CMMC Levels Explained: What Contractors Need to Know in 2025

Jul 23, 2025 9:00:00 AM / by USFCR posted in News, cmmc

What Is CMMC and Why It Matters in 2025

The Cybersecurity Maturity Model Certification, or CMMC, is the Department of Defense’s framework for protecting sensitive information in the federal contracting space. Starting in October 2025, CMMC requirements will begin appearing in DoD solicitations. The rollout will occur in phases through 2028.

CMMC applies to both prime contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Even if it’s not yet written into your current contract, many prime contractors are already requesting proof of compliance or system readiness from their subs.

If you want to stay eligible for DoD opportunities over the next few years, understanding your required CMMC level and the assessment path that comes with it is critical.

The Origin of CMMC: From 1.0 to 2.0

CMMC was introduced in January 2020 as a five-level certification model aimed at improving cybersecurity across the Defense Industrial Base. The original framework required all contractors to undergo third-party assessments. While this was a step toward stronger security, it created delays and compliance hurdles for small businesses.

In November 2021, the DoD announced CMMC 2.0. This new version reduced the framework to three levels, aligned with existing NIST standards, and introduced the possibility of self-assessment for Level 1 and some Level 2 contracts.

The final rule under 32 CFR was published on October 15, 2024. In July 2025, the DoD submitted the acquisition-focused 48 CFR rule to the Office of Information and Regulatory Affairs. This second rule allows CMMC to be written into federal contracts. While not finalized, the 48 CFR rule targets an implementation date of October 1, 2025.

How Has CMMC 2.0 Changed from Version 1.0?

Feature                | CMMC v1.0          | CMMC v2.0
-----------------------|--------------------|-------------------------------------------
Levels                 | 5 levels           | 3 levels
Assessment model       | All third-party    | Mix of self and third-party
Certification renewal  | Unclear            | Level 1 annually, Level 2 every 3 years
Implementation speed   | Slower pre-COVID   | Final Rule effective Dec. 2024

CMMC 2.0 streamlines the framework without removing core security requirements. Here's how it compares to the original:

Levels
• 3 instead of 5

Assessment model
• Mix of self and third-party, depending on contract type

Certification renewal
• Level 1 annually
• Level 2 every 3 years

Implementation
• Targets October 2025 start under the 48 CFR rule

Breakdown of CMMC Levels 1–3

Level 1 – Foundational

Level 1 applies to contractors handling only Federal Contract Information. These companies typically provide services like custodial work, groundskeeping, deliveries, or basic maintenance.

Requirements include 15 security practices outlined in FAR 52.204-21. These cover:

• Access control for authorized users
• Password policy enforcement
• Use of antivirus and antimalware software
• Restricting physical access to systems
• Keeping software and devices updated
• Documented system security plans (SSPs)

Level 1 contractors must also:

• Complete an annual self-assessment
• Maintain internal documentation
• Report results in the Supplier Performance Risk System (SPRS)

Level 2 – Advanced

Level 2 applies to contractors that handle Controlled Unclassified Information. This level requires implementation of all 110 controls in NIST SP 800-171 Revision 2. Although Revision 3 was released in 2024, the DoD has locked current compliance requirements to Revision 2 under DFARS 252.204-7012.

Key security requirements include:

• Documented System Security Plans
• Access control and logging
• Secure data transmission
• Incident response and recovery policies
• Multi-factor authentication

Assessment process:

• Phase 1 (October 2025): Some contracts allow self-assessment for non-prioritized CUI
• Phase 2 (October 2026): Most Level 2 contracts require third-party assessments
• Assessment results submitted via SPRS or eMASS (when available)

Other considerations:

• Level 2 certification typically takes 12 to 18 months
• Limited number of Certified Third Party Assessment Organizations (C3PAOs)
• Delaying preparation increases the risk of missing future opportunities

Level 3 – Expert

Level 3 is intended for contractors supporting the most sensitive national security programs. It requires full implementation of NIST SP 800-171 Revision 2 and additional protections from NIST SP 800-172.

Examples of advanced protections include:

• Continuous monitoring
• Behavioral analytics and anomaly detection
• Creation of secure enclaves
• Adaptive network segmentation
• Insider threat detection

Assessment for Level 3 is:

• Conducted directly by DoD personnel
• Required only for high-impact, mission-critical contracts

How Much Does CMMC Compliance Cost?

Level 1
• Internal documentation and minor system upgrades
• Estimated cost: a few thousand dollars, depending on existing infrastructure.

Level 2
• Third-party audits typically range from $50,000 to $80,000
• Additional costs may include system remediation, staff training, and policy development.

Level 3
• Requires enterprise-level security investment
• Costs often exceed six figures annually

CMMC Rollout Timeline

The phased implementation plan begins in October 2025. Here's the breakdown:

• Phase 1 (Oct 2025): Level 1 and some Level 2 contracts allow self-assessment
• Phase 2 (Oct 2026): Most Level 2 contracts require third-party assessment
• Phase 3 (Oct 2027): Level 3 compliance begins for selected contracts
• Phase 4 (Oct 2028): Full enforcement across eligible DoD contracts

Full enforcement is expected by the end of fiscal year 2028.

Tips to Stay Contract-Ready

• Identify whether you handle FCI or CUI
• Confirm your CMMC level and self-assessment eligibility
• Start developing your System Security Plan and documentation
• Budget for future audits and technical improvements
• Monitor NIST SP 800-171 Revision 3 for future transition
• Ask your primes about their current flow-down requirements

FAQs

Is NIST SP 800-171 Revision 3 required for CMMC?
No. The DoD has locked current requirements to Revision 2. However, Revision 3 is available and should be reviewed in preparation for future changes.

When do third-party assessments start for Level 2?
Most Level 2 contracts will require third-party certification beginning in October 2026. Some lower-risk contracts in 2025 may still allow self-assessment.

Why are there two rules?
32 CFR defines the technical security standards. 48 CFR makes those requirements enforceable in government contracts.

Is CMMC already showing up in contracts?
Yes. As of late 2025, several agencies have started including CMMC requirements in solicitations. Primes are also requesting SPRS scores and readiness documentation from subs.

What happens if I wait?
The pool of approved assessors is limited. Waiting until a solicitation requires CMMC could result in delays or disqualification. Early preparation gives you more control and better positioning.
