
The Cybersecurity Maturity Model Certification (CMMC) program entered a new phase in November 2025 that shifts the burden of attestation and places stricter requirements on government contractors and subcontractors. The framework establishes a uniform cybersecurity standard for businesses that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) under contracts with the Department of War (DoW), the agency formerly known as the Department of Defense (DoD). CMMC 2.0 replaces the previous self-attestation-only model with tiered verification, including third-party and government-led assessments, and affects businesses across the federal supply chain, including subcontractors several tiers removed from a prime contractor.
This article covers what the new rules actually require, the three certification levels, the phased rollout timeline through 2028 and the broader implications for affected businesses.
What CMMC 2.0 is and What Changed in November 2025
CMMC 2.0 is the formal framework the DoW uses to assess and verify the cybersecurity practices of businesses in the Defense Industrial Base. The program organizes existing federal cybersecurity standards into three certification levels, each aligned with widely accepted guidance from the National Institute of Standards and Technology (NIST). Two regulatory milestones gave the program its current legal weight: the 32 CFR Part 170 final rule, which took effect December 16, 2024, and the 48 CFR rule published in the Federal Register on September 10, 2025, which took effect on November 10, 2025.
The 48 CFR rule amended the Defense Federal Acquisition Regulation Supplement (DFARS) to allow contracting officers to include CMMC requirements in solicitations and contracts: the solicitation provision at DFARS 252.204-7025 gives notice of the CMMC level required for an award, and the contract clause at DFARS 252.204-7021 ties eligibility to the contractor holding that CMMC status. CMMC obligations no longer appear only in policy documents but in the contract itself, with status confirmed through the Supplier Performance Risk System (SPRS) before an award can be made.
The Three CMMC Levels
CMMC 2.0 streamlined the original five-tier model into three certification levels. The level required for a given contract depends on the type of information involved and a single business may need to demonstrate different levels for different contracts in its portfolio:
Level 1 (Foundational)
Level 1 applies to businesses that handle FCI but not CUI. It requires implementation of the 15 basic safeguarding requirements set out in FAR 52.204-21, covering fundamental controls such as limiting system access to authorized users, identifying and authenticating users, sanitizing media and identifying and handling information system flaws. Verification is handled through an annual self-assessment, the results of which must be entered into SPRS along with an affirmation from a senior official. No Plan of Action and Milestones is permitted at Level 1: all 15 requirements must be met.
Level 2 (Advanced)
Level 2 applies to businesses that handle CUI and is the level most defense suppliers will need to reach. It requires implementation of the 110 security requirements in NIST SP 800-171 Revision 2, covering areas such as access control, audit and accountability, configuration management, incident response, media protection, system and information integrity and more. Some Level 2 contracts permit self-assessment, while others require a third-party assessment conducted by a CMMC Third-Party Assessor Organization (C3PAO) accredited by the Cyber AB, the CMMC accreditation body.
Level 3 (Expert)
Level 3 applies to a narrow set of businesses supporting the most sensitive DoW programs. It builds on the 110 requirements of Level 2 by adding 24 enhanced requirements drawn from NIST SP 800-172, designed to address advanced persistent threats. Verification is handled through a government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) rather than a third-party assessor, and a Level 2 C3PAO certification is a prerequisite.
The Phased CMMC Rollout Timeline Through November 2028
The DoW is implementing CMMC 2.0 through a four-phase rollout that began on November 10, 2025 and will run through November 10, 2028. The phased structure determines when CMMC clauses appear in DoW solicitations and which level of verification those clauses require.
- Phase 1 runs from November 10, 2025, through November 9, 2026 and triggers Level 1 and Level 2 self-assessment requirements in applicable solicitations, with contracting officers retaining discretion to require third-party (C3PAO) Level 2 assessments for select high-priority contracts
- Phase 2 begins November 10, 2026, and introduces mandatory C3PAO Level 2 certification for applicable contracts involving CUI
- Phase 3 begins November 10, 2027, and introduces Level 3 certification requirements where applicable
- Phase 4, scheduled to begin November 10, 2028, marks full implementation, at which point CMMC level requirements will appear as a condition of award across all applicable DoW solicitations and contracts
What CMMC 2.0 Readiness Looks Like in Practice
Readiness under CMMC 2.0 has four practical dimensions:
- Scope – A business must identify which of its systems, applications, users and data flows actually touch FCI or CUI, because the assessment boundary is determined by where that information lives. Many businesses discover during scoping that the relevant data passes through more hands than expected, including external people, technology and facilities, and ends up stored in systems outside their immediate control or visibility. The CMMC scoping guidance also pulls in assets that never store CUI but provide security functions for the assets that do, such as an identity provider, a SIEM or a backup platform, which it classifies as Security Protection Assets and assesses against the applicable requirements.
- Documentation – CMMC assessments evaluate a System Security Plan (SSP) that describes how each applicable requirement is implemented, supported by evidence (configurations, screenshots, logs, policies and procedures) that demonstrates the implementation actually exists. Businesses that fall short of the full requirement set may submit a Plan of Action and Milestones (POA&M) to document remediation work, but at Level 2 a POA&M is allowed only for a limited subset of requirements, only if the assessment score is at least 88 of 110, and the rule sets a strict 180-day window to close the open items before a conditional status expires. Independent assessments by a third-party auditor can help businesses identify and document unmet requirements before a formal CMMC assessment.
- Controls – The 15 requirements at Level 1 and the 110 requirements at Level 2 cover areas such as multi-factor authentication for local and network access to systems handling CUI (a Level 2 requirement, NIST SP 800-171 3.5.3), centralized logging with active monitoring, consistent patch management and least-privilege access enforcement. NIST SP 800-171 requires periodic vulnerability scanning of systems and applications (3.11.2), and running those scans against the scoped environment is the most direct way to surface gaps through automated analysis; penetration testing is not required, but it validates whether the controls hold up under the kind of pressure an attacker would apply.
- Sustainment – CMMC status must be maintained year over year, not just earned once. Level 1 requires an annual self-assessment and affirmation in SPRS. Level 2 self-assessments and certifications carry a three-year validity period but require an annual affirmation in years two and three. Changes to the business, including acquisitions, divestitures, technology migrations and new data flows, can shift the compliance posture and the scope of the next assessment.
Prepare for CMMC 2.0 with SWK Technologies
CMMC 2.0 has reshaped how cybersecurity compliance is verified for businesses across the federal supply chain, and the practical work of preparing for an assessment can take months depending on the current state of your security program. SWK Technologies will help you evaluate your cybersecurity posture against the controls that CMMC and similar frameworks rely on, identify gaps through structured assessments and document the evidence needed to demonstrate compliance.
Sign up here for an independent assessment by SWK and let us help you validate whether your security controls meet NIST guidelines and comply with the latest cybersecurity regulations.
