From compliance to confidence: Mastering the new CMMC 2.0 requirements
- Defense contractors and other vendors who work with the Department of Defense must now meet CMMC 2.0 compliance requirements to bid on contracts.
- CMMC 2.0 compliance will be implemented over four phases that end in November 2028. Organizations will also be sorted into one of three CMMC levels based on their degree of access to sensitive information. Each level comes with different compliance standards.
- Contractors that wish to keep doing business with the Department of Defense should work with an advisor to understand the new CMMC rules and make changes needed to achieve and maintain compliance.
After years of development, the Cybersecurity Maturity Model Certification (CMMC) 2.0 marks a significant evolution in the Department of Defense’s (DoD) efforts to enhance cybersecurity across the defense industrial base. Now it’s time for the implementation period.
The CMMC 2.0 final rule, which was published on October 15, 2024, established that defense contractors will be expected to implement CMMC compliance requirements in four phases from November 2025 through 2028. This new framework aims to ensure that all defense contractors implement necessary cybersecurity safeguards to protect controlled unclassified information (CUI) and federal contract information (FCI).
Keep reading to learn what’s changing and how your business may need to adapt.
What does CMMC actually mean?
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a cybersecurity compliance framework for defense contractors and other vendors who work with the Department of Defense (informally referred to as the Department of War). It is the latest version of the CMMC framework and now appears in all DoD contracts with the goal of raising cybersecurity standards for the defense industrial base (DIB).
Is CMMC compliance mandatory?
DoD contractors who wish to continue bidding on federal defense contracts must meet CMMC 2.0 compliance requirements. However, your business will be able to do this through a phased transition over several years.
Who does CMMC 2.0 apply to?
CMMC applies to all contractors, vendors and other third-party organizations that do business with the Department of Defense. These are mandatory requirements that may also continue to evolve in the coming years to adapt to the ever-changing cybersecurity threat environment.
CMMC 2.0 rulemaking update established a three-year phased implementation period
CMMC 2.0 will phase in via four stages of compliance requirements over the next three years. The implementation timeline begins with Phase 1 on November 10, 2025, and culminates in Phase 4 three years later.
This phased approach allows contractors to gradually adapt to the new requirements and ensures a smooth transition to full compliance. Here are the four phases:
- Phase 1: The first phase began on November 10, 2025. During this phase, the DoD can begin to include CMMC requirements in new contracts. Contractors will need to meet Level 1 or Level 2 self-assessment requirements as a condition of contract award.
- Phase 2: The second phase starts one year after the effective date, on November 10, 2026. In this phase, contractors handling CUI will be required to undergo a third-party assessment by a certified assessor organization as a condition of award.
- Phase 3: The third phase begins two years after the effective date, on November 10, 2027. This phase involves the DoD conducting Level 3 CMMC assessments for contracts involving the most sensitive CUI.
- Phase 4: The final phase starts three years after the effective date, on November 10, 2028. This phase marks the full implementation of the CMMC requirements across all applicable solicitations and contracts.
This phased approach is intended to address ramp-up issues, provide runway to train the necessary number of assessors and allow companies the time needed to understand and implement CMMC requirements.
Key clarifications around CMMC compliance requirements
The final CMMC 2.0 rule provides several key clarifications that are crucial for defense contractors to understand:
- The operational plan of action lets contractors track temporary vulnerabilities and deficiencies separately from a plan of action and milestones (POA&M). This lets management remediate vulnerabilities or deficiencies identified through the normal operation of detective controls without the organization falling out of compliance.
- Contractors must retain artifacts used in evidence for an assessment for at least six years after the date of their certification assessment. This retention obligation extends to the annual self-certifications that contractors must perform.
- External service providers are not required to have CMMC certification but are “in-scope” if they store, transmit or process CUI.
- An endpoint hosting a virtual desktop infrastructure (VDI) client configured to disallow processing, storage or transmission of CUI beyond keyboard/video/mouse sent to the VDI client is considered an out-of-scope asset.
How should you implement the CMMC 2.0 cybersecurity framework?
With the CMMC Final Rule now in effect, defense contractors must take several steps to become compliant and properly flow down the compliance requirements to their subcontractors. Some key actions to take include:
1. Understand the three CMMC levels
Based on the type of sensitive information or CUI your organization handles, you should determine the appropriate CMMC level for your organization. This will guide your compliance efforts and help you identify the specific requirements you need to meet.
The three levels are:
- Level 1: Basic protection of FCI, requiring an annual self-assessment.
- Level 2: General protection of CUI, which can be achieved through either a third-party assessment or a self-assessment.
- Level 3: Enhanced protection against advanced persistent threats, requiring an assessment led by the Defense Industrial Base Cybersecurity Assessment Center.
2. Conduct proper scoping of your environment
Proper scoping of your environment for CMMC is crucial because it clearly defines the boundaries where CUI is stored, processed and transmitted within your organization. This allows you to focus security efforts only on the relevant systems and data, minimizing the scope of your assessment and ultimately reducing the cost and complexity of achieving compliance while ensuring the most critical assets are adequately protected. If not done correctly, your entire network could be considered “in-scope” for assessment, leading to unnecessary overhead and potential noncompliance issues.
3. Perform a gap analysis
Assess your current cybersecurity posture against the CMMC standards. Conduct a thorough gap analysis to identify deficiencies in your existing cybersecurity controls. This will help you develop a POA&M to address these gaps and achieve compliance.
4. Implement required controls
Based on the results of your gap analysis, implement the necessary cybersecurity controls to meet the CMMC requirements. This may involve updating your policies, procedures and technical controls, or implementing new technology.
5. Prepare for assessment
Whether you are undergoing a self-assessment or a third-party assessment, ensure that you have all the required documentation and evidence in place. This includes maintaining control evidence for six years and being prepared for potential audits by the DoD.
6. Flow down requirements to subcontractors
Ensure that your subcontractors are also compliant with the CMMC requirements. This involves flowing down the relevant requirements to all subcontractors at every tier and verifying their compliance.
By following these steps, defense contractors can help ensure that they are fully compliant with the CMMC requirements and are well-prepared to protect sensitive information from evolving cyberthreats. A third-party advisor can help you navigate this process and implement solutions to bring you up to speed.
How Wipfli can help
We help businesses understand, implement and maintain compliance with CMMC 2.0 requirements. Let’s talk about your current cybersecurity readiness and how you need to evolve.