Are you a supplier seeking to cash in on lucrative Department of Defense (DoD) tenders? If yes, you might well be on course to turn your fortunes around.
The United States military is the most heavily funded in the world, a position it has held consistently for several years. In Fiscal Year 2025, the DoD was allocated a whopping $841.4 billion. That excluded billions allocated to defense-related activities performed by several other agencies.
As expected, prospective DoD vendors must satisfy stringent eligibility criteria to secure any contract with the agency. One such requirement is demonstrating compliance with the Cybersecurity Maturity Model Certification (CMMC).
However, attaining CMMC compliance doesn’t only confer economic benefits to Defense Industrial Base (DIB) companies. It also helps safeguard national security and improve cyber hygiene for defense suppliers.
The CMMC framework has undergone significant upgrades over the years, the most recent of which culminated in the Final Rule published by the DoD on October 15, 2024. Vendors must keep up with CMMC news to ensure compliance with new cybersecurity controls.
We’ve prepared a guide to the latest changes defense contractors can expect in the revamped CMMC framework.
CMMC, short for the Cybersecurity Maturity Model Certification, is a framework developed by the United States Department of Defense to assess how defense vendors comply with relevant cybersecurity regulations.
As we’ll see, CMMC is organized into several levels. Most control measures are consistent with the cybersecurity guidelines published in the National Institute of Standards and Technology (NIST) 800-171.
As hinted, CMMC has undergone tremendous reforms over the years. The DoD has continually perfected the program to align it with emerging cybersecurity risks. The latest CMMC framework, known as CMMC 2.0, was unveiled on October 15, 2024, following the publishing of the Final Rule by the DoD.
As with previous upgrades, the recent changes to the CMMC rule were informed by mounting cybersecurity threats across the defense industrial base. The program is primarily intended to safeguard the handling and dissemination of two types of sensitive data – Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
According to the DoD, most cyber-attacks aimed at the federal agency previously targeted its central intelligence networks and military infrastructures. Such threats were easier to thwart as they focused on specific systems and often followed predictable patterns.
Unfortunately, hackers became shrewder and began attacking businesses further down the DoD supply chain. Since any breach can potentially lead to the leakage of sensitive defense information, it was time to reform the earlier CMMC program.
The new CMMC framework went into effect on December 16, 2024. It will now require defense contractors to rigorously probe their cybersecurity infrastructures and obtain proper CMMC certification to qualify for DoD tenders.
Since information is power, you’ll need to familiarize yourself with the recent upgrades to undertake proper CMMC assessments. You can then develop a robust CMMC policy template to track your organization’s compliance status.
Early CMMC frameworks had five maturity levels: Performed, Documented, Managed, Reviewed, and Optimized. These have since been collapsed into three.
Levels 3 and 4 were eliminated from the new CMMC program. However, Level 1 retained all its previous 17 controls.
Another significant modification was replacing Level 3 in the former CMMC program with Level 2 in the current framework, excluding the 20 delta practices from the previous level. Eliminating the delta controls brought the new CMMC Level 2 into closer alignment with NIST 800-171’s 110 controls.
Controls for Level 3, the most advanced of the three Levels, are currently under development. According to recent CMMC news, Level 3 will be modeled after a subset of NIST 800-172 standards to replace Levels 4 and 5 in the previous CMMC framework.
Here’s a brief overview of the three maturity levels under the current CMMC framework:
Level 1 in the new CMMC framework constitutes the foundational level. Organizations seeking certification (OSCs) must fulfill at least 15 of the 17 controls to be deemed compliant.
The foundational level calls for annual self-affirmations. Results from these assessments are published in the Supplier Performance Risk System (SPRS) for easy scrutiny by the DoD and other stakeholders.
CMMC Level 2, the Advanced Level, emphasizes adherence to the 110 NIST 800-171 controls. OSCs must fulfill at least 80% of these controls, with audits conducted every three years. Results are published on the government-owned web-based application – the Enterprise Mission Assurance Support Service (eMASS).
Companies that don’t meet all the control measures but score at least 80% receive conditional certification and have up to 180 days to remediate all gaps. This grace period is exercised within a framework known as the Plan of Action and Milestones (POA&M).
Another notable reform is the introduction of CMMC Third-Party Assessor Organizations (C3PAOs) for Level 2 audits. You can find accredited C3PAOs on the Cyber AB marketplace.
Finally, DIB companies seeking Level 3 compliance must fulfill all Level 2 controls plus 24 additional standards outlined in NIST 800-172. However, developing the extra controls is still a work in progress.
Compliance with CMMC Level 3 will be assessed by an official from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Below is a summary of all three CMMC levels:

| | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
| Total Number of Controls | 17 | 110 | 110 + 24 Others |
| Controls Mandatory for Certification | 15 | At least 80% | Unspecified |
| Assessment Type | Self | Third-party | Government-facilitated |
| Assessing Entities | DIBs themselves | C3PAOs | DIBCAC |
| Assessment Frequency | Annually | Triennially | Triennially |
Previous CMMC frameworks had glaring oversights that enabled smaller organizations to evade stringent certification procedures. However, those loopholes have since been sealed in the new CMMC rule.
Mandatory CMMC compliance is now imposed on all businesses that handle CUI or FCI. That includes both prime DoD contractors and their subcontractors.
Many small vendors have voiced concerns about the CMMC’s rather inhibitive certification fees. Despite the validity of such arguments, the DoD continues to implement sweeping controls for businesses of diverse scales.
Like smaller businesses, foreign companies exploited various loopholes in the previous CMMC framework to escape rigorous evaluations. That’s now a thing of the past. Moving forward, all foreign businesses seeking to join the DIB will undergo robust cybersecurity assessments as a mandatory eligibility criterion. That’s in addition to achieving ISO 27001 certification.
A statement in the Final Rule explicitly states that CMMC requirements will apply equally to domestic and international defense contractors. It further adds that this shall trickle down to all contractors, prime or otherwise.
External Service Providers (ESPs) are external vendors that provide goods and services to an organization but are separate legal entities from the contracting firm. While the DoD imposes blanket CMMC 2.0 compliance on businesses of all sizes, ESPs that don’t handle CUI are an exception. However, that privilege is conditional as well.
If a business has contractual obligations with the DoD but opts to subcontract the project to ESPs, the subcontracted firm must be certified. They don’t have to achieve certification levels similar to those of the companies contracting them.
Level 1 CMMC compliance now requires self-affirmations, while the two subsequent levels must be overseen by external actors – authorized C3PAOs and DIBCAC officials, respectively.
This hybrid approach to CMMC assessment will foster cybersecurity accountability among DIB companies. Letting vendors undertake basic cyber assessments internally enables them to take a proactive approach to averting cybersecurity threats across the defense supply chain.
The previous CMMC framework required C3PAOs to file V1.02 audit reports to the CMMC Accreditation Body, which would undertake the final assessment before issuing certifications.
To accelerate the certification process, the DoD replaced that provision. C3PAOs can now submit their audit findings directly to the DoD. In addition, the current CMMC cybersecurity model offers limited flexibility for OSCs who disagree with C3PAO-facilitated audits.
Previously, an organization could appeal audit reports within the C3PAO itself. If such appeals were overruled, the OSC could escalate it to the DoD. The current framework has no such flexibility. Instead, all appeals are conclusively determined by the CMMC AB.
Plan of Action and Milestones is one of the most revolutionary reforms to the previous CMMC framework.
Unlike before, companies that don’t meet all 110 controls during CMMC Level 2 assessments but score at least 80% may continue to operate normally. Such vendors can implement a POA&M, which requires them to commit in writing to addressing all deficiencies within a 180-day window.
A POA&M should be well-structured, outlining the security vulnerabilities detected during the audit and the control measures required to remediate them.
The cybersecurity landscape is constantly evolving. As such, it’s unsurprising that the DoD has continually refined its CMMC framework to adapt to emerging threats.
The most recent of such upgrades was the reduction of maturity levels from five to three and the imposition of mandatory compliance for both prime contractors and subcontractors. Others include the introduction of POA&Ms, the exception of ESPs, and implementing a phased roll-out timeline.
By keeping up with CMMC news, you can stay updated on emerging developments and implement the necessary controls to avoid costly penalties.
As a parting shot, remember to conduct routine cyber audits and update your cybersecurity templates regularly. It’s an ingenious way to proactively ward off threats rather than mitigate their impact after the fact.