
DoD Finalizes CMMC 2.0 Rule, Initiates Three-Year Rollout

By whois-secure, March 12, 2026


On September 10, 2025, the U.S. Department of Defense (DoD) published the final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate the Cybersecurity Maturity Model Certification (CMMC) 2.0 into defense contracts. This rule, effective November 10, 2025, marks the beginning of a structured three-year implementation plan aimed at enhancing cybersecurity across the Defense Industrial Base (DIB).

Understanding CMMC 2.0

CMMC 2.0 is a streamlined framework designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the DIB. It reduces the original five-tier model to three levels, aligning more closely with existing cybersecurity standards to simplify compliance for contractors.

  • Level 1 (Foundational): Applicable to contractors handling FCI, requiring 17 basic cybersecurity practices as outlined in FAR 52.204-21. Annual self-assessments are mandatory.
  • Level 2 (Advanced): For contractors managing CUI, necessitating implementation of 110 controls from NIST SP 800-171. Depending on the contract, either triennial third-party assessments by a Certified Third-Party Assessment Organization (C3PAO) or self-assessments are required.
  • Level 3 (Expert): Pertains to contractors dealing with the most sensitive CUI, incorporating additional practices from NIST SP 800-172. These contractors must undergo triennial assessments conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

For a detailed overview of CMMC 2.0 levels and requirements, refer to the DoD's official resources (DoD CMMC 2.0 Resources).

Phased Implementation Timeline

The DoD has outlined a four-phase rollout to integrate CMMC 2.0 requirements into defense contracts:

  • Phase 1 (November 10, 2025 – November 10, 2026): New contracts will include CMMC Level 1 and Level 2 requirements. Contractors must perform self-assessments and submit scores to the Supplier Performance Risk System (SPRS).
  • Phase 2 (November 10, 2026 – November 10, 2027): Continuation of Phase 1 with the addition of mandatory third-party assessments for Level 2 contractors handling CUI.
  • Phase 3 (November 10, 2027 – November 10, 2028): Introduction of Level 3 requirements, with DIBCAC conducting assessments for contracts involving the most sensitive CUI.
  • Phase 4 (after November 10, 2028): Full implementation of CMMC 2.0 across all DoD contracts, requiring the appropriate certification level of every contractor.

Detailed information on the phased rollout is available in the DoD's official documentation (CMMC 2.0 Implementation Timeline).

Implications for Defense Contractors

The finalization of the CMMC 2.0 rule signifies a shift from voluntary compliance to mandatory certification for defense contractors. Key implications include:

  • Contract Eligibility: Contractors must achieve the required CMMC level to be eligible for DoD contracts. Non-compliance may result in disqualification from contract awards.
  • Assessment Requirements: Depending on the CMMC level, contractors will undergo self-assessments, third-party assessments, or government-led assessments at specified intervals.
  • Supply Chain Security: Prime contractors are responsible for ensuring that their subcontractors also meet the necessary CMMC requirements, emphasizing the importance of cybersecurity throughout the supply chain.

For further insights into the implications of CMMC 2.0 for defense contractors, consult the analysis provided by Goodwin Law (Goodwin Law Analysis on CMMC 2.0).

Preparing for Compliance

To align with CMMC 2.0 requirements, defense contractors should:

  • Assess Current Practices: Evaluate existing cybersecurity measures against the CMMC 2.0 framework to identify gaps.
  • Develop a Compliance Plan: Create a roadmap to address identified deficiencies, including timelines and resource allocation.
  • Engage with Assessors: For Level 2 and Level 3 requirements, coordinate with C3PAOs or DIBCAC to schedule assessments.
  • Monitor Supply Chain: Ensure that subcontractors and suppliers also comply with relevant CMMC levels to maintain contract eligibility.

Additional guidance on preparing for CMMC 2.0 compliance is available from Infor's comprehensive guide (Infor's CMMC 2.0 Compliance Guide).

Conclusion

The DoD's finalization of the CMMC 2.0 rule and its phased implementation plan underscore the critical importance of cybersecurity within the defense sector. Contractors must proactively engage with the CMMC framework to ensure compliance, secure sensitive information, and maintain eligibility for future DoD contracts.

