IT Navigator - Daymark Solutions Blog

CMMC 2.0 Explained: What Defense Contractors Must Do to Stay Eligible

Written by Trent Chamness | Tue, Feb 17, 2026

The regulatory countdown that defense contractors have been watching for years is finally over. On November 10, 2025, the Department of Defense began including CMMC 2.0 requirements in contract solicitations - transforming cybersecurity compliance from a policy goal into a binding contractual obligation for anyone in the defense supply chain. If you manufacture components for the DoD, provide engineering services, or operate anywhere in the defense industrial base, CMMC 2.0 compliance now directly determines whether you can bid on and win contracts.

This shift represents a fundamental change in how the Pentagon verifies cybersecurity across its supply chain. For years, defense contractors self-attested their compliance with existing cybersecurity standards. The DoD found that the approach wasn't working - studies revealed that only a fraction of contractors who claimed compliance actually met the required security controls when audited. CMMC 2.0 fixes that gap by introducing verified assessments that create real accountability throughout the defense ecosystem.

What Exactly Is CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) program establishes a tiered framework that defense contractors must follow to protect sensitive government information. Think of it as a standardized verification system that confirms whether your organization has actually implemented the cybersecurity practices you've been claiming in self-assessments.

CMMC 2.0 replaced the original CMMC 1.0 model, which had five certification levels. The updated version streamlines things down to three levels, each tied to the sensitivity of information your organization handles:

  • Level 1 applies to contractors who work only with Federal Contract Information - basic administrative data, logistics information, and similar materials that aren't classified but still require basic safeguarding. You'll need to implement 15 foundational security practices drawn from FAR Clause 52.204-21 and complete an annual self-assessment.

  • Level 2 covers contractors who handle Controlled Unclassified Information, commonly known as CUI. This includes technical data, engineering specifications, and information marked with CUI designations. Level 2 requires implementing all 110 security controls from NIST 800-171, and for most contractors, a third-party assessment by a C3PAO (Certified Third-Party Assessment Organization) every three years. The DoD estimates roughly 80,000 contractors fall into this category.

  • Level 3 targets contractors working on the Pentagon's most sensitive programs. It builds on Level 2 with 24 additional controls from NIST 800-172 and requires government-led assessments by the Defense Industrial Base Cybersecurity Assessment Center. This level applies to perhaps 600 organizations working on programs where advanced persistent threats pose significant risks.

Most defense contractors reading this will need CMMC Level 2 certification. If your contracts involve technical drawings, specifications, test results, or any data marked as CUI, that's your target certification level.

The CMMC Requirements You Need to Understand

At its core, CMMC 2.0 compliance builds on security standards that have technically been required since 2017. DFARS 252.204-7012 has mandated that defense contractors implement the 110 controls from NIST 800-171 for years. The difference now is verification - and consequences.

The CMMC 2.0 requirements break down across 14 security domains that cover every aspect of how your organization handles sensitive information:

  • Access Control forms the foundation. You need documented policies governing who can access what systems and data, implemented through mechanisms like multi-factor authentication, role-based access controls, and the principle of least privilege. This domain alone contains 22 controls addressing everything from account management to session termination.

  • Identification and Authentication ensures your systems can verify that users are who they claim to be before granting access. For environments handling CUI, this means implementing cryptographic authentication mechanisms and managing identifiers across the system lifecycle.

  • Audit and Accountability requires your organization to create, protect, and retain system audit logs that can track individual user actions. When an incident occurs, these logs become the forensic trail that reveals what happened.

  • Configuration Management mandates documented baseline configurations for your information systems and a formal change control process. You can't protect what you can't define, and this domain ensures your security posture remains consistent and measurable.

  • System and Communications Protection addresses how CUI is protected during transmission and at rest. This includes encrypting sensitive data, establishing boundary protections between networks, and controlling information flows between security domains.

The remaining domains cover Awareness and Training, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, and System and Information Integrity. Each contains specific controls that assessors will verify during your CMMC assessment.

Who Must Comply With CMMC 2.0?

The short answer: any organization that processes, stores, or transmits Federal Contract Information or Controlled Unclassified Information as part of a DoD contract. This includes prime contractors, subcontractors at every tier, and external service providers who touch sensitive data.

The CMMC certification requirement flows down through the supply chain. If a prime contractor needs Level 2 certification, they'll require their subcontractors to achieve the same or equivalent certification. This creates a cascading effect where compliance becomes a prerequisite for participation at any level.

Here's how to determine your organization's situation:

  • You definitely need CMMC Level 2 if your contracts contain DFARS 252.204-7012 (which requires safeguarding covered defense information) or reference NIST 800-171 requirements. Look at your contracts - if they mention CUI, controlled technical information, or reference these regulatory clauses, you're in scope.

  • You probably need CMMC Level 1 if you have DoD contracts but only handle basic Federal Contract Information without any CUI. This applies to contractors providing administrative support, basic logistics, or commercial services without access to sensitive technical data. 

  • You might need higher certification based on what your prime contractor requires. Even if your direct contract doesn't specify CUI handling, your prime may require CMMC Level 2 certification as a condition of doing business because their certification depends on supply chain security. 

Commercial Off-The-Shelf (COTS) items represent the main exception. If your DoD contract is solely for standard commercial products, CMMC requirements don't apply.


When Is CMMC 2.0 Required?

The DoD structured CMMC rollout across four phases over three years. Understanding this CMMC timeline helps you prioritize your compliance efforts:

  • Phase 1 (November 10, 2025 – November 10, 2026): CMMC Level 1 and Level 2 self-assessment requirements appear in select solicitations and contracts. Contracting officers can also include Level 2 C3PAO (third-party) assessment requirements for certain contracts at their discretion.

  • Phase 2 (November 10, 2026 – November 10, 2027): Third-party Level 2 C3PAO assessments become more widely required. This is when most contractors handling CUI will face mandatory third-party certification requirements.

  • Phase 3 (November 10, 2027 – November 10, 2028): Level 3 DIBCAC assessments begin appearing in contracts for highly sensitive programs.

  • Phase 4 (November 10, 2028 onward): All DoD contracts (except COTS) that require processing, storing, or transmitting FCI or CUI must include appropriate CMMC levels as award conditions.

The critical date circled on every defense contractor's calendar is November 10, 2026 - when third-party certification requirements become widespread. But don't let that date create false comfort. CMMC requirements are already appearing in contracts right now, and achieving compliance typically takes six to twelve months of dedicated effort.

Prime contractors are already demanding CMMC readiness from their supply chains. Lockheed Martin, Boeing, Northrop Grumman, and other major defense primes aren't waiting for Phase 4 to verify their subcontractors' cybersecurity postures.


Preparing for Your CMMC Assessment

CMMC readiness doesn't happen overnight. Organizations that succeed approach this as a structured project with clear milestones rather than a last-minute scramble.

  • Start by scoping your CUI environment. Before you can protect sensitive information, you need to know exactly where it lives. Map every system, application, and data repository that touches CUI. Many organizations discover CUI scattered across more systems than they realized - email servers, file shares, legacy applications, employee devices, and cloud services.

    Scoping directly impacts your compliance burden. A tightly defined CUI enclave - where you isolate sensitive data into a controlled environment separate from your broader network - can dramatically reduce the number of systems requiring full CMMC controls.

  • Conduct a thorough gap assessment. Once you know your scope, evaluate your current security posture against all 110 NIST 800-171 controls. Be honest here. Many contractors who conducted self-assessments overestimated their compliance status. A realistic gap assessment reveals exactly what work remains.

  • Build a remediation roadmap. Prioritize gaps based on risk and effort required. Some controls require significant technology investments - encryption solutions, endpoint detection and response tools, security information and event management systems. Others require policy development, documentation, and training. A structured roadmap sequences these efforts logically.

  • Documentation matters as much as implementation. CMMC assessors will ask for evidence. You need a System Security Plan documenting how your organization addresses each security requirement. You need policies governing everything from access control to incident response. You need evidence that these policies are actually followed through training records, audit logs, and configuration artifacts.

  • Consider your technology platform. Microsoft 365 GCC High exists specifically to help defense contractors meet CMMC requirements in their collaboration and communication tools. As an authorized environment for CUI, GCC High can provide up to 110 inheritable controls - security measures already implemented at the platform level that your organization can leverage. The right technology foundation simplifies compliance by building security into your operating environment rather than bolting it on afterward.

Common CMMC Audit Pitfalls

The DoD CMMC program draws on years of experience watching contractors struggle with cybersecurity compliance. Understanding common failure points helps you avoid them.

  • Insufficient documentation trips up many organizations. You might have implemented strong security controls, but if you can't produce the policies, procedures, and evidence that prove it, assessors have nothing to evaluate. Documentation isn't bureaucratic overhead - it's the evidence that demonstrates compliance.

  • Underestimating scope creates problems when you discover CUI on systems you didn't include in your compliance boundary. Contractors sometimes learn during assessments that email archives, backup systems, or cloud applications contain sensitive data they hadn't accounted for.

  • Treating security as a project rather than a program leads to compliance gaps after initial certification. CMMC isn't a one-time achievement - it's an ongoing commitment. Organizations must maintain their security posture and demonstrate continuous compliance throughout the certification period.

  • Neglecting the human element undermines technical controls. Security awareness training isn't a checkbox exercise. Your people need to understand why these controls exist and how their daily actions affect organizational security.

  • Waiting too long to engage a C3PAO can create scheduling problems. As CMMC requirements expand, qualified assessors are in high demand. Organizations that wait until deadlines loom may find limited availability and rushed timelines.

The Path Forward for Defense Contractors

CMMC 2.0 compliance represents a significant undertaking, but it's achievable with the right approach. Organizations across the defense industrial base complete this journey every day, emerging with stronger security postures and continued eligibility for DoD contracts.

The organizations succeeding at CMMC aren't treating it as a regulatory burden to minimize - they're recognizing that protecting sensitive defense information is genuinely important. Cyberthreats targeting the defense supply chain have intensified. Adversaries know that attacking a small subcontractor with limited security resources can provide access to sensitive programs through the supply chain.

Start now, even if your contracts don't yet require certification. The CMMC readiness process takes time, and waiting creates risk. Assess your current state, understand your gaps, and begin the remediation work. When CMMC clauses appear in your solicitations - and they will - you'll be prepared rather than scrambling.

Consider working with experienced partners who understand both the technical requirements and the practical realities of implementation. Microsoft AOS-G (Authorized for Government Solutions) partners, Registered Provider Organizations (RPOs) certified by the Cyber-AB (formerly the CMMC Accreditation Body), and consultants with deep experience in defense contractor compliance can accelerate your path to certification.

The defense industrial base is transforming how it approaches cybersecurity. CMMC 2.0 sets the standard. Your organization's ability to meet that standard determines whether you remain a trusted partner in the nation's defense supply chain.

Ready to Navigate CMMC Complexity?

Daymark Solutions provides comprehensive CMMC compliance services to defense contractors across the supply chain. As a Microsoft AOS-G authorized partner and Cyber-AB Registered Provider Organization, we bring the credentials, methodology, and deep technical expertise needed to guide your organization from gap assessment through successful certification.

Our approach addresses every phase of the compliance journey:

  • Gap Assessment & Analysis - Evaluate your current security posture against CMMC requirements
  • GCC High Tenant Deployment & Migration - Migrate to Microsoft 365 GCC High with up to 110 inheritable controls
  • Documentation Development - Build the policies, procedures, and System Security Plans assessors require
  • C3PAO Advisory & Assistance - Prepare for and support your third-party certification assessment
  • Managed Security Services - 24x7x365 monitoring through our US-citizen-staffed Security Operations Center

With 25 years of experience, 600+ complex deployments, and a proven methodology that ensures consistency and quality, Daymark helps defense contractors achieve compliance readiness with confidence.

Contact us to discuss your CMMC compliance strategy:

📞 +1 781.359.3000
✉️ info@daymarksi.com
🌐 daymarksi.com

CMMC Frequently Asked Questions

What is CMMC 2.0?

CMMC 2.0 is the Cybersecurity Maturity Model Certification program, a framework established by the Department of Defense to verify that defense contractors have implemented required cybersecurity practices to protect sensitive government information. The CMMC 2.0 program uses a three-tiered certification system where Level 1 covers basic Federal Contract Information protection, Level 2 addresses Controlled Unclassified Information (CUI) requiring all 110 NIST 800-171 controls, and Level 3 applies to the most sensitive programs with additional controls from NIST 800-172. Unlike previous self-attestation approaches, CMMC 2.0 introduces verified assessments - either through self-assessment or third-party certification depending on the level - to confirm contractors actually meet cybersecurity requirements before contract award.

Who must comply with CMMC 2.0?

Organizations that must comply with CMMC 2.0 include any prime contractor, subcontractor, or external service provider that processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of a Department of Defense contract. This encompasses the entire defense supply chain - from major aerospace manufacturers to small machine shops providing components. Compliance requirements flow down through contract tiers, meaning subcontractors must meet the certification level demanded by their prime contractor. The primary exception applies to contracts involving only Commercial Off-The-Shelf (COTS) products, which are excluded from CMMC requirements. If your contracts contain DFARS 252.204-7012 clauses or reference NIST 800-171 requirements, your organization falls within scope for CMMC compliance.

When is CMMC 2.0 required?

CMMC 2.0 requirements are being phased in over a three-year period that began November 10, 2025. During Phase 1 (November 2025 through November 2026), CMMC Level 1 and Level 2 self-assessment requirements appear in select contracts, with some contracts requiring Level 2 third-party certification at the contracting officer's discretion. Phase 2 (November 2026 through November 2027) brings widespread requirements for Level 2 C3PAO third-party assessments - this is when most contractors handling CUI will need formal certification. Phase 3 adds Level 3 government-led assessments for highly sensitive programs. By Phase 4, beginning November 2028, all applicable DoD contracts will require the appropriate CMMC level as a condition of award. Defense contractors should prepare now, as achieving compliance typically requires six to twelve months of effort, and prime contractors are already requiring CMMC readiness from their supply chains.