Understanding CMMC 2.0: What Defense Contractors Need to Know

June 1, 2025 · 8 min read · By Michael Roberts

The Department of Defense (DoD) has officially released the Cybersecurity Maturity Model Certification (CMMC) 2.0, marking a significant evolution in how defense contractors must approach cybersecurity compliance. This updated framework streamlines the original five-level model into three more focused maturity levels while maintaining the core objective: protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

Key Changes in CMMC 2.0

The most notable change is the reduction from five maturity levels to three:

• Level 1 (Foundational): Basic cyber hygiene practices for FCI
• Level 2 (Advanced): Comprehensive cybersecurity practices for CUI based on NIST 800-171
• Level 3 (Expert): Advanced practices for the highest priority programs

Self-Assessment vs. Third-Party Assessment

CMMC 2.0 introduces a hybrid assessment approach: Level 1 requires annual self-assessments; Level 2 allows self-assessments in most cases, with triennial third-party assessments for critical programs; and Level 3 mandates government-led assessments.

Timeline and Implementation

The DoD plans to begin incorporating CMMC requirements into contracts by 2025, with full implementation expected by 2026. Defense contractors should begin preparation immediately to avoid losing future contract opportunities.

What This Means for Your Business

For small and medium defense contractors, CMMC 2.0 represents both challenges and opportunities. The streamlined approach reduces complexity while maintaining rigorous security standards. Companies that achieve compliance early will have a competitive advantage in the defense marketplace.

Next Steps

Start by conducting a gap analysis against NIST 800-171 requirements, as this forms the foundation of Level 2 compliance. Develop a comprehensive cybersecurity program that includes policies, procedures, and technical controls. Consider partnering with experienced CMMC consultants to ensure your preparation is thorough and efficient.