CMMC 2.0 Timeline: What's Coming and When

Hey there, defense contractor friends.

April 25, 2025

Today I'm going to break down the CMMC 2.0 timeline so you know exactly what's coming and when.

If you're in the Defense Industrial Base (DIB), understanding this timeline isn't just helpful—it's critical for your business survival.

The Department of Defense is moving forward with implementing cybersecurity requirements, and knowing the schedule helps you plan properly.

Here's what you'll learn today:

  • The key dates in the CMMC 2.0 implementation timeline
  • What changed between CMMC 1.0 and 2.0
  • How the phased approach affects your business
  • What you need to do right now to prepare

The Final Rule Is Here

The wait is over.

On October 11, 2024, the DoD released the final CMMC rule.

It was officially published in the Federal Register on October 15, 2024.

This marks the beginning of the countdown to implementation.

The current version is officially CMMC 2.13, though most still refer to it as CMMC 2.0.

Unlike the previous version, CMMC 2.0 has removed many of the unique requirements that made the original model so challenging.

The Three-Tiered Model

CMMC 2.0 simplified the previous five-level model to just three levels.

Level 1 (Foundational): Requires 15 basic cybersecurity practices for protecting Federal Contract Information (FCI).

Level 2 (Advanced): Requires all 110 NIST SP 800-171 security requirements for protecting Controlled Unclassified Information (CUI).

Level 3 (Expert): Builds on Level 2 with additional requirements from NIST SP 800-172 to address Advanced Persistent Threats.

The model is hierarchical, meaning you must implement all requirements from lower levels to achieve a higher level.

Is your organization ready for the level you'll need to achieve?

The Four-Phase Implementation Timeline

The DoD isn't implementing CMMC all at once.

Instead, they're using a phased approach over three years.

Phase 1 begins in early to mid-2025, when the 48 CFR CMMC acquisition final rule becomes effective.

During this phase, CMMC Level 1 and Level 2 self-assessments will be required for all DoD contract solicitations and awards.

This gives you some breathing room, but not much.

The clock is already ticking.

What's Different About CMMC 2.0?

CMMC 2.0 made several significant changes from the original version.

It eliminated all maturity process requirements and CMMC-unique security practices.

The new version allows for Plans of Action and Milestones (POA&Ms), something forbidden in CMMC 1.0.

This means you can achieve certification even with some shortfalls, as long as you address them within 180 days.

But there's a catch.

For CMMC Level 2, you must meet at least 80% of requirements (88 out of 110) at the time of assessment.

For Level 3, that's 19 out of 24 additional requirements.

What You Should Do Now

Don't wait until the last minute.

Start by determining which CMMC level applies to your organization based on the data you handle.

Conduct a gap assessment against the requirements for your level.

Develop a remediation plan to address any shortfalls.

Remember that some technical solutions, especially around encryption, must be FIPS-validated.

This isn't something you can implement overnight.

The sooner you start, the less painful the process will be.

Wrapping Up

The CMMC 2.0 timeline is now clear, with implementation beginning in early to mid-2025.

This gives you some time to prepare, but not much.

Today you learned about the simplified three-level model, the phased implementation approach, and the key differences from the original CMMC.

The most important takeaway?

Start preparing now.

The organizations that begin their compliance journey early will have a significant advantage when these requirements become mandatory.

Your future contracts depend on it.