Understanding the new federal rules, their business impact, and what to do about them.
The Department of Defense (DoD) has finalized the Cybersecurity Maturity Model Certification (CMMC) 2.0 rules in 32 CFR and 48 CFR, making cybersecurity a condition of doing business with the federal government.
For companies in the Defense Industrial Base (DIB), this means eligibility for future contracts now depends on verified cybersecurity compliance.
This article explains what changed, how the rules affect prime and subcontractor relationships, what “scope” means in business terms, and how to plan realistic timelines for compliance.
When we say “compliance,” think “competitive.” Without meeting CMMC objectives, you will no longer be competitive for new work.
CMMC, like many government programs, features a lot of unique terms and acronyms. We spell out each acronym the first time it appears in this article, and have published a full CMMC glossary for your reference.
Note on Terminology
Recent executive policy permits the use of the name “Department of War” as an alternate reference to the Department of Defense (DoD). Both titles refer to the same federal department responsible for national defense and military operations. In this article, the term Department of Defense (DoD) is used for consistency, as it remains the department’s official legal name under federal statute. Readers may encounter either term in current government materials; both describe the same agency and programs.
The Rules Are In Place
Two regulatory foundations define the new DIB environment.
32 CFR Part 170 establishes the CMMC program itself — the certification levels, assessment requirements, and applicability.
48 CFR integrates these obligations into federal acquisition rules through updates to the Defense Federal Acquisition Regulation Supplement (DFARS).
Put simply, 32 CFR sets the standard, and 48 CFR makes it enforceable. Once a CMMC clause appears in a DoD solicitation or contract, compliance is mandatory, not optional.
CMMC is now law. It is no longer about preparing for something in the future. It is about acting now.
Why CMMC Matters to Business Leaders
For business leaders, this shift is not a technology issue.
If your organization works with the DoD and handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), it is now subject to CMMC. (More on the difference between FCI and CUI later.)
Failure to achieve the required certification level can block new awards, delay renewals, or even disqualify existing work. Compliance now defines business eligibility and competitive advantage.
This is not just about data protection. It is about protecting your own contracts, revenue, opportunities, and reputation.
A Streamlined but Serious Framework
CMMC 2.0 simplifies the earlier five-level model into three levels that align with NIST SP 800-171 Revision 2 and DoD cybersecurity expectations.
CMMC Implementation Rules and Timeline
The program rule (32 CFR) was finalized in late 2024, and the acquisition rule (48 CFR) was published in September 2025 with an effective date of November 2025.
The Department of Defense will phase in CMMC requirements across new contracts over several years rather than applying them all at once. This approach allows program managers and contracting officers to introduce CMMC clauses gradually, beginning with contracts that handle more sensitive information or pose higher levels of risk.
It is important to understand that the phased rollout does not mean companies can wait to prepare. It only means that not every new contract will contain CMMC language immediately. Contractors and subcontractors that are already compliant will be in the strongest position to compete as CMMC appears in more solicitations.
CMMC Level 1 vs. Level 2
The framework itself also provides some flexibility in how compliance is demonstrated. CMMC Level 1, which applies to companies handling only Federal Contract Information (FCI), will continue to be based on annual self-attestation.
CMMC Level 2 applies to companies that handle Controlled Unclassified Information (CUI). Although most organizations will eventually need an independent assessment by a Certified Third-Party Assessor Organization (C3PAO), the Department’s Phase 1 strategy focuses on allowing Level 2 self-attestation. During this phase, solicitations are expected to require only a Level 2 self-assessment even when CUI is involved, unless DoD program managers and contracting officers decide that a third-party assessment is necessary based on the needs of the program and the availability of qualified contractors.
This phased and flexible structure is designed to make implementation manageable while maintaining the DoD’s focus on protecting sensitive data. For business leaders, the takeaway is clear: readiness still matters now. Early preparation will ensure your organization is eligible for future contracts, regardless of when CMMC clauses appear in your specific opportunities.
Since whether a contractor handles FCI or CUI determines whether it must pursue CMMC Level 1 or Level 2, it is important to understand how each is defined.
Federal Contract Information (FCI) is information that is not intended for public release and is provided or generated under a contract with the government to develop or deliver a product or service. FCI typically applies to CMMC Level 1 requirements.
Some examples of FCI are:
Internal government points of contact, phone numbers, or email addresses that are not public.
Non-public invoice instructions or internal billing procedures.
Government-provided templates for reporting labor hours, expenses, or progress.
Controlled Unclassified Information (CUI) is sensitive information that requires safeguarding but is not classified. CUI is information that the government does not want publicly shared because it could create a mission, operational, privacy, or security risk. Handling CUI triggers CMMC Level 2 or higher obligations.
Some examples of CUI are:
A parts list containing internal codes, stock numbers, and usage data for DoD equipment.
Procurement specifications that include detailed performance requirements.
Non-public test results or evaluation data for equipment under development.
Subcontractor Relationships and Prime Expectations
Many DIB companies work as subcontractors under larger prime contractors.
Under the new rules, the government regulates primes directly but does not dictate how those primes manage their subcontractors. The relationship is governed by contract terms between the two companies.
In practice, this means a subcontractor may be required to meet a higher CMMC level than it would under direct government regulation.
For example, a prime contractor required to meet CMMC Level 2 may require some or all of its subcontractors to achieve Level 2 as well, even if they do not handle CUI.
This is a business decision, not a federal mandate.
Primes are managing their own risk and compliance posture by ensuring every link in their supply chain is strong.
Subcontractors should think strategically about these relationships.
What primes will you work with in the coming year? What levels of certification will they expect?
Starting those conversations early can prevent disruptions later and ensure your business remains a trusted partner.
What You Should Do Now
1. Engage a Cybersecurity Leader
The first step is to engage a security professional who understands CMMC.
Compliance is not only about implementing technical controls. It is about aligning cybersecurity with your company’s goals, objectives, and constraints.
A qualified security professional will help you interpret the requirements, define scope, and build a plan that fits your size, resources, and growth trajectory.
They will also help you understand why each control matters, ensuring you make informed decisions that balance compliance and efficiency.
Ideally, you find a cybersecurity professional who has experience with the DIB. While CMMC is new, DoD cybersecurity is not. There are also two certifications that denote CMMC-specific skills and knowledge.
CMMC Registered Practitioner (RP) – This designation is granted to individuals who have been trained in supporting organizations preparing for a CMMC assessment.
CMMC Certified Practitioner (CCP) – This certification is for individuals who have received training from a Licensed Training Provider (LTP) to assess, verify, and review the compliance of organizations pursuing CMMC.
I’m CMMC-CCP certified. If you need help with your CMMC program, I would be happy to help. You can reach out to me and the Fractional CISO team here.
2. Define Your Scope and Assess Your Readiness
Once that guidance is in place, begin defining your scope and assessing readiness.
Identify where government contract-related sensitive information resides, who has access to it, and how it is currently being protected. Compare your current practices against CMMC requirements and create a plan to close gaps.
Governance should be established early. Assign accountability, set timelines, and make cybersecurity a standing business discussion.
Talk with your subcontractors, vendors, and prime partners about their own readiness and expectations.
Building transparency across the supply chain will strengthen your competitive position and demonstrate maturity to the DoD and your partners.
Understanding Scope in Plain Terms
Scope defines what parts of your business fall under CMMC certification.
It is the boundary of the “secure environment” – the systems, processes, and people that touch DoD-related data. Everything inside that boundary must comply with the CMMC standard.
From a business standpoint, scope includes the contracts that require compliance, the data and systems involved, and the employees or vendors with access to that data.
Your marketing and HR tools may fall outside the boundary, but your engineering and production systems likely fall within it.
A clearly defined scope allows you to focus resources where they matter most and avoid over-securing areas that do not need inclusion.
Document your scope decisions carefully and be ready to explain them to assessors.
Clarity and precision will make your assessment smoother and reduce both risk and cost.
Planning Realistic Timelines
Beware companies promising you a shortcut route to CMMC compliance!
The vast majority of organizations will need months, not weeks, to become compliant.
Companies pursuing Level 1 (for FCI only) often need at least six months to document policies, implement practices, and perform a self-assessment.
Those pursuing Level 2 (for CUI) typically require a year or more. Level 2 also demands a third-party audit by a Certified Third-Party Assessor Organization (C3PAO).
Even if you reach internal readiness early, C3PAOs have limited availability and are booking assessments months in advance.
A company that waits until January to request an audit might not secure a date until the following year!
Such delays could disrupt contract renewals or exclude you from new opportunities.
Planning ahead is essential. Integrate CMMC milestones into your broader business strategy. Build readiness throughout 2025, and schedule assessments as soon as possible.
Companies that act now will be ready to compete while others are still waiting in line.
The Bottom Line
CMMC is now a permanent part of the defense contracting landscape. The rules are published, and enforcement has begun.
For business leaders, the path forward is clear:
1. Engage experienced help.
2. Define your scope.
3. Create a plan that aligns cybersecurity readiness with your operational objectives.
CMMC is already starting to appear in contracts. If you start the process today, your company will be much more competitive tomorrow.