For government contractors and the manufacturers who support them, cybersecurity has become as critical as cost, quality, and delivery. It is a business requirement that can determine whether you win or lose contracts. The Cybersecurity Maturity Model Certification, or CMMC, was developed by the Department of War to raise the bar for protecting sensitive information within its supply chain. Its updated version, CMMC 2.0, is now here, and enforcement begins October 1, 2025.
While that may sound like you have time to prepare, the steps required to achieve CMMC compliance can take 6-12 months to implement, particularly for small and mid-sized organizations. Now is the time for contractors and manufacturers to understand what CMMC 2.0 requires, how it differs from the original version, and how to begin preparing for the changes before they impact your contracts.
What Is CMMC and Why Does It Matter?
The Department of War relies on a vast network of contractors and subcontractors to provide goods and services, from software development and equipment manufacturing to logistics and maintenance. These organizations routinely handle two categories of sensitive but unclassified information: Federal Contract Information (FCI), which is information provided by or generated for the government under a contract and not intended for public release, and Controlled Unclassified Information (CUI), which is information that laws, regulations, or government-wide policies require to be safeguarded. Neither category is classified, but both are valuable to adversaries and need strong protection.
In the past, the Department of War relied on contractors to self-attest that they had implemented the required security controls (NIST SP 800-171, under DFARS clause 252.204-7012). Audits and assessments revealed that many companies were not fully compliant despite those attestations. The Cybersecurity Maturity Model Certification was introduced to fix this problem by requiring contractors and their supply chains to meet clearly defined cybersecurity standards and, in many cases, to verify compliance through independent assessments.
For contractors, CMMC determines eligibility for Department of War contracts. If you cannot demonstrate that you meet the requirements at the level specified for a project, you cannot be awarded that work. For manufacturers, it determines whether you can remain a supplier on defense programs in which you receive or generate FCI or CUI. Whether you are a prime contractor or a subcontractor, compliance is no longer optional.
What Is New in CMMC 2.0?
The original CMMC framework was released in 2020 with five certification levels. Many organizations, particularly small and mid-sized businesses, found it expensive and confusing to implement. In response to this feedback, the Department of War (then Department of Defense) introduced CMMC 2.0 in late 2021. This updated version simplifies the framework while maintaining its security goals.
Here are the most important changes:
Three certification levels instead of five:
Level 1 (Foundational):
Basic safeguarding practices for companies that handle only Federal Contract Information, based on the 15 requirements of FAR 52.204-21. This level requires an annual self-assessment, and no open gaps are permitted at Level 1.
Level 2 (Advanced):
The 110 security requirements of National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). Most Level 2 contracts involving CUI will require a certification assessment by an authorized third-party assessment organization (C3PAO) every three years; some contracts will instead allow an annual self-assessment. The contract itself specifies which applies.
Level 3 (Expert):
The highest level, for companies working on the most sensitive Department of War programs. It adds 24 selected requirements from NIST SP 800-172 on top of the Level 2 requirements, presupposes a Level 2 certification, and is assessed by the government (the Defense Contract Management Agency's DIBCAC) rather than by a C3PAO.
Alignment with NIST standards:
CMMC 2.0 is closely aligned with NIST SP 800-171, which makes it easier for companies that have already implemented those controls. Rather than introducing an entirely new set of requirements, CMMC 2.0 builds on established best practices.
Self-assessments for some organizations:
Under the updated framework, some companies, specifically those at Level 1 and those Level 2 contractors whose contracts allow it, can perform annual self-assessments rather than undergoing third-party audits. Self-assessment results are reported in the Supplier Performance Risk System (SPRS), and a senior company official must affirm continued compliance each year. This reduces the cost and complexity for smaller businesses, but it does not reduce the accountability for the accuracy of what is reported.
Plans of Action and Milestones (POA&Ms):
CMMC 2.0 allows the limited use of Plans of Action and Milestones (POA&Ms), which document how an organization plans to address specific gaps in compliance. The conditions are stringent. A POA&M is not permitted at Level 1 at all. At Level 2, the organization must already meet a minimum score (at least 88 of the 110 requirements) at the time of the assessment, and the most heavily weighted requirements (those scored at five points in the assessment methodology, such as multi-factor authentication and FIPS-validated encryption of CUI) are not eligible for a POA&M and must be fully implemented on assessment day.
Any item placed on a POA&M must be remediated within 180 days and confirmed by a POA&M closeout assessment; otherwise the conditional status lapses. Companies should not assume they will be granted a POA&M and must be prepared to demonstrate full compliance with the most critical requirements during the assessment. While POA&Ms offer some flexibility, they are not a substitute for readiness.
When Will CMMC 2.0 Be Enforced?
CMMC 2.0 is now officially in effect. The program rule (32 CFR Part 170) became effective on December 16, 2024, and C3PAO assessments began on January 2, 2025. On July 23, 2025, the Department of War (then Department of Defense) submitted the companion acquisition rule (48 CFR, the DFARS clause that actually places CMMC requirements in contracts) to the Office of Management and Budget for final review, with the stated goal of CMMC requirements beginning to appear in new Department of War solicitations and contracts on October 1, 2025.
The Department of War plans a phased rollout over three years:
Phase 1 (October 2025): CMMC requirements begin appearing in new DoW contracts. Level 1 contractors self-assess, and Level 2 contractors may self-assess where the contract allows it; the Department may also require Level 2 certification assessments in Phase 1 at its discretion.
Phase 2 (2026): Third-party CMMC Level 2 certification assessments become the default for contracts involving CUI.
Phase 3 (2027): Level 3 requirements, assessed by DIBCAC, begin appearing in contracts for the most sensitive programs.
Phase 4 (2028): Full implementation across all applicable DoW contracts, including option periods on existing contracts.
While the rollout is phased, organizations should prepare immediately. Industry experts consistently emphasize that it takes 6-12 months for the average defense contractor to become assessment-ready, and many organizations need even longer depending on their current cybersecurity posture.
What Happens If You Do Not Comply?
Failing to meet CMMC requirements has serious consequences.
You cannot bid on Department of War contracts. Without the required certification, your organization will be ineligible for new opportunities.
You risk losing existing contracts. If you are found to be noncompliant, you could lose your place in the supply chain.
You may face legal and financial penalties. A false attestation of compliance is a misrepresentation to the government and can be pursued under the False Claims Act, which the Department of Justice has used against contractors for cybersecurity misstatements.
You could damage your reputation. Prime contractors often require their suppliers to meet CMMC standards. If you cannot comply, you may lose their trust and future business.
The costs of noncompliance extend beyond missed opportunities. In a competitive defense market, maintaining your eligibility and credibility is essential for long-term success.
How to Prepare for CMMC 2.0 Now
With enforcement beginning October 1, 2025, the time to prepare is now. Here are the steps contractors and manufacturers should take:
Determine your required level: Review your current and future Department of War contracts to identify the type of information you handle and the level of certification you will need.
Conduct a gap analysis: Define the scope first (which systems, people, and locations store, process, or transmit FCI or CUI), then compare your existing practices in that scope to the controls in NIST SP 800-171. This identifies where you fall short and what needs improvement.
Build a remediation plan: Track each gap with an owner, a fix, and a due date, and close the most heavily weighted requirements first, since those cannot be deferred at assessment time. This internal plan is a working document; it is distinct from the limited POA&M an assessor may accept, and it should be empty by the time the assessment starts.
Update policies and procedures: Document key areas like access control, FIPS-validated encryption, incident response, and system configurations, and maintain a System Security Plan (SSP) that describes your scope and how each requirement is met. The SSP is required for Level 2 and is the first document an assessor will ask for.
Train your team: Employees play a critical role in maintaining compliance. Provide cybersecurity awareness training and ensure they understand their responsibilities when handling sensitive data.
Work with experts: Consider partnering with a CMMC-certified Managed IT Services provider or a CMMC consultant. They can assist with scoping, assessments, remediation, and ongoing compliance management.
Taking these steps now reduces the stress of last-minute preparation and puts you in a stronger position to maintain eligibility for Department of War contracts.
How Managed IT Services Providers Can Help
Managed IT Services providers play a vital role in helping organizations meet CMMC 2.0 requirements. They bring technical expertise, industry knowledge, and the resources needed to build and maintain a compliant cybersecurity program. It is important to note that an MSP that stores, processes, or transmits your CUI, or that provides security services such as monitoring or patching, is within the scope of your own assessment, so it must be able to demonstrate that its environment and processes meet the requirements at your level. Cloud services that hold CUI must additionally meet FedRAMP Moderate or an equivalent standard.
Some of the key ways an MSP can help include:
Implementing security controls: Setting up FIPS-validated encryption, multi-factor authentication, segmented and secure cloud environments for CUI, logging, and other technical safeguards.
Providing ongoing monitoring: Offering 24/7 network monitoring, regular vulnerability scans, and incident response support to detect and address threats quickly.
Preparing for audits: Assisting with documentation, generating compliance reports, and ensuring you are ready for third-party or government assessments.
Supporting supply chain compliance: Helping prime contractors evaluate the cybersecurity readiness of their subcontractors to reduce downstream risk.
Delivering employee training: Offering programs that keep staff informed about cybersecurity risks and compliance requirements.
By outsourcing these tasks to an experienced MSP, contractors and manufacturers can focus on their core business while ensuring they meet the strict standards set by the Department of War.
Why Acting on CMMC 2.0 Now Sets You Apart
CMMC 2.0 is reshaping how government contractors and manufacturers approach cybersecurity. With enforcement beginning October 1, 2025, and the lengthy implementation process required, the organizations that take action now will be in the best position to compete for Department of War contracts.
If you are unsure where to start, a readiness assessment is the first step. From there, you can build a clear plan, close any gaps, and ensure your organization is ready for full enforcement. Partnering with a CMMC-certified Managed IT Services provider can make this process faster, more efficient, and less overwhelming.
CMMC 2.0 is an opportunity to strengthen your business, protect your place in the supply chain, and position yourself for long-term success in the defense industry.
We’re ready to help you work smarter.
Call us at (865) 524-1124 or use this contact form. Let us know what you’d like to know more about and one of our experts will be in touch with you soon.