After five years of discussion, training, and a growing focus on CMMC, 2025 will be the most impactful year yet for companies working on Department of Defense (DoD) contracts. In this article, we will provide an overview of the key CMMC developments in 2025 and what they mean for your small business working with the defense industry.
CMMC 2.0 replaces CMMC 1.0
CMMC, the Cybersecurity Maturity Model Certification Program, was first introduced in 2020 to give companies involved in the DoD’s supply chain guidance on how to better safeguard unclassified information. On December 16, 2024, with the implementation of Title 32 of the Code of Federal Regulations (CFR), CMMC 2.0 fully replaced CMMC 1.0. This new CMMC version is now the framework and certification that assesses information systems for compliance with security standards published by the National Institute of Standards and Technology (NIST).
CMMC protects two main kinds of information: Federal Contract Information (FCI), such as contract timelines and deliverable details, and Controlled Unclassified Information (CUI), which is more sensitive data such as personally identifiable information (PII) and weaponry designs and specifications.
Key changes with CMMC 2.0
CMMC 2.0 was designed to streamline and simplify the compliance requirements for CMMC. The key developments are outlined below.
- Three compliance levels instead of five
The main change in CMMC 2.0 is the reduction of the original five compliance levels of the model to three levels. This design change is meant to give companies more flexibility while still maintaining high standards for protecting sensitive information.
- Self-assessments allowed
CMMC 2.0 allows companies to conduct self-assessments for Level 1 and a limited number of Level 2 requirements.
- Waivers for requirements
The DoD can now waive selected non-critical CMMC requirements, which makes the process less cumbersome for contractors.
- Plans of Action and Milestones (POA&Ms) made more flexible
In CMMC 2.0, companies are allowed to use POA&Ms for areas of noncompliance with non-critical controls, as opposed to “all or nothing” compliance. This flexibility helps organizations pass assessments more easily by working to structured deadlines and objectives.
- Focus on CMMC maturity
CMMC 2.0 assessors stress that they are not looking for a company to prove it can temporarily pass certain cybersecurity tests; instead, they want to see examples of how your organization will continuously apply CMMC’s requirements.
This development encourages companies to focus on automated controls and configuration management to enforce continuous compliance. To pass your assessment, third-party and government assessors will want to see examples of how your company has not only implemented controls, but also maintained and improved them over a set time period.
Compliance requirements for CMMC 2.0 Levels 1-3
CMMC Level 1 is considered a basic level of cybersecurity that emphasizes 15 foundational cyber hygiene practices to protect FCI. The only assessment required is an annual self-assessment. Companies seeking this level typically work with the DoD and its agencies, but they do not handle technical information and never come into contact with CUI.
CMMC Level 2 is considerably more difficult to achieve, as it specifies 110 cybersecurity controls from NIST 800-171. Meeting compliance at this level requires a demanding assessment by a CMMC Third-Party Assessor Organization (C3PAO) every three years. This is the most common level that small to mid-sized contractors in the defense industry will look to achieve. Typical organizations seeking this level include companies involved in research and development and companies providing or maintaining IT services for sensitive DoD networks.
CMMC Level 3 has the most demanding requirements, adding 24 controls from NIST 800-172. It also requires a comprehensive assessment by government officials at the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years. Companies at this advanced compliance level typically need to protect critically sensitive CUI when developing advanced defense systems such as nuclear applications and stealth weapons.
The time to get CMMC compliance is now
As of early 2025, Title 48 of the CFR requires all DoD contractors to be CMMC compliant. As a result, your small business should focus on improving its cybersecurity posture by adopting data-centric security measures and good cyber hygiene practices. Because of the limited number of C3PAOs, there will be extended delays in getting assessments done, so we highly recommend that you expedite your efforts to obtain CMMC compliance.
Get help from a CMMC expert
Our most useful advice on CMMC compliance is to get assistance from an expert in cybersecurity and compliance requirements such as Network Depot. These experienced professionals will be with you every step of the way to successfully navigate this complicated process and prepare your company to meet all cybersecurity challenges.
Network Depot has been a registered provider organization (RPO) since CMMC was introduced, recognized by the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB). As an RPO, Network Depot is authorized to provide valuable guidance to clients who are looking to achieve CMMC certification.
Network Depot will evaluate your current IT security environment, recommend remediation steps, and implement measures to help prepare you for a CMMC 2.0 assessment, whatever level you are seeking to achieve. Working closely with Network Depot, you will get valuable support in meeting the requirements for CMMC certification. With this important IT security compliance credential, your company will be able to participate in DoD contracts and work effectively and securely on all projects.