CMMC 2.0 Timeline: What Defense Contractors Need to Know in 2025
The Cybersecurity Maturity Model Certification is no longer optional. Here is a clear breakdown of what the updated framework requires and how to prepare before enforcement begins.
If your organization handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) for the Department of Defense, the CMMC 2.0 framework will directly affect your ability to bid on and retain contracts. With the final rule published in late 2024 and phased enforcement rolling out through 2025, the window to achieve compliance is narrowing fast.
What Changed from CMMC 1.0 to 2.0
The original CMMC model introduced five maturity levels with 171 practices across 17 domains. CMMC 2.0 simplifies this significantly. The DoD consolidated the framework into three levels, eliminated unique CMMC-only practices, and aligned requirements directly with existing NIST standards. This makes the path to compliance clearer, but no less rigorous.
The most important shift is that Level 1 now allows annual self-assessment, while Level 2 requires either self-assessment or third-party certification depending on the sensitivity of the CUI involved. Level 3 requires government-led assessments and maps to NIST SP 800-172 controls.
The Three CMMC 2.0 Levels
Level 1: Foundational
Level 1 covers 15 basic cybersecurity practices derived from FAR 52.204-21. These are fundamental controls like access management, media protection, and physical security. Organizations at this level handle only FCI and can demonstrate compliance through annual self-assessment. There is no requirement for a third-party audit.
Level 2: Advanced
Level 2 maps directly to the 110 security requirements in NIST SP 800-171 Rev 2. This is where most defense contractors will land, as it covers organizations that process, store, or transmit CUI. Depending on the criticality of the information, contractors will either self-assess or undergo a C3PAO (CMMC Third-Party Assessment Organization) audit every three years.
Level 3: Expert
Level 3 builds on Level 2 by adding a subset of NIST SP 800-172 enhanced security requirements. This level targets contractors working with the most sensitive CUI and requires a government-led assessment by the Defense Contract Management Agency (DCMA).
"CMMC 2.0 is not a new set of requirements. It is the enforcement mechanism for standards that defense contractors were already expected to meet under DFARS 252.204-7012."
Key Dates and Timeline
The 48 CFR rule, which embeds CMMC requirements into defense contracts, is expected to take effect in mid-2025. Once active, the DoD will begin including CMMC level requirements in new solicitations under a phased rollout:
- Phase 1 (2025): Self-assessment for Level 1 and select Level 2 contracts
- Phase 2 (2026): Third-party certification required for all Level 2 contracts involving critical CUI
- Phase 3 (2027): Level 3 government-led assessments for applicable contracts
- Phase 4 (2028): Full implementation across all new DoD contracts
Pro Tip
Do not wait for CMMC requirements to appear in a contract you are bidding on. The assessment and remediation process can take 6 to 12 months. Start your gap analysis now so you are ready when requirements hit your pipeline.
How to Prepare: A Practical Approach
- Scope your CUI environment: Identify where CUI enters, resides, and exits your systems. The smaller and better defined your CUI boundary, the fewer controls you need to implement and the simpler your assessment will be.
- Conduct a gap analysis against NIST SP 800-171: Evaluate your current security posture against all 110 requirements. Document what you have in place, what is partially implemented, and what is missing entirely.
- Build a Plan of Action and Milestones (POA&M): Under CMMC 2.0, limited POA&Ms are allowed for Level 2 assessments, but only for non-critical controls. You must close POA&M items within 180 days of your assessment.
- Implement a System Security Plan (SSP): Your SSP documents how each control is implemented in your environment. Assessors will use this as the foundation for their evaluation.
- Engage a C3PAO early: Third-party assessor capacity is limited. If you need a Level 2 certification assessment, schedule your engagement well in advance to avoid delays that could cost you contract eligibility.
Conclusion
CMMC 2.0 brings real enforcement to cybersecurity requirements that have existed in policy for years. The streamlined three-level structure is a welcome improvement, but the compliance work itself remains substantial. For most defense contractors, that means achieving and maintaining alignment with all 110 NIST SP 800-171 controls and being prepared to prove it under audit.
The organizations that start their readiness work now will be positioned to win contracts when enforcement begins. Those that wait risk being locked out of the defense supply chain entirely. If you need help scoping your CUI environment or building a roadmap to certification, our team can guide you through the process from gap analysis to assessment day.