Now that CMMC 2.0 enforcement is finally underway, the whole topic of the U.S. Department of Defense's Cybersecurity Maturity Model Certification needs to be revisited.
Version 2.0 was simplified and finalized in 2024 (the program rule, 32 CFR Part 170), but it only began appearing in contracts on November 10, 2025. From that date, defense contractors and companies hoping to become defense contractors must clear this latest set of requirements to win contracts with the U.S. Department of Defense (DoD).
Here’s a refresher on the certification, who needs it, and what organizations can do if they haven’t gotten started.
The Latest News on CMMC 2.0
While the original CMMC was introduced in 2020, the DoD published the final acquisition rule for the Cybersecurity Maturity Model Certification (CMMC), the DFARS rule, in the Federal Register on September 10, 2025.
This kicked off the implementation stage, in which a DFARS clause (DFARS 252.204-7021) inserts CMMC requirements into DoD contracts, making compliance a condition of future business with the Department as the phased rollout proceeds.
This begins a three-year phased rollout:
Phase 1 (from November 10, 2025): CMMC Level 1 and Level 2 self-assessment requirements appear in new solicitations and contracts.
Companies must submit their self-assessment results, together with an affirmation of compliance, in the Supplier Performance Risk System (SPRS).
Requirements expand with each phase (third-party Level 2 certification, then government-led Level 3 assessment), and after the three-year phase-in, by the fourth year, every contractor handling FCI or CUI must hold the CMMC level its contracts specify.
“This milestone marks the official transition from planning to execution,” the DoD Office of Small Business Programs (OSBP) states on its website. “It signals to all defense contractors, especially small and medium-sized businesses, that CMMC compliance is no longer optional.”
CMMC 2.0 vs. CMMC
What is the CMMC and Who Must Comply?
The CMMC is a DoD regulatory program, not an act of Congress. It applies to contractors and subcontractors doing business with the U.S. Department of Defense that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
Its goal is to secure the DoD's supply chain by ensuring that every company working on a defense contract adequately protects the FCI and CUI entrusted to it.
Before the CMMC was introduced, defense contractors only had to self-attest compliance with NIST SP 800-171 under DFARS 252.204-7012; CMMC adds independent verification of that compliance.
What’s New in CMMC 2.0?
CMMC 2.0 is a simpler, more streamlined version of the original CMMC, released in 2020. The original CMMC defined a five-level security framework with practices and maturity processes beyond NIST SP 800-171.
After a period of feedback, CMMC 2.0 was announced in November 2021 as a simplified three-level model.
It aligns more closely with what defense contractors were already used to complying with (NIST SP 800-171; Level 2 maps directly to its 110 requirements), and offers lower cost, more flexibility (including self-assessment for Level 1), and a better fit for small businesses.
CMMC 2.0 vs. FedRAMP
Do CMMC 2.0 and FedRAMP apply in the same spaces? They differ in scope, but they do overlap:
CMMC applies to DoD contractors only, and its assessment scope is the systems (and connected systems) that process, store, or transmit FCI or CUI.
FedRAMP applies across federal agencies, but only to their use of cloud service providers (CSPs).
Here is where the overlap occurs:
A DoD contractor that stores, processes, or transmits CUI in a cloud service is subject to both: DFARS 252.204-7012 requires that cloud service to meet the FedRAMP Moderate baseline (or an equivalent), while the contractor's own environment must meet the applicable CMMC level.
Fortra’s Role in CMMC 2.0 Certification
Attackers target the weakest link in a supply chain. CMMC 2.0 was implemented so that no private company doing business with the Department becomes that weak link in the DoD's supply chain.
This will require a new level of cybersecurity vigilance and, in many cases, investment from small and mid-sized companies hoping to win contracts in the next four years and beyond.
Fortra offers ample guidance on bringing your organization up to speed on the CMMC 2.0 requirements that are now in force.
Dive deeper into the three CMMC 2.0 security levels (Foundational, Advanced, and Expert).
Get your CMMC Compliance Checklist and see how well you stack up.
Learn how to obtain CMMC certification, why CMMC is important, its scope, and what to do to prepare.
And in this webinar, Fortra explains why Fortra Data Classification Suite (DCS) is one of the only solutions that can help organizations who do business in the defense space when it comes to classifying CUI for CMMC requirements.
No Weak Links in National Defense
The protection of the defense industrial base depends on the security of its data. This latest iteration of the CMMC is more than just another security framework. It is a binding DoD rule that officially makes verified cybersecurity a formal part of doing business with the U.S. Department of Defense.
And entering into 2026, it’s not a moment too soon.