With the final CMMC rule published, here’s a summary of what you need to know for your CMMC Level, and by when.
Another step closer. After more than seven years in the making, the US Department of Defense (DoD) finalized a rule establishing the Cybersecurity Maturity Model Certification (CMMC) program and outlining how it will work.
The final program rule was published in the Federal Register on 15 October and will go into effect on 16 December. From that date forward, certified third-party assessment organizations (C3PAOs) can begin official CMMC assessments.
Given there are roughly 100 assessment teams and 100,000 members of the Defense Industrial Base (DIB) requiring assessment, contractors should aim to be assessment-ready as soon as possible to get in line early.
Here’s a quick recap of everything you need to know.
According to the DoD, “the purpose of CMMC is to verify that defense contractors are compliant with existing protections for federal contract information (FCI) and controlled unclassified information (CUI) and are protecting that information at a level commensurate with the risk from cybersecurity threats, including advanced persistent threats.”
This final rule officially establishes the CMMC program. It also outlines how contractors need to safeguard FCI and CUI (depending on their CMMC Level) and how the certification process will verify that defense contractors have implemented the correct security requirements.
In addition, this final rule aligns the CMMC 2.0 program with the most up-to-date Federal Acquisition Regulations (FARs) and the relevant National Institute of Standards and Technology (NIST) requirements.
CMMC will apply to all DoD contracts above the micro-purchase threshold ($10,000), so almost every business that works with the DoD will need to comply - no matter their size. From domestic prime contractors (e.g. Northrop, Lockheed Martin and Boeing) to small international subcontractors (e.g. suppliers of custom parts), every part of the DoD supply chain will need to prove its CMMC compliance.
It doesn’t matter where a company is headquartered or operates. Foreign companies that work on DoD contracts still have to meet the same compliance requirements as US companies by the same timeline.
Although C3PAO assessments will launch in December, the updated Defense Federal Acquisition Regulation Supplement (DFARS) CMMC rule - which will make CMMC certification a DoD contract requirement - is not expected until the first half of 2025.
According to the DoD, “the rule change to contractually implement the CMMC Program will be published in early to mid-2025. Once that rule is effective, DoD will include CMMC requirements in solicitations and contracts. Contractors who process, store, or transmit FCI or CUI must achieve the appropriate level of CMMC as a condition of contract award.”
However, as prime contractors are responsible for ensuring their supply chain partners are CMMC-certified, some prime contractors might demand proof of CMMC compliance from suppliers before this date.
CMMC Level 1 (Foundational) is for companies that handle Federal Contract Information (FCI), such as non-technical data.
CMMC Level 2 (Advanced) is for companies that handle Controlled Unclassified Information (CUI), such as engineering drawings.
CMMC Level 3 (Expert) is for companies that handle CUI that is targeted by advanced persistent threats.
CMMC Level 1 requires contractors processing, storing or transmitting FCI to meet 15 cybersecurity requirements aligned with the Federal Acquisition Regulation clause FAR 52.204-21. To achieve compliance, CMMC Level 1 contractors must submit an annual self-assessment and affirmation.
CMMC Level 2 requires contractors handling CUI to implement 110 security controls aligned with Revision 2 of NIST SP 800-171 (an updated version of SP 800-171 was announced in May 2024, but the new version won’t be incorporated into the CMMC program yet). To achieve compliance, the vast majority of Level 2 contractors are required to undergo a third-party assessment through a C3PAO, which is then valid for three years, and to file an affirmation every year. Some selected Level 2 programs will be eligible for self-assessment.
CMMC Level 3 requires contractors that handle CUI linked to “a critical program or high value asset” to meet the 110 Level 2 security controls plus an additional 24 security requirements from NIST SP 800-172. To achieve compliance, Level 3 contractors will be assessed by government officials from the DoD’s Internal Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years and must submit an annual affirmation in the interim.
If you handle CUI, such as engineering drawings or design blueprints, you need to satisfy CMMC Level 2 security requirements. To comply with CMMC Level 2, there are 110 NIST SP 800-171 assessment controls, which are broken down into 14 families.
For more information on these controls and advice on how to meet them, check out our CMMC Assessment Cheat Sheet for CUI.
CMMC compliance is not an overnight fix. You first need to work out your CMMC Level and then create a plan to satisfy the relevant security requirements.
To get the ball rolling, address the simpler compliance controls first before tackling the more time-consuming elements of certification. For example, if you're CMMC Level 2, you should first identify where your CUI lives and what forms it takes (e.g. CAD files) to determine which information systems, assets or networks need to be controlled.
Next, look for cybersecurity tools that help you achieve compliance, but make sure they don’t slow down your existing workflows, so you continue to be competitive.
If your CAD files are CUI, download our eBook: How to easily protect and track CAD files that are CUI for CMMC compliance.
The recent rule publication stated that disagreements with third-party assessments cannot be appealed to the DoD, so contractors should ensure they know exactly what they need for their CMMC Level before applying for assessment.
If you’re still unsure what you need for CMMC 2.0, reach out to a Certified CMMC Professional (CCP) for advice. These professionals, who serve on the CMMC Level 2 assessment teams managed by C3PAOs, can advise on CMMC assessment readiness and the best way forward for your organization.
If you have CAD files that are considered CUI, get in touch with Secude’s Certified CMMC Professional, Blake Wood.