CMMC Levels Explained: What Contractors Need to Know in 2025

Jul 23, 2025 9:00:00 AM / by USFCR

What Is CMMC and Why It Matters in 2025

The Cybersecurity Maturity Model Certification, or CMMC, is the Department of Defense’s framework for protecting sensitive information in the federal contracting space. Starting in October 2025, CMMC requirements will begin appearing in DoD solicitations. The rollout will occur in phases through 2028.

CMMC applies to both prime contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Even if it’s not yet written into your current contract, many prime contractors are already requesting proof of compliance or system readiness from their subs.

If you want to stay eligible for DoD opportunities over the next few years, understanding your required CMMC level and the assessment path that comes with it is critical.

The Origin of CMMC: From 1.0 to 2.0

CMMC was introduced in January 2020 as a five-level certification model aimed at improving cybersecurity across the Defense Industrial Base. The original framework required all contractors to undergo third-party assessments. While this was a step toward stronger security, it created delays and compliance hurdles for small businesses.

In November 2021, the DoD announced CMMC 2.0. This new version reduced the framework to three levels, aligned with existing NIST standards, and introduced the possibility of self-assessment for Level 1 and some Level 2 contracts.

The final rule under 32 CFR was published on October 15, 2024. In July 2025, the DoD submitted the acquisition-focused 48 CFR rule to the Office of Information and Regulatory Affairs. This second rule allows CMMC to be written into federal contracts. While not finalized, the 48 CFR rule targets an implementation date of October 1, 2025.

How Has CMMC 2.0 Changed from Version 1.0?

| Feature | CMMC v1.0 | CMMC v2.0 |
| --- | --- | --- |
| Levels | 5 Levels | 3 Levels |
| Assessment Model | All third-party | Mix of self and third-party |
| Certification Renewal | Unclear | Level 1 annually, Level 2 every 3 years |
| Implementation Speed | Slower pre-COVID | Final Rule effective Dec. 2024 |

CMMC 2.0 streamlines the framework without removing core security requirements. Here's how it compares to the original:

Levels
• 3 instead of 5

Assessment model
• Mix of self and third-party, depending on contract type

Certification renewal
• Level 1 annually
• Level 2 every 3 years

Implementation
• Targets October 2025 start under the 48 CFR rule
Breakdown of CMMC Levels 1–3

Level 1 – Foundational

Level 1 applies to contractors handling only Federal Contract Information. These companies typically provide services like custodial work, groundskeeping, deliveries, or basic maintenance.

Requirements include 15 security practices outlined in FAR 52.204-21. These cover:

• Access control for authorized users
• Password policy enforcement
• Use of antivirus and antimalware software
• Restricting physical access to systems
• Keeping software and devices updated
• Documented system security plans (SSPs)

Level 1 contractors must also:

• Complete an annual self-assessment
• Maintain internal documentation
• Report results in the Supplier Performance Risk System (SPRS)

Level 2 – Advanced

Level 2 applies to contractors that handle Controlled Unclassified Information. This level requires implementation of all 110 controls in NIST SP 800-171 Revision 2. Although Revision 3 was released in 2024, the DoD has locked current compliance requirements to Revision 2 under DFARS 252.204-7012.

Key security requirements include:

• Documented System Security Plans
• Access control and logging
• Secure data transmission
• Incident response and recovery policies
• Multi-factor authentication

Assessment process:

• Phase 1 (October 2025): Some contracts allow self-assessment for non-prioritized CUI
• Phase 2 (October 2026): Most Level 2 contracts require third-party assessments
• Assessment results submitted via SPRS or eMASS (when available)

Other considerations:

• Level 2 certification typically takes 12 to 18 months
• Limited number of Certified Third Party Assessment Organizations (C3PAOs)
• Delaying preparation increases the risk of missing future opportunities

Level 3 – Expert

Level 3 is intended for contractors supporting the most sensitive national security programs. It requires full implementation of NIST SP 800-171 Revision 2 and additional protections from NIST SP 800-172.

Examples of advanced protections include:

• Continuous monitoring
• Behavioral analytics and anomaly detection
• Creation of secure enclaves
• Adaptive network segmentation
• Insider threat detection

Assessment for Level 3 is:

• Conducted directly by DoD personnel
• Required only for high-impact, mission-critical contracts

How Much Does CMMC Compliance Cost?

Level 1
• Internal documentation and minor system upgrades
• Estimated cost: a few thousand dollars, depending on existing infrastructure.

Level 2
• Third-party audits typically range from $50,000 to $80,000
• Additional costs may include system remediation, staff training, and policy development.

Level 3
• Requires enterprise-level security investment
• Costs often exceed six figures annually

CMMC Rollout Timeline

The phased implementation plan begins in October 2025. Here's the breakdown:

• Phase 1 (Oct 2025): Level 1 and some Level 2 contracts allow self-assessment
• Phase 2 (Oct 2026): Most Level 2 contracts require third-party assessment
• Phase 3 (Oct 2027): Level 3 compliance begins for selected contracts
• Phase 4 (Oct 2028): Full enforcement across eligible DoD contracts

Full enforcement is expected by the end of fiscal year 2028.

Tips to Stay Contract-Ready

• Identify whether you handle FCI or CUI
• Confirm your CMMC level and self-assessment eligibility
• Start developing your System Security Plan and documentation
• Budget for future audits and technical improvements
• Monitor NIST SP 800-171 Revision 3 for future transition
• Ask your primes about their current flow-down requirements

FAQs

Is NIST SP 800-171 Revision 3 required for CMMC?
No. The DoD has locked current requirements to Revision 2. However, Revision 3 is available and should be reviewed in preparation for future changes.

When do third-party assessments start for Level 2?
Most Level 2 contracts will require third-party certification beginning in October 2026. Some lower-risk contracts in 2025 may still allow self-assessment.

Why are there two rules?
32 CFR defines the technical security standards. 48 CFR makes those requirements enforceable in government contracts.

Is CMMC already showing up in contracts?
Yes. As of late 2025, several agencies have started including CMMC requirements in solicitations. Primes are also requesting SPRS scores and readiness documentation from subs.

What happens if I wait?
The pool of approved assessors is limited. Waiting until a solicitation requires CMMC could result in delays or disqualification. Early preparation gives you more control and better positioning.