The Department of Defense (DoD) has issued the final rule for CMMC 2.0 to protect sensitive information within the Defense Industrial Base (DIB). With a phased rollout expected to begin in mid-2025, the new version simplifies the original framework in order to make compliance more attainable for small- and medium-sized businesses.
Here’s what contractors need to know to prepare effectively.
Key Changes in CMMC 2.0
The most visible change in CMMC 2.0 is the reduction of cybersecurity levels from five to three. Each level is tied to the sensitivity of the information a contractor routinely handles, which makes it clearer which requirements apply to a given contract.
Level 1 applies to contractors who handle only Federal Contract Information (FCI). It consists of the 15 basic safeguarding requirements of FAR 52.204-21 (the same practices that CMMC 1.0 counted as 17), and is met through an annual self-assessment plus an annual affirmation by a senior company official.
Level 2 applies to contractors who handle Controlled Unclassified Information (CUI) and requires all 110 security requirements of NIST SP 800-171. Depending on the solicitation, Level 2 is met either by a certification assessment performed by an authorized third-party assessment organization (C3PAO) or by a self-assessment; both run on a three-year cycle with an annual affirmation in between.
Level 3 targets the most sensitive CUI and adds 24 selected enhanced requirements from NIST SP 800-172 on top of Level 2. A contractor must first hold a Level 2 certification and then undergo a government-led assessment conducted by DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). This level is intended for contractors whose programs are likely targets of advanced persistent threats (APTs).
Benefits for Small- and Medium-Sized Businesses
Many SMBs have reported challenges with CMMC compliance in previous years, ranging from budget limitations to a lack of available staff and expertise. By consolidating the assessment levels and permitting self-assessment at Level 1 (and, for some contracts, at Level 2), CMMC 2.0 aims to make it more feasible and affordable to meet DoD requirements.
Additionally, Level 2 contractors can host CUI in cloud services, provided the service is FedRAMP Moderate authorized or meets an equivalent standard, as DFARS 252.204-7012 already requires. This can reduce the need for in-house infrastructure, but it does not transfer responsibility for the requirements: the contractor must still document, typically in a shared responsibility matrix, which of the 110 requirements the provider covers and which remain its own.
Timeline for CMMC 2.0 Implementation
The DoD is implementing CMMC 2.0 in four phases, which gives contractors time to adapt their cybersecurity programs, provided they start now.
Phase 1 begins on the date the accompanying DFARS acquisition rule takes effect, expected in mid-2025. From that date, DoD may require a Level 1 or Level 2 self-assessment as a condition of contract award for applicable solicitations.
Phase 2 begins one year after the start of Phase 1 (the proposed rule had set six months; the final rule extended it to a year). From this point DoD may require a Level 2 certification assessment by a C3PAO as a condition of award for applicable contracts, although it may defer that requirement to a contract's option periods.
Phase 3 begins one year after the start of Phase 2. Level 2 certification becomes a condition of award and of exercising option periods for all applicable contracts, and DoD begins requiring Level 3 certification for applicable contracts, with discretion to defer it to option periods.
Phase 4 begins one year after the start of Phase 3 and is full implementation: all CMMC requirements apply to all applicable solicitations and contracts, including option periods on contracts awarded earlier.
Practical Steps for Contractors
Achieving compliance under CMMC 2.0 requires a proactive approach, especially because demand for authorized assessors is expected to outstrip supply once certification becomes a condition of award. The following steps will help contractors prepare.
1. Understand Your Required Level
Contractors should determine which CMMC level applies to each of their DoD contracts based on the information they will handle under it, i.e. FCI or CUI. The required level is stated in the solicitation, so a single company may need different levels for different contracts. Knowing the level up front lets contractors focus on the specific requirements that apply to their data, rather than on the whole framework at once.
2. Review NIST SP 800-171 Controls
For Level 2, contractors must meet all 110 requirements in NIST SP 800-171. A thorough internal review against the assessment objectives in NIST SP 800-171A is essential for finding gaps, and the resulting score is reported in the Supplier Performance Risk System (SPRS). Open items can be tracked in a plan of action and milestones (POA&M), but the rule limits how far a POA&M can carry a contractor: only certain lower-weighted requirements may remain open at assessment time, the overall score must still reach the minimum of 88 out of 110, and every POA&M item must be closed out within 180 days or the conditional status lapses.
3. Plan and Schedule Assessments Early
Given that Level 2 certification requires a C3PAO assessment and Level 3 a government-led one, contractors should plan and book these well ahead of contract deadlines. Third-party assessments can take six to eight months to schedule due to high demand, and that does not include the three to four months the assessment and any remediation may take.
4. Leverage Cloud Services
Many cloud providers offer environments designed for DoD work, such as FedRAMP Moderate authorized offerings, with built-in controls that map to CMMC requirements. For SMBs, using such services can be a cost-effective route to compliance without buying and running in-house hardware. Before relying on a provider, verify its authorization status and obtain its shared responsibility matrix: the contractor remains accountable for every requirement the provider does not cover, and for how its own staff and endpoints use the service.
5. Stay Informed of Subcontractor Requirements
Prime contractors must flow CMMC requirements down to their subcontractors and verify that each one holds the level appropriate to the information it will receive, especially on projects involving CUI. A subcontractor that receives only FCI needs Level 1, but one that will receive CUI needs at least Level 2, and if the prime's contract calls for a C3PAO certification, the subcontractor's Level 2 must be certified as well rather than self-assessed.
Preparing for a Secure Future
As CMMC 2.0's phased rollout approaches, contractors within the DIB must use the time they have now to prepare. By aligning their cybersecurity practices with DoD standards, they help protect national security, secure sensitive information, and strengthen the defense supply chain for years to come.
Those that need assistance with this process can get it through HCRS. Contact us today to discuss our RPO program.