All Federal Defense Contracts Must Follow New CMMC Rules From This Week

New Pentagon cyber rules have taken effect after years of delay.

Published on Nov 12, 2025
Department Of Defense Policies Begin Enforcement Years After Being Announced

The US Department of Defense (DoD) has begun enforcing new cybersecurity requirements for defence contractors — more than six years after first announcing the framework.

The Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0), which came into effect on 10 November 2025, establishes mandatory standards that private companies must meet to be eligible for government defence contracts.

The framework sets out a single, unified set of standards that contractors must meet in order to be awarded defence-related contracts.

The model is designed to strengthen the security of the Defense Industrial Base (DIB), a network of roughly 300,000 contractors handling sensitive or classified information.

Until recently, each contractor was accountable for implementing and monitoring its own cybersecurity structures. Under CMMC 2.0, that responsibility shifts to a formal certification process that sets consistent standards across all suppliers.

In recent years, US defence contractors have been frequent targets of state-sponsored cyberattacks, including incidents attributed to China and Russia.

The introduction of CMMC 2.0 marks a shift in accountability, ensuring that companies handling sensitive government data meet the same baseline security requirements.

What does CMMC mandate?

CMMC 2.0 consolidates the five levels of the original 2019 model into three. Each contract specifies the level its supplier must hold, and the levels are cumulative: a Level 2 certification requires meeting every Level 1 practice, and Level 3 builds on Level 2.

  • Level 1 (Foundational): 15 basic cyber-hygiene practices drawn from FAR 52.204-21, for contractors that handle Federal Contract Information (FCI). Verified by an annual self-assessment.
  • Level 2 (Advanced): the 110 security requirements of NIST SP 800-171, for contractors that handle Controlled Unclassified Information (CUI). Depending on the contract, verified either by self-assessment or by a certified third-party assessor (C3PAO).
  • Level 3 (Expert): Level 2 plus 24 additional requirements from NIST SP 800-172, aimed at protecting CUI against advanced persistent threats (APTs). Assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

10 November marked the start of the first phase of a three-year rollout, structured as follows:

  • Phase 1 (2025–2026): Contractors must complete self-assessments for Level 1 and Level 2 cybersecurity compliance.
  • Phase 2 (starting November 2026): Contractors handling more sensitive information will need third-party certification for Level 2 compliance, conducted by authorised assessors (C3PAOs).
  • Phase 3 (from November 2027): The most advanced requirements, Level 3, will be introduced, requiring assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

The Department has described the first phase as the “beginning of enforcement,” with the new clauses to be included in new solicitations and contracts issued after 10 November 2025, excluding commercial off-the-shelf procurements.

The Response

Despite years of preparation, many companies remain underprepared.

In January 2025, Redspin published a survey report in which 58% of respondents said they did not feel prepared for CMMC enforcement.

Industry groups have raised concerns about the administrative burden and cost of certification — particularly for smaller firms — but few dispute the need for consistent security standards across the supply chain.

The CMMC has faced multiple delays since it was first announced in 2019, as officials revised its scope and requirements in response to industry feedback.