The Cybersecurity Maturity Model Certification (CMMC) continues to evolve, shaping the cybersecurity landscape for Department of Defense (DoD) contractors
UPDATE May 28, 2025 – Title 48 CFR (Activation) (Title 48 Chapter 2 Subchapter A Part 204 Subpart 204.75) – Delay – According to sources, the approval of Title 48 CFR, which is the final step for implementing CMMC, has been delayed until late Q3 or early Q4 of 2025. This is mainly due to the change of government administration and the need to give the new Congress time to review and approve it. Once approved, Defense Industrial Base (DIB) partners will have 12 months from that date during which they will be allowed to self-certify that they meet the NIST SP 800-171r2 requirements. After that point, DIB partners will be required to have completed their CMMC certification. New contracts will require companies to complete CMMC certification as a condition of award.
Understanding CMMC Contract Clause TITLE 48-204.7503.
Use the clause at 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement, as follows:
(a) Until September 30, 2025, in solicitations and contracts or task orders or delivery orders, including those using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations and contracts or orders solely for the acquisition of commercially available off-the-shelf (COTS) items, if the requirement document or statement of work requires a contractor to have a specific CMMC level. In order to implement a phased rollout of CMMC, inclusion of a CMMC requirement in a solicitation during this time period must be approved by OUSD(A&S).
(b) On or after October 1, 2025, in all solicitations and contracts or task orders or delivery orders, including those using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations and contracts or orders solely for the acquisition of COTS items.
Who is Subject to CMMC?
All DoD prime contractors and subcontractors planning to bid on future contracts containing the CMMC DFARS 252.204-7021 clause will be required to obtain a CMMC certification prior to contract award. Prime contractors and subcontractors that access, process or store FCI (but not CUI) will require at minimum a Level 1 attestation. Each DoD contract will specify which CMMC level the contractor must meet.
CMMC Compliance Levels: Breaking It Down.
CMMC consists of three distinct levels of cybersecurity maturity:
Level 1 (Foundational): Requires an annual self-assessment against the 15 controls aligned with FAR 52.204-21 that apply to Level 1, AND an annual affirmation by a senior company official. At Level 1, an organization must demonstrate basic cyber hygiene practices, such as ensuring employees change passwords regularly, to protect Federal Contract Information (FCI). FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.” The company will also need to register these self-assessments and affirmations in the DoD’s Supplier Performance Risk System (SPRS).
Level 2 (Advanced): Level 2 comprises the 110 security requirements of NIST SP 800-171r2. At Level 2, an organization must have an institutionalized management plan to implement good cyber hygiene practices to safeguard Controlled Unclassified Information (CUI), covering all of the NIST SP 800-171r2 security requirements and processes.
NOTE: For 12 months after Title 48 CFR has been implemented, companies will be allowed to perform a self-assessment, but they will ultimately require a third-party assessment by a CMMC Third Party Assessment Organization (C3PAO). Contracting Officers will require companies to complete CMMC certification as a condition of award.
Level 3 (Expert): Companies handling the most sensitive information will need to meet Level 3 (Expert). Level 3 is based on the 110 controls of NIST SP 800-171r2 plus 24 controls from NIST SP 800-172. At Level 3, an organization must have standardized and optimized processes in place, along with additional enhanced practices that detect and respond to the changing tactics, techniques and procedures (TTPs) of advanced persistent threats (APTs). An APT is an adversary that possesses sophisticated levels of cyber expertise and significant resources to conduct attacks from multiple vectors. Capabilities at this level include having the resources to monitor, scan, and process forensic data.
NOTE: To achieve Level 3, organizations will first need to pass a Level 2 assessment by a C3PAO. The organization will then be assessed for Level 3 readiness directly by the US government.
What’s Next? Preparing for CMMC Certification.
Defence contractors must stay proactive in meeting their compliance obligations. With certification now a requirement for securing future contracts, businesses should prioritize strengthening cybersecurity practices, conducting internal assessments, and preparing for third-party evaluations.
As Title 48 CFR nears approval, ensuring readiness for the transition will be critical. Organisations looking to compete for US DoD contracts must align with CMMC requirements sooner rather than later, staying ahead of regulatory expectations and safeguarding sensitive government data.