Since the new administration took office in January 2025, government and government contracting have seen many changes. One thing has not changed: the Cybersecurity Maturity Model Certification (CMMC) remains a top priority for the Department of Defense (DoD).
Here is what you need to know about the current CMMC process.
Phased Implementation Forthcoming
- Phase 1: Initial Requirements – Begins when DFARS 7021 is finalized. Requires Level 1 or Level 2 self-assessments for contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Level 2 certifications, both self-assessments and third-party assessments, may be required for certain contracts.
- Phase 2: Level 2 Third-Party Assessments – Begins approximately 1 year after Phase 1 kicks off. Requires Level 2 certifications by Certified Third-Party Assessment Organizations (C3PAOs) for selected contract awards. Level 3 certifications may be required for high-security contracts.
- Phase 3: Level 3 Third-Party Assessments – Begins approximately 1 year after Phase 2 starts. Requires both Level 2 and Level 3 certifications for certain contracts. The Government will perform Level 3 certifications directly.
- Phase 4: Full Implementation – Begins approximately 1 year after Phase 3. Requires CMMC certifications for all applicable contracts, including previous awards.
Third-Party Assessment Requirements Are Live
Now that CMMC 2.0 is live, C3PAOs are authorized to perform Level 2 Assessments as independent entities, without the Government participation that characterized the earlier Joint Surveillance Voluntary Assessments (JSVAs). Unleashing C3PAOs to perform Level 2 assessments solo has freed up scheduling and allowed members of the Defense Industrial Base (DIB) to begin this process ahead of the rush. Although Level 2 assessments are not yet written into contracts, this is an ideal time for companies to engage with C3PAOs early so they can proactively prepare for formal solicitation requirements. As of February 28, 2025, the Supplier Performance Risk System (SPRS) is accepting Level 1 and Level 2 self-assessment scores with the required annual affirmations.
With the publication of the final rule, Contractors are also permitted to use Plans of Action & Milestones (POA&Ms) at Level 2. If the Contractor obtains a score of at least 88 in SPRS, they will be granted a conditional Level 2 certification and allowed to correct the remaining issues tracked in their POA&Ms. However, Contractors should note that POA&Ms are only permitted for low-weight controls (1 point) and must be remediated within 180 days to receive a final Level 2 certification. If these issues are not resolved in that timeframe, the Contractor will need to begin the process again.
For instance, a contractor scoring 88 out of 110 on their NIST 800-171 assessment may receive a conditional Level 2 certification. However, they must resolve any low-weight control deficiencies—such as audit log retention or user identification practices—within 180 days. After remediation, a follow-up confirmation may be required to finalize certification. This allows for operational flexibility while maintaining accountability.
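The scoring and POA&M eligibility rule just described, worked through in Python as an added example (not code from the original post): the 1/3/5 point values follow the NIST SP 800-171 DoD Assessment Methodology, while the requirement names, dates and function names are constructed for illustration.

```python
from datetime import date, timedelta

# Scoring constants from the NIST SP 800-171 DoD Assessment Methodology: each
# of the 110 requirements is worth 1, 3 or 5 points, deducted when NOT MET.
MAX_SCORE = 110
CONDITIONAL_THRESHOLD = 88   # minimum SPRS score for a conditional Level 2
POAM_MAX_WEIGHT = 1          # only 1-point items may be placed on a POA&M
POAM_WINDOW_DAYS = 180       # remediation window before conditional status lapses


def sprs_score(unmet):
    """unmet: list of (requirement_id, point_value) pairs that were NOT MET."""
    return MAX_SCORE - sum(points for _, points in unmet)


def poam_deadline(assessed_on):
    """Last day (ISO date string) by which POA&M items must be closed out."""
    start = date.fromisoformat(assessed_on)
    return (start + timedelta(days=POAM_WINDOW_DAYS)).isoformat()


def level2_status(unmet, assessed_on, today):
    """Classify a Level 2 outcome under the rule described in the text:
    'final'        - every requirement met;
    'conditional'  - score >= 88, only 1-point items open, inside the 180-day window;
    'expired'      - was conditional, but the 180-day window has passed (start over);
    'not eligible' - score below 88, or a 3-/5-point item is unmet (no POA&M allowed).
    """
    if not unmet:
        return "final"
    heavy = [rid for rid, pts in unmet if pts > POAM_MAX_WEIGHT]
    if sprs_score(unmet) < CONDITIONAL_THRESHOLD or heavy:
        return "not eligible"
    # ISO date strings compare correctly as plain strings (YYYY-MM-DD).
    if today > poam_deadline(assessed_on):
        return "expired"
    return "conditional"


if __name__ == "__main__":
    # Constructed sample: two low-weight findings; names are illustrative,
    # not real NIST 800-171 requirement identifiers.
    sample = [("audit-log-retention", 1), ("user-identification", 1)]
    print(sprs_score(sample), level2_status(sample, "2025-03-01", "2025-04-15"))
    # prints: 108 conditional
```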
New Tools Provided
On June 6, 2025, the Government retired the former Defense Information Systems Agency (DISA)/DIBNet portal and activated the new DIB Collaborative Information Sharing Environment (DCISE) Cybersecurity Reporting Portal. Contractors must now input their cyber incident details in the new portal, which will generate an XML file to provide to the DoD Cyber Crime Center (DC3). To comply with DFARS 252.204-7012, Contractors must submit this file using the DoD Secure Access File Exchange (SAFE) system. DC3 will confirm the submission and provide an incident number and a text-formatted copy of the report[2].
Additionally, the DC3 DCISE is offering a variety of Cybersecurity-as-a-Service (CaaS) tools and capabilities to support the DIB in its quest for CMMC compliance. This includes:
- Service Offerings like a Vulnerability Disclosure Program, centralized dashboard with real-time threat intelligence, and automated threat detection and blocking.
- Educational and Networking Events including webinars, tabletop exercises, meetings with Government stakeholders, and other valuable opportunities.
- Analytics Products supporting threat reporting, risk analysis, alerts and warnings, and informational reporting.
Links and information pertaining to these resources may be found at https://www.dc3.mil/Missions/DIB-Cybersecurity/DCISE-Resources/.
Reciprocity for Mature Frameworks
Contractors already complying with frameworks like the Federal Risk and Authorization Management Program (FedRAMP), ISO 27001, or International Traffic in Arms Regulations (ITAR) requirements may benefit from partial reciprocity. While these certifications do not provide a direct path to CMMC compliance, they often overlap in foundational security controls. Mapping existing controls to the NIST 800-171 framework can streamline readiness efforts and reduce duplicated documentation and effort.
What Can I Do?
Apart from scouring the news and watching for the final approval of DFARS 7021, Contractors can get ahead of the final requirements by preparing for CMMC 2.0 now. Here are a few tips to help get you started:
- Begin the gap assessment process to identify your weaknesses or areas for improvement against NIST 800-171.
- Use the Cyber Marketplace to reach out to potential C3PAOs and learn more about the overall process. C3PAOs can also provide you with a Rough Order of Magnitude (ROM) quote, and many have direct relationships with gap assessment partners to provide you with a referral. Visit https://cyberab.org/Catalog#!/c/s/Results/Format/list/Page/1/Size/9/Sort/NameAscending to find a list of providers.
- Update your documentation, including relevant policies, System Security Plan (SSP), and Incident Response Plan (IRP). Use the results of your gap assessment to map out remediation efforts.
- Perform your own self-assessment in SPRS to consider whether a Level 1 or Level 2 third-party certification is right for you. If you are interested in a Level 2 third-party certification, begin engaging C3PAOs NOW.
- Use the new DCISE portal to remain compliant with DFARS incident reporting.
- Make sure your SPRS entries and self-affirmations are legally accurate to avoid costly Department of Justice (DOJ) enforcement. DOJ is currently enforcing cybersecurity compliance under the False Claims Act, and many contractors faced lawsuits in early 2025 for misrepresenting their scores or the security measures they had implemented.
For example, in one 2025 case, a contractor was fined $4.6 million for falsely attesting to compliance without fully implementing NIST 800-171 controls[3]. Another settled for $8.4 million after an audit revealed inflated SPRS scores and missing incident response protocols[4]. These cases underscore the importance of accuracy and transparency in your cybersecurity documentation and reporting.
Additionally, keep a weather eye on the rollout of DFARS 7021, which could occur at any time.
One thing is certain: CMMC 2.0 is here to stay. Don’t wait until the last minute to begin your preparations.
[1] https://federalnewsnetwork.com/defense-news/2025/06/dod-addresses-two-big-challenges-to-make-cmmc-a-reality/
[2] https://cmmccompliance.us/dib-updates-june-6-2025/
[3] https://www.linkedin.com/pulse/defense-contractor-pays-46m-false-claims-act-warning-kayne-mcgladrey-x4acc/
[4] https://www.pilieromazza.com/cybersecurity-compliance-in-the-crosshairs-raytheons-8-4-million-fca-settlement-and-what-it-means-for-defense-contractors-2