
On Nov. 10, the Department of Defense (DoD) started implementing the Cybersecurity Maturity Model Certification (CMMC) 2.0 Program by directing contract officers to add the updated Defense Federal Acquisition Regulation Supplement (DFARS) clause to applicable new contracts and renewals. This launched a three-year phased rollout, making CMMC requirements increasingly common in solicitations until they become standard for most defense contracts.
CMMC was first introduced in January 2020.
The program has gone through significant changes since then:
- January 2020: CMMC 1.0 announced (had 5 levels)
- November 2021: CMMC 2.0 announced (simplified to 3 levels)
- December 2023: CMMC 2.0 proposed rule published in Federal Register
- October 2024: Final CMMC rule published
- November 10, 2025: Implementation began with updated DFARS clause
After years of delays and changes, cybersecurity is no longer a back-page requirement. It’s part of the contract conversation from the very beginning.
Defense contractors have had nearly six years since the initial announcement to start preparing, and about four years since CMMC 2.0’s structure was established.
For contracts where the CMMC clause applies, defense suppliers that don’t meet the required certification level can’t be considered eligible for award or renewal. Over time, that will directly affect a company’s ability to keep its place in the defense supply chain.
This shift is reshaping the Defense Industrial Base (DIB), which includes hundreds of thousands of businesses across the country. The message from the Pentagon is straightforward: if you want to handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) for DoD, you need to prove you can protect it. Learn more at: https://dodcio.defense.gov/cmmc/About/.
The urgency is rooted in how modern conflict actually works.
‘Adversarial Asymmetric Warfare’
“We are in an era of adversarial asymmetric warfare for which we have no comprehensive deterrence,” warned a 2018 MITRE study commissioned by the DoD. The report highlighted that adversaries don’t need to attack the United States directly. Instead, they can target vulnerable supply chains, cyber infrastructure, and people to quietly degrade national capabilities before they’re ever used.
MITRE is a not-for-profit corporation that operates federally funded research and development centers (FFRDCs) for the U.S. government. MITRE’s independence and technical credibility make them a trusted source for this type of strategic analysis, which is why their warning about adversaries targeting vulnerable supply chains carries significant weight.
The fact that MITRE identified these supply chain cybersecurity risks back in 2018 provides additional context for why CMMC became necessary: the threat assessment came from one of the government’s most trusted technical advisory bodies.
What Nov. 10 Changed
The updated DFARS 252.204-7021 clause will now be added to applicable solicitations and contracts, giving contracting officers the authority to make CMMC compliance a condition of award.
CMMC 2.0 has three levels, aligned to the sensitivity of information you handle.
Level 1 (Foundational) requires self-assessment for contractors handling FCI. The baseline includes 17 basic security practices covering access control, identification, authentication, media protection, and physical safeguards.
Level 2 (Advanced) mandates implementation of all 110 National Institute of Standards and Technology (NIST) Special Publication 800-171 controls. Depending on contract sensitivity, companies must either self-assess or undergo third-party audits to verify compliance. This verification requirement represents a shift from previous trust-based approaches. Now the DoD gets assurance that suppliers have implemented the required cybersecurity standards on non-federal information systems that process, store, or transmit Controlled Unclassified Information (CUI).
Level 3 (Expert) involves government-led assessments reserved for the most critical defense programs. This tier applies to fewer than 10% of DoD contractors.
Rollout Timeline
CMMC enforcement is phased:
- Nov 2025–Nov 2026: Level 1 and Level 2 self-assessments appear in applicable contracts.
- Starting Nov 2026: Third-party Level 2 assessments become more common.
- Starting Nov 2027: Government-led Level 3 assessments begin.
- By Nov 2028: DoD expects full implementation across applicable contracts.
For contractors, the window to prepare is narrowing quickly.
Many Prime Contractors Take Action
Major defense primes are already pushing compliance requirements down their supply chains. In a letter to suppliers, Leonardo DRS notified vendors that CMMC Level 2 requirements certified by a Certified Third-Party Assessor Organization (C3PAO) could appear in contracts “at any point within the next 2 years.”