April 18, 2025
If you're in the Defense Industrial Base (DIB), these changes will directly impact your business operations and ability to bid on DoD contracts.
Understanding CMMC 2.0 is no longer optional—it's essential for your company's future with the Department of Defense.
In this article, you'll learn:
CMMC 1.0 introduced a complex 5-level model that many contractors found confusing.
CMMC 2.0 has streamlined this into a more straightforward 3-tier approach.
Gone are the transitional levels 2 and 4.
The new levels have been renamed to Foundational (Level 1), Advanced (Level 2), and Expert (Level 3).
This simplification makes it much clearer which level your organization needs to target based on the data you handle.
For most DIB organizations, the requirements break down like this:
One of the most significant changes in CMMC 2.0 is the elimination of all "delta" requirements.
These were additional security practices and maturity processes that CMMC 1.0 added beyond the baseline DFARS requirements.
CMMC 2.0 has returned to requiring the 110 NIST SP 800-171 security requirements at Level 2 and additional NIST SP 800-172 requirements at Level 3.
This alignment with established NIST standards makes compliance more straightforward for organizations already working toward NIST SP 800-171 implementation.
CMMC 1.0 required 100% implementation of all security requirements.
No exceptions.
CMMC 2.0 introduces a more practical approach by allowing Plans of Action and Milestones (POA&Ms).
This means organizations can achieve certification even with some gaps, provided they have a clear plan to address them.
However, there are important restrictions:
This flexibility acknowledges the real-world challenges of implementing comprehensive cybersecurity measures while still maintaining high standards.
Another major change is the introduction of self-assessment options.
Under CMMC 1.0, all assessments required third-party certification.
CMMC 2.0 allows:
This tiered approach reduces costs for smaller contractors while maintaining appropriate scrutiny for organizations handling more sensitive information.
The DoD published the final rule for the CMMC Program on October 15, 2024.
The program will roll out in four phases over three years:
Phase 1: Expected to begin in early to mid-2025, requiring Level 1 (Self) and Level 2 (Self) assessments for applicable contracts.
Phase 2: Begins six months after Phase 1, continuing the requirements from Phase 1.
Phase 3: Begins one year after Phase 2, adding Level 2 (C3PAO) assessment requirements and possibly Level 3 (DIBCAC) assessments for high-value contracts.
Phase 4 (Full Implementation): Begins three years after the effective date of Phase 1, with CMMC requirements included in all applicable DoD solicitations and contracts.
This phased approach gives organizations time to prepare, but the clock is ticking.
CMMC 2.0 represents a more pragmatic approach to securing the defense supply chain.
The streamlined level structure, alignment with NIST standards, and introduction of POA&Ms all reflect feedback from the defense industrial base.
But don't mistake these changes for a relaxation of security requirements.
The core mission remains the same: protecting controlled unclassified information throughout the defense supply chain.
What you've learned today should help you navigate the evolving CMMC landscape and prepare your organization for what's coming next.
The time to start preparing is now, as the first phase of implementation is expected to begin in early to mid-2025.