The Cybersecurity Maturity Model Certification (CMMC) 2.0 introduces a more structured and risk-based approach to cybersecurity compliance, refining both technical safeguards and oversight mechanisms. Moving away from a rigid, one-size-fits-all checklist, CMMC 2.0 tailors security requirements to the sensitivity of data and the evolving threat landscape. Its three-tiered framework — foundational (level 1), advanced (level 2) and expert (level 3) — establishes a progressive security model, with each level incorporating and expanding upon the controls of the preceding tier. To achieve level 3 compliance, an organization must first satisfy all requirements for levels 1 and 2, creating a comprehensive and layered defense strategy.

Under CMMC 2.0, companies at level 1 must complete an annual self-assessment and affirmation. Third-party assessments are required only for Defense Industrial Base (DIB) companies handling Controlled Unclassified Information (CUI). These assessments can be conducted only by Certified CMMC Assessors (CCAs) operating within CMMC third-party assessment organizations (C3PAOs). A CMMC certificate is granted once a CCA verifies compliance, with the Cyber Accreditation Body (Cyber AB) issuing the certification. Except for rare exceptions, DIB companies must obtain this certification before working on Department of Defense (DOD) contracts that include CMMC requirements.

CMMC 2.0 Implementation Timeline

The cybersecurity regulatory landscape for the DIB underwent a pivotal shift in late 2024 and early 2025. In October 2024, the DOD published the final 32 CFR CMMC rule, formally defining the program’s structure and compliance framework. By Dec. 16, 2024, the rule had taken full effect, establishing the foundation for the first official CMMC assessments, which began Jan. 2, 2025.

Expected for release in mid-2025, 48 CFR CMMC will formally integrate CMMC requirements into DOD contracts. New and renewed contracts will soon include clauses mandating CMMC level 2 self-assessments, requiring a perfect score of 110 — though limited exceptions may apply. This requirement takes effect 60 days after implementation. Achieving a perfect score without a well-established cybersecurity program is highly unlikely. Even organizations with mature programs will need a targeted CMMC compliance strategy to meet the requirements effectively.

Phase 2, expected to begin in mid-2026, will mark a critical transition as mandatory certification assessments replace self-assessments for most new and renewing contracts requiring level 2 compliance. This milestone represents the most significant shift in the CMMC implementation timeline and serves as the final deadline for all level 2 DIB companies to achieve compliance.

Phase 3 will focus on achieving level 3 compliance, applicable to a limited subset of DIB companies handling highly sensitive contracts. Phase 4, expected to roll out in late 2026 or early 2027, will mark the full implementation of CMMC requirements across all DOD contracts. At this stage, CMMC certification will become a mandatory prerequisite for contract eligibility, finalizing the integration of CMMC into the DOD procurement framework.

Waiting to Prepare Is a Risk to Your Future Business With DOD

The path to CMMC certification is a multifaceted process, with preparation timelines varying based on an organization's current cybersecurity posture. Industry estimates suggest that small to mid-sized companies may require six months to a year to achieve compliance, though this time frame is highly contingent on their existing security maturity and readiness.

Prime contractors are accelerating compliance timelines for their subcontractors, often outpacing the phased rollout of the CMMC program. As a result, companies cannot afford to wait, regardless of the official implementation schedule. The pace of adoption is being driven by those at the top of the supply chain, making early preparation essential for maintaining eligibility in DOD contracts.

A key challenge in the certification process is the expected bottleneck among CMMC third-party assessment organizations (C3PAOs). With more than 182,000 entities projected to seek certification in the next decade and only about 60 authorized C3PAOs as of the February 2025 Cyber AB town hall, a significant backlog is unavoidable. Companies should anticipate wait times of up to five months to schedule an assessment. Additionally, C3PAOs are likely to prioritize organizations that demonstrate strong readiness. Proactive preparation is not just recommended — it is essential to securing a timely assessment.

Misrepresenting Your Cyber Maturity Is a Risk to Your Company

To bolster cybersecurity accountability within the DIB, the Civil Cyber-Fraud Initiative, launched in October 2021, wields the False Claims Act to target companies that misrepresent their self-attested compliance with CMMC requirements. This initiative places the burden of compliance squarely on the affirming official, who must annually affirm, via the Supplier Performance Risk System (SPRS), that their company has implemented and will maintain all relevant CMMC security measures. Failure to meet these requirements can result in contractual penalties and civil liabilities. Furthermore, a mandatory breach reporting obligation demands that DIB companies report any discovered breaches within 72 hours. Adding another layer of oversight, the initiative includes a whistleblower provision that empowers employees to file lawsuits based on allegations of false claims, creating a multifaceted approach to maintaining cybersecurity integrity.

The U.S. Department of Justice (DOJ) announced that Pennsylvania State University has agreed to a $1.25 million settlement to resolve allegations of False Claims Act violations related to cybersecurity compliance. The DOJ asserted that between 2018 and 2023, the university failed to meet cybersecurity requirements outlined in 15 DOD and NASA contracts. While the university disclosed deficiencies in its cybersecurity assessment scores, it allegedly misrepresented future implementation timelines and failed to execute required corrective actions. The case originated from a whistleblower complaint filed by the university’s former chief information officer, who received $250,000 from the settlement. This enforcement action underscores the legal and financial risks associated with inaccurate cybersecurity compliance reporting in federal contracts.

Help Is Available

Owners and operators of critical infrastructure and manufacturing facilities and systems require cybersecurity strategies that extend beyond traditional information technology (IT) protections. Effective security measures must address both IT and operational technology (OT) environments. At 1898 & Co., we help clients develop and implement comprehensive OT cybersecurity programs that mitigate risk, safeguard critical assets and anticipate evolving threats. Our knowledge and experience span from initial assessment to full integration, providing tailored solutions, targeted training and ongoing support to strengthen resilience against emerging cyber risks.

Leveraging our skills and acumen, we support DIB companies in navigating the CMMC 2.0 process with a structured, strategic approach. Our CMMC gap analysis provides a clear assessment of your current cybersecurity posture, identifying necessary steps for compliance. We offer targeted solutions to address identified gaps, assist with assessment preparation and serve as a liaison during the evaluation process. Achieving compliance is complex, but with the right guidance, you don’t have to navigate it alone.


Editor’s note: This post was originally published Aug. 3, 2023, and has been updated for context and accuracy.

Lorenzo Williams is a cybersecurity senior consultant at 1898 & Co., a part of Burns & McDonnell. With 15 years of experience in the federal and defense sectors, he specializes in cybersecurity compliance, navigating complex regulatory standards to strengthen security postures.