    Updated: May 9, 2026

    CMMC 2.0 Becomes A Contract Test For Defense Contractors

    CMMC 2.0 is now a contract requirement for many U.S. defense contractors after the Department of Defense finalized the DFARS rule that lets contracting officers put Cybersecurity Maturity Model Certification requirements directly into solicitations, contracts, task orders and delivery orders starting November 10, 2025. The rule turns CMMC from a long-running compliance planning issue into an award-eligibility issue for contractors that process, store or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on nonfederal systems.

    What Does The CMMC 2.0 Contract Requirement Mean For Defense Contractors?

    The CMMC 2.0 contract requirement means defense contractors must have the required CMMC status recorded in the Supplier Performance Risk System (SPRS) before award whenever a covered solicitation names a CMMC level. Contractors without the required status and a current annual affirmation can lose eligibility for the contract, task order or delivery order.

    The DFARS final rule, published on September 10, 2025, amended 48 CFR Parts 204, 212, 217 and 252 to add the acquisition mechanism for CMMC. The separate program rule at 32 CFR Part 170, effective December 16, 2024, created the CMMC program itself. 

    The key contract clause is DFARS 252.204-7021, titled Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements. The key solicitation provision is DFARS 252.204-7025, titled Notice of Cybersecurity Maturity Model Certification Level Requirements. 


    When Did CMMC 2.0 Become A DoD Contract Requirement?

    CMMC 2.0 became a DoD contract requirement on November 10, 2025, when the DFARS final rule took effect and Phase 1 began. DoD’s public CMMC page says phased implementation has begun, with Phase 1 running from November 10, 2025, to November 9, 2026.

    The timeline stretches back to 2019, when DoD began developing CMMC to move away from cybersecurity self-attestation. DoD issued an interim DFARS rule in September 2020, announced the simplified CMMC 2.0 model in November 2021, published the 32 CFR Part 170 final program rule on October 15, 2024, and published the DFARS final acquisition rule on September 10, 2025.

    Full implementation is set for Phase 4, which begins one calendar year after Phase 3. Under the current schedule, all applicable DoD solicitations and contracts, including option periods on earlier contracts, will include CMMC program requirements once Phase 4 begins. 

    Which CMMC 2.0 Levels Must Defense Contractors Prepare For?

    Defense contractors must prepare for CMMC Level 1, Level 2 or Level 3, depending on whether their systems handle FCI, CUI or higher-priority CUI tied to sensitive DoD programs. DoD reduced the original CMMC model from 5 levels to 3 levels after industry feedback.

    CMMC Level 1 uses an annual self-assessment against the 15 safeguarding requirements of FAR 52.204-21. CMMC Level 2 uses the 110 requirements in NIST SP 800-171 Revision 2 and, depending on the solicitation, requires either a self-assessment or an assessment by a CMMC Third-Party Assessment Organization (C3PAO). Level 3 adds 24 selected requirements from NIST SP 800-172 and requires a government assessment by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC).

    NIST published SP 800-171 Revision 2 in February 2020, and DoD’s current CMMC rule still uses that version for Level 2 assessments. NIST later published Revision 3 in May 2024, but CMMC does not automatically shift to that standard without DoD rulemaking. 

    Which Defense Contractors Are Covered By CMMC 2.0?

    CMMC 2.0 applies to DoD solicitations and contracts where a defense contractor or subcontractor will process, store or transmit FCI or CUI on unclassified contractor information systems. The rule excludes contracts and orders solely for commercially available off-the-shelf items and does not apply to federal information systems operated for the government. 

    DoD estimated the defense industrial base includes more than 220,000 companies that process, store or transmit FCI or CUI in support of military missions. In the DFARS rule, DoD estimated 337,968 impacted prime and subcontractor entities by Year 4, including 229,818 small entities. 

    Prime contractors must flow down CMMC requirements to subcontractors and cannot pass FCI or CUI to subcontractors that lack the required CMMC level for the information being shared. Subcontractors must apply the same flowdown principle to lower-tier suppliers. 

    What Must Defense Contractors Put In SPRS For CMMC 2.0?

    Defense contractors must put current CMMC status, self-assessment results when applicable, CMMC unique identifiers (UIDs) and annual affirmations into SPRS for each system that processes, stores or transmits FCI or CUI under the contract. A current affirmation of continuous compliance cannot be older than 1 year.

    The solicitation provision requires offerors to provide CMMC UIDs in the proposal for each contractor information system that will process, store or transmit FCI or CUI. The offeror must update the list when new CMMC UIDs are generated in SPRS. 

    The contract clause requires contractors to maintain the required CMMC status for the contract period, process covered information only on systems with the required CMMC status, and keep annual affirmations current for each applicable CMMC UID. 

    CMMC 2.0 noncompliance can create contract-award ineligibility, loss of future award eligibility for affected systems, standard contractual remedies and False Claims Act risk when contractors misstate cybersecurity status. The DFARS clause makes eligibility depend on current CMMC status and current affirmation in SPRS. 

    Conditional Level 2 and Level 3 statuses depend on POA&M closeout. The 32 CFR Part 170 rule says a Conditional Level 2 (C3PAO) status expires when the contractor fails to close out the POA&M within 180 days, and the contractor becomes ineligible for additional awards at that level or higher for the covered system until a new status is achieved.

    Bloomberg Law commentary in November 2025 warned that cyber professionals at defense contractors face rising pressure because inaccurate cyber compliance claims can carry fraud and whistleblower risk. The article cited prior Justice Department False Claims Act settlements involving Raytheon and Aerojet Rocketdyne as examples of cybersecurity compliance disputes in the defense market. 

    What Should Defense Contractors Do Now For CMMC 2.0 Phase 1?

    Defense contractors should identify the CMMC level tied to each DoD opportunity, confirm whether systems handle FCI or CUI, update SPRS entries, complete annual affirmations, close NIST SP 800-171 gaps using a structured NIST 800-171 compliance checklist and prepare subcontractor flowdown language before bidding. These steps now affect award eligibility, not just audit readiness.

    The most urgent tasks are practical. Contractors should maintain a current system security plan, validate the assessment scope, document CUI boundaries, confirm external service provider scope, preserve evidence for assessment, and schedule C3PAO work early when Level 2 certification is required.

    Contractors seeking Level 2 certification should treat POA&Ms as limited exceptions, not a broad substitute for control implementation. A conditional status can support eligibility only when the rule permits it (for Level 2, the assessment score must be at least 88 of 110 and only lower-weighted requirements may be left open) and when the contractor can close the POA&M within 180 days.

    How Ready Is The Defense Industrial Base For CMMC 2.0?

    The defense industrial base remains unevenly prepared for CMMC 2.0, according to industry surveys and trade reporting. DefenseScoop reported in January 2025 that a Redspin survey of 107 respondents found 58% were not ready for the final rule, including 13% that had taken no preparatory action. 

    Cybersecurity Dive reported in September 2025 that a Cybersheath survey of 300 contractors found only 1% reported 100% readiness, while the median readiness level was 70%. The same report said none of the respondents reported an SPRS score of 110, the full score associated with NIST SP 800-171 implementation. 

    National Defense reported that a Kiteworks survey of 461 organizations found nearly half were unprepared for CMMC compliance. The report said 44% had not implemented end-to-end encryption and 42% lacked visibility into third-party ecosystems. 

    What Will CMMC 2.0 Cost Small Defense Contractors?

    CMMC 2.0 will impose direct assessment, documentation, remediation and affirmation costs on small contractors, although the total cost depends on level, assessment type, system scope and C3PAO pricing. DoD estimated 229,818 small entities would be affected by Year 4 of the DFARS rollout. 

    DoD estimated the Year 4 mix at 209,540 Level 1 self-assessments, 6,759 Level 2 self-assessments, 118,289 Level 2 certificates and 3,380 Level 3 certificates across small and large entities. It said the phased rollout was intended to reduce financial disruption, especially for small entities. 

    Industry pushback has focused on upfront costs, C3PAO availability, internal security staffing and uncertainty about assessment evidence. DoD acknowledged comments that CMMC could burden small firms but said the value of protected information does not decline when CUI moves through lower-tier suppliers. 

    What Open Questions Remain For CMMC 2.0 In 2026?

    The main open questions in 2026 involve assessor capacity, Level 2 certification bottlenecks, cost recovery, waiver use, treatment of NIST SP 800-171 Revision 3, and how aggressively contracting offices apply CMMC requirements before full implementation. DoD has begun Phase 1, but many contractors still face assessment and evidence gaps. 

    DoD’s current rules give program managers and requiring activities discretion during the first 3 years of rollout. That discretion means some contracts may require CMMC earlier than contractors expect, especially when the information risk is higher. 

    The rule’s broader significance is that cybersecurity proof now sits inside procurement. Contractors can no longer treat CMMC as a future audit exercise when covered solicitations require a current CMMC status before award.

    How Bright Defense Helps Defense Contractors Prepare For CMMC 2.0 Contract Requirements

    Bright Defense helps defense contractors prepare for CMMC 2.0 contract requirements through Penetration Testing, Continuous Compliance and Security Assessments that connect technical security work to DoD award eligibility. The goal is to help contractors find gaps, document evidence, validate controls and reduce last-minute risk before CMMC appears in a solicitation.

    Penetration Testing can test whether exposed systems and access paths threaten FCI or CUI environments. Continuous Compliance can track CMMC tasks, SPRS evidence and annual affirmation readiness. Security Assessments can review NIST SP 800-171 coverage, scoping boundaries, subcontractor flowdown and remediation priorities before a Level 2 C3PAO assessment or Level 3 DIBCAC review.

    Sources Cited In This CMMC 2.0 Report

    1. Department of Defense, Federal Register — Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation Of Cybersecurity Requirements (September 10, 2025)
      https://www.federalregister.gov/documents/2025/09/10/2025-17359/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
    2. Department of Defense, Federal Register — Cybersecurity Maturity Model Certification Program (October 15, 2024)
      https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program
    3. eCFR — 32 CFR Part 170, Cybersecurity Maturity Model Certification Program
      https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-G/part-170
    4. Acquisition.GOV — DFARS 252.204-7021, Contractor Compliance With The Cybersecurity Maturity Model Certification Level Requirements
      https://www.acquisition.gov/dfars/252.204-7021-contractor-compliance-cybersecurity-maturity-model-certification-level-requirements
    5. Department of Defense CIO — Cybersecurity Maturity Model Certification
      https://dodcio.defense.gov/CMMC/Model/
    6. DoD Office of Small Business Programs — CMMC 2.0 Details And Links To Key Resources
      https://business.defense.gov/Programs/Cyber-Security-Resources/CMMC-20/
    7. NIST — SP 800-171 Revision 2, Protecting Controlled Unclassified Information In Nonfederal Systems And Organizations (February 2020, updates as of January 28, 2021)
      https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final
    8. NIST — SP 800-171 Revision 3, Protecting Controlled Unclassified Information In Nonfederal Systems And Organizations (May 2024)
      https://csrc.nist.gov/pubs/sp/800/171/r3/final
    9. DefenseScoop — Pentagon To Officially Implement CMMC Requirements In Contracts By Nov. 10 (September 9, 2025)
      https://defensescoop.com/2025/09/09/cmmc-dfars-final-rule-amendment/
    10. Federal News Network — With CMMC Rule Final, DoD Focused On Training, Small Business Relief (September 10, 2025)
      https://federalnewsnetwork.com/acquisition-policy/2025/09/with-cmmc-rule-final-dod-focused-on-training-small-business-relief/
    11. DefenseScoop — Report Finds Large Gap In CMMC Readiness Among Defense Industrial Base (January 28, 2025)
      https://defensescoop.com/2025/01/28/redspin-report-cmmc-readiness-gap-2025-defense-industrial-base/
    12. Cybersecurity Dive — CMMC Is Coming, But Most Contractors Still Have A Long Road To Full Compliance (September 2025)
      https://www.cybersecuritydive.com/news/cmmc-defense-contractors-preparedness-survey/761538/
    13. National Defense Magazine — CMMC Phase 1 To Begin Nov. 10 (September 9, 2025)
      https://www.nationaldefensemagazine.org/articles/2025/9/9/cmmc-phase-1-to-begin-nov-10
    14. Bloomberg Law — Defense Contractors Are Silencing Their Cybersecurity Watchdogs (November 7, 2025)
      https://news.bloomberglaw.com/legal-exchange-insights-and-commentary/defense-contractors-are-silencing-their-cybersecurity-watchdogs

    Tamzid brings 5+ years of specialized writing experience across SaaS, cybersecurity, compliance, and blockchain. He’s skilled at simplifying complex concepts without losing depth. He follows the latest cybersecurity compliance updates and brings readers practical insights they can trust, keeping them ahead of the curve.
