12 November 2025

Tips for CMMC success

The Cybersecurity Maturity Model Certification (CMMC) 2.0 came into force on November 10, 2025. S-RM cyber experts Stephen Ross, Jordan Toth and Matthew Mettenheimer caught up to discuss the revised CMMC framework in the webinar ‘Getting set for CMMC success’. During their conversation they detailed the evolution of CMMC, the impact of the revisions on organizations handling defense contracts, and how compliance can bring competitive advantage. Below is a short summary of their webinar; watch it in full for more tips and advice.

How did we get here? A brief history of CMMC

The US defense sector made cyber maturity and protection a clear priority in October 2016 with the introduction of the Defense Federal Acquisition Regulation Supplement (DFARS) – a new legal requirement underpinning defense contracts. This law required contractors to implement technical controls and standards issued by the National Institute of Standards and Technology (NIST) to protect sensitive defense information.

The clauses within DFARS required organizations handling sensitive DoD information to submit a self-assessment or attestation of their cyber posture, but by 2020, with numerous cyber breaches still happening, it was clear the self-assessment model was not working and a more rigorous and enforceable framework was needed. This paved the way for the Cybersecurity Maturity Model Certification, or CMMC. This model introduced tiered certification, whereby some tiers require independent third-party assessments while lower-sensitivity contracts still rely on self-attestation.

In 2025, CMMC 2.0 is even more stringent, recognising the complexity of today’s digital environments, including the risks posed by third parties who may have access to Controlled Unclassified Information (CUI).

What are the levels in CMMC 2.0?

In summary, there are three levels within CMMC, each reflecting the sensitivity of the data an organization is handling:

  1. Level 1: Federal Contract Information (FCI)
  2. Level 2: Controlled Unclassified Information (CUI)
  3. Level 3: very sensitive information, i.e. critical CUI

The number and type of controls increase with the sensitivity of the data. Level 1 (FCI) requires 17 controls to be in place, compared to Level 2, which has a broader, more stringent set of 110 security controls as well as 320 assessment objectives that would be checked by an external auditor. Level 3 expands further still, to over 140 control requirements needed to gain certification.

Steps to finding your level

  1. Understand contract stipulations: Review the contracts you are currently working with to determine CMMC requirements.
  2. Assess data handling: Identify whether your organization handles Controlled Unclassified Information (CUI) or other sensitive data, which influences your required CMMC level.
  3. Consider organizational size: Smaller organizations typically fall under Level 1 unless they engage in mission-critical work for the government.
  4. Vendor relationships: If you are a tiered or tertiary vendor to a primary government contractor, you may be subject to Level 2 requirements even if the work seems less critical.
  5. Flow down requirements: Be aware of requirements passed down from prime contractors even if your company does not have a direct contract with the government.
  6. Evaluate compliance needs: If any of your contracts or relationships necessitate Level 2 compliance, you must meet those requirements regardless of other contract levels.
  7. Identify obligations: Understand what your specific contractual obligations are and what level of compliance is required for each.
  8. Vendor oversight: Ensure that any vendors you work with who handle CUI data are also compliant with necessary CMMC levels to avoid contract breaches.

Building blocks of compliance

[Figure 1: Building blocks of CMMC compliance]

A helpful way to visualise compliance is through the model in Figure 1. Compliance starts at the core with DFARS (Defense Federal Acquisition Regulation Supplement), which provides:

  • The legal foundation for compliance requirements, and
  • The definition of mandatory standards and practices for defense contractors.

The next layer is NIST (National Institute of Standards and Technology) SP 800-171 which:

  • Provides technical controls and standards.
  • Features 110 controls across 14 families, ensuring protection of Controlled Unclassified Information (CUI), and
  • Is considered more stringent than frameworks such as the NIST CSF.

The third layer is ITAR (International Traffic in Arms Regulations) which:

  • Manages the export and import of defense-related articles and services, and
  • Requires compliance when handling ITAR-controlled data, often necessitating data hosting on U.S. servers.

The last layer is CMMC (Cybersecurity Maturity Model Certification) which:

  • Is the certification process that verifies compliance through third-party audits, and
  • Levels 2 and 3 require detailed audits to ensure implementation of necessary controls.

Challenges and opportunities of CMMC 2.0 compliance

Non-compliance with CMMC 2.0 will simply mean loss of defense contracts. The Department of Defense and the Department of War must protect national secrets with strong controls so that adversary states are not able to gain any inside information.

We have seen some organizations, after reviewing the compliance requirements, consider the uplift required for compliance incommensurate with the size or focus of their business and decide not to pursue certification. This provides opportunities for organizations that are pursuing CMMC 2.0 compliance to gain ground in the marketplace as other organizations exit.

Another factor to consider in achieving compliance is your insurance posture. Failing to achieve CMMC compliance when required to do so could be a red flag for an insurer and make insurance renewal harder. Conversely, for those that do achieve compliance, having a more stringent set of cybersecurity and IT controls in place could lead to more favourable premiums.

Watch Steve, Matt and Jordan discuss all these points in detail and do not hesitate to reach out to the team if you have any questions.
