2 certification requires a third-party assessment by an accredited C3PAO and acceptance recorded in the DoD system. They are related but legally distinct requirements.
Can a company receive a contract award while a POA&M is still open under CMMC 2.0?
Only in limited circumstances. CMMC 2.0 allows conditional certification for a narrow set of unmet practices with an approved POA&M and defined remediation timeline. Most practices must be fully implemented at time of assessment; the allowance is narrower than many contractors assume.
About the author
Rachel Goldberg, Chief Information Security Officer. Rachel Goldberg is a CISSP-certified CISO with 18 years of experience guiding US defense contractors and federal agencies through cybersecurity framework adoption and compliance assessments.