If your company does business with the Department of Defense (DoD) – either directly as a prime contractor or indirectly as a subcontractor – big changes are here in how you must handle cybersecurity. On September 10, 2025, the DoD published a final rule launching the Cybersecurity Maturity Model Certification (CMMC) program into its contracting process [1]. In plain terms, this means cybersecurity compliance will now be a formal requirement in DoD contracts going forward. Starting November 10, 2025 (when the rule takes effect), new DoD contracts will include CMMC requirements [2]. Eventually, if you don’t meet these cybersecurity requirements, you won’t be able to win or even keep DoD contracts – in short, no compliance, no contracts [2].
What is CMMC?
- It has 3 levels of security maturity. Level 1 is basic cyber hygiene, Level 2 is more advanced security for sensitive data, and Level 3 is the highest level for the most critical defense information. (More on these levels in a moment.)
- It applies to companies handling different types of defense information. For example, if you only handle routine federal contract information (like schedules, invoices, or basic deliverables that aren’t public), you’ll need a lower level of security. If you handle sensitive but unclassified information (e.g. technical designs, specifications, or personal data) – called Controlled Unclassified Information (CUI) – you need a higher security level.
- You will need to pass an assessment to get certified. Depending on the level, this could be a self-assessment or a third-party audit. Once certified, you’ll periodically need to reaffirm or renew it (similar to how a business might maintain an ISO certification).
Why Does CMMC Matter?
When and How is This Happening? (Timeline)

What does this phased approach mean for you? There’s a grace period of sorts – not every contract will require CMMC immediately in late 2025. However, the clock is ticking. If you plan to seek new contracts (or renew existing ones) in the next couple of years, you should start preparing now so that you have the required certification by the time it applies to you. Some larger contractors are already getting certified, and many small businesses are using this lead-up time to get ready.
Also, note that CMMC isn’t just for prime contractors. It flows down to subcontractors as well. If you’re a subcontractor, you may not see the CMMC clause directly in your subcontract, but you will be required by your prime contractor to have the appropriate CMMC level if the prime contract calls for it. (Primes are obligated to ensure their subs comply [1].) The vast majority of defense contractors are actually subcontractors, so this flow-down rule is a big deal – it means small businesses in the supply chain also must meet CMMC, not just the big primes.
CMMC Levels Made Simple
CMMC has three levels in the current version (often called CMMC 2.0). Each level corresponds to the sensitivity of information you handle and has a set of cybersecurity practices you must implement. Here’s an easy way to understand them:
- Level 1 (Foundational) – Basic cyber hygiene. This is the entry level of CMMC, focused on companies that handle only Federal Contract Information (FCI) – that is, information provided or generated under a contract which is not public but also not highly sensitive (no CUI) [3]. There are 17 baseline security practices to implement (things like using antivirus, using strong passwords, basic access control, etc.). Assessment: You can do an annual self-assessment for Level 1. Essentially, you will affirm each year that you have these basic safeguards in place [1].
- Level 2 (Advanced) – Good security for protecting sensitive data. Level 2 applies to contractors that handle Controlled Unclassified Information (CUI) – this is sensitive information like schematics, technical data, personnel data, or anything the government says needs protecting but isn’t classified [3]. Level 2 is roughly equivalent to meeting all the requirements of NIST SP 800-171 (110 security controls established by the National Institute of Standards and Technology) – in other words, a robust set of cybersecurity practices covering areas like access controls, incident response, risk assessment, etc. Assessment: For most contracts, Level 2 requires a third-party certification. An accredited CMMC assessor (from a C3PAO – Certified Third-Party Assessor Organization) will need to audit your company’s practices and grant you a certificate that is valid for 3 years [1]. (In a small number of cases, if the data is less critical, the DoD might allow self-assessment at Level 2 – but the DoD estimates only ~2% of contractors will be allowed to self-certify at Level 2 [2]. The vast majority will need the third-party audit.) You’ll also need to affirm annually that you’re maintaining the practices.
- Level 3 (Expert) – The highest level of cyber maturity. This is intended for a very small subset of contractors working on the most sensitive unclassified projects (critical national security information). It builds upon Level 2 by adding even more stringent controls (roughly an extra 20 requirements drawn from NIST SP 800-172, which is designed to counter advanced persistent threats) [1]. Assessment: Level 3 will require a government-led assessment – specifically, an audit by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every 3 years [1]. Annual affirmations are also required. Level 3 is relatively rare – likely only about 1% of the defense contractor base will need Level 3, as it’s for top-tier critical work [2].
In summary, Level 1 = basic self-assessed cybersecurity, Level 2 = robust cybersecurity (usually third-party validated), Level 3 = elite cybersecurity (government validated). Each company will need to achieve the level specified by the contract it’s working on (the DoD will indicate the required CMMC Level in the solicitation). If you’re not sure which level applies to you, a good rule of thumb is: if you never handle CUI, you’ll likely be Level 1; if you do handle CUI, plan for Level 2.
What Should Contractors Be Doing Now?
Whether you’re a seasoned DoD contractor or new to defense contracts, here are practical steps to take now in light of the CMMC final rule:
- Determine your required CMMC level. Review the kind of information your company handles for DoD contracts. If it’s only FCI (basic contract info), you’ll need Level 1. If you handle CUI (technical data, etc.), you’ll need Level 2. (Level 3 would likely be explicitly told to you for very critical contracts – if you haven’t heard of it, you probably don’t need Level 3.) Knowing your target level will guide your preparations.
- Assess your current cybersecurity practices. If you have been following NIST SP 800-171 requirements already (as required by the DFARS 252.204-7012 clause in past contracts), keep it up to date [1]. Now is the time to close any gaps in those controls. For example, are you using multi-factor authentication for remote access? Are you regularly training employees on security awareness? Conduct an internal audit or gap analysis against the required practices for your CMMC level.
- Update your SPRS score. The DoD’s Supplier Performance Risk System (SPRS) is where contractors post their self-assessment scores for NIST SP 800-171. Make sure your score is current and reflects your true compliance status. Contracting officers will be checking SPRS; in fact, during this rollout, they won’t exercise contract options or give new awards if your SPRS record isn’t up-to-date with a valid CMMC status [2]. Keeping SPRS updated is crucial to show you are working toward compliance.
- Sign up for free DoD cybersecurity resources. The DoD knows this is a big change, especially for small businesses, and has set up help. One great resource is Project Spectrum, run by the DoD Office of Small Business Programs. It offers free training courses, guides, and self-assessment tools to help companies with CMMC. You can register on the Project Spectrum website (projectspectrum.io) to access on-demand CMMC Level 1 and 2 training modules, and even take a mock self-assessment to see where you stand. This can be a good starting point to educate yourself and your team on what’s required. (Note: These resources are provided by the DoD and are free to use.)
- Develop a plan and get expert help if needed. Create a roadmap for achieving compliance. This might include scheduling a third-party readiness assessment, investing in new security tools (for example, encryption or monitoring software), updating policies and documentation, and training your staff on new procedures. Aim to remediate any identified weaknesses as soon as possible – remember, once the CMMC requirement hits your contracts, you don’t want delays. If this process feels overwhelming, consider bringing in outside expertise. EasyITGuys can assist with a pre-assessment, help implement required controls, and guide you through preparing for the official CMMC assessment. Getting help can streamline your compliance effort, ensuring you get it right the first time so you can stay focused on your business.
- Stay informed on timeline and contract updates. Keep an eye on your current and upcoming DoD contracts for CMMC clauses. The two key clauses to look for are DFARS 252.204-7021 and 252.204-7025, which will be inserted into contracts to specify CMMC requirements [1]. When you see these, pay attention to what level is required and by when. Also watch communications from your prime contractor (if you’re a sub) about CMMC flow-down. They might request proof of your certification or help you coordinate assessments.
Finally, recognize that CMMC is now a permanent part of doing business with DoD. It might seem like a lot to take in, but with the right plan and resources, you can achieve compliance and continue competing for the valuable opportunities in the defense sector. Cybersecurity is now as fundamental as quality control or safety when it comes to federal contracts – it’s part of the new normal.
Secure Your Future with EasyITGuys – Preparing for CMMC may feel daunting, but you don’t have to do it alone.
EasyITGuys specializes in helping defense contractors navigate cybersecurity requirements like CMMC. We offer consulting and hands-on support to get your systems up to standard, whether you need a basic Level 1 implementation or a full Level 2 readiness and certification plan. Our experts can conduct a pre-audit, help remediate gaps, and even manage the formal assessment process with you. Don’t wait until a contract opportunity is at risk – contact EasyITGuys today to create a CMMC action plan tailored to your business. We’ll help you protect your data and your DoD revenue by making sure you meet these new requirements smoothly and on time.