Cybersecurity Maturity Model Certification 2.0

The CMMC program will be implemented across 4 phases, beginning on November 10th, 2025. The phases add CMMC Level requirements incrementally, starting with self-assessments in Phase 1, and ending with full implementation of program requirements in Phase 4. This phased approach allows time to train assessors and for companies to understand and implement CMMC assessment requirements.  The DoD will make a decision as the level of cybersecurity compliance, either Level 1, Level 2 or Level 3. 

CMMC Implementation

DFARS 252.204-7021, known as CMMC on the 10th September 2025, completed the Cybersecurity Maturity Model Certification (CMMC) rulemaking process. CMMC comprises two parts. 32 C.F.R. Part 170 establishes the requirements for the CMMC program. The second part is the final rule, which amends the Defence Federal Acquisition Regulation Supplement (DFARS) and establishes DFARS policies, contract clauses, and other provisions to implement the Program Rule.

The DoD has confirmed in the ruling that it expects the National and International Defense Industry Base (DIB) to comply with the ruling.  Confirming that the DIB has had since 2017 to implement NIST SP 800-171 and that CMMC is an assurance over the implementation. 

The DoD expects the national and international DIB to demonstrate compliance to NIST SP 800-171 and the 110 controls it defines.

The 4 phases of CMMC Implementation

CMMC Implementation Plan: In accordance with 41 U.S.C. § 1707, the DFARS Rule takes effect on November 10, 2025. 

Phase 1: Begins on the 10th November, 2025, the effective date of the 48 CRR ruling.

  • CMMC Level 1 and Level 2 self-assessment requirements will be included in applicable DoD solicitations and new contracts as a condition of contract award.
  • The DoD has the discretion to include CMMC Level 2 Certified Third-Party Assessment Organization (C3PAO) certification assessment requirements.
  • The DoD has the discretion to require CMMC Level 1 and Level 2 self-assessments for applicable contracts issued before November 10, 2025 if the contract includes an option.

Phase 2: Begins 12 months after Phase 1 Start.

  • Phase 1 requirements + DoD includes CMMC Level 2 C3PAO certification assessment requirements for applicable DoD solicitations and new contracts as a condition of contract award.
  • DoD has the discretion to delay CMMC Level 2 C3PAO certification assessment requirements to an option period.

Phase 3: Begins 24 months after Phase 1 Start.

  • Phase 1 and Phase 2 Requirements + DoD includes CMMC Level 2 C3PAO certification assessment requirements for applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded after November 10, 2025.
  • DoD includes CMMC Level 3 certification assessment requirements in applicable DoD solicitations and contracts as a condition of contract award, but DoD may delay CMMC Level 3 certification assessment requirements to an option period.

Phase 4 – Full Implementation: Begins 36 months after Phase 1 Start.

  • Full implementation of CMMC: DoD incorporates CMMC requirements into all applicable DoD solicitations and contracts, including option periods on contracts awarded prior to the beginning of Phase 4.

The Tiered Approach for CMMC Compliance

The CMMC Program aligns with the DoD’s existing information security requirements for the DIB. It is designed to enforce the protection of sensitive unclassified information shared by the Department with its contractors and subcontractors. The program provides the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for non-federal systems processing controlled unclassified information.

A Tiered Model: CMMC requires companies entrusted with sensitive unclassified DoD information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. 

The program also outlines the process for requiring the protection of information flowing down to subcontractors.  The tiering comprises 3 levels of compliance: Level 1, Level 2 and Level 3.

Level 1: Basic Safeguarding of Federal Contract Information (FCI)

  1. Annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21.

Level 2: Broad Protection of Controlled Unclassified Information (CUI).

  1. Either a self-assessment or a C3PAO assessment every three years, as specified in the solicitation. Decided by the type of information processed, transmitted, or stored on the contractor or subcontractor information systems.
  2. Annual affirmation, verify compliance with the 110 security requirements in NIST SP 800-171 Revision 2.

Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats.

  1. Achieve CMMC Status of Final Level 2.
  2. Undergo an assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
  3. Provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.

CMMC Level Requirements: DoD requirements for the three CMMC levels.  Level 1, Level 2 and Level 3.

CMMC Requirements defined by the US DoD - https://dodcio.defense.gov/cmmc/About/
© 2025 CMMC Europe. Created for free using WordPress and Colibri