29 October 2025

Is Your Business Ready For CMMC 2.0?

MGO CPA LLP

Contributor

As a global team of more than 500 financial service professionals, we stand ready to serve you through assurance, tax, consulting, outsourcing, and private client services where and when you need us.
By Adam Wisnieski

Key Takeaways:

  • CMMC 2.0 includes three tiers of cybersecurity validation, from self-assessments to government-led audits, based on contract sensitivity.
  • DoD contracts involving FCI or CUI now need minimum security controls before award, with POA&Ms allowed only in limited circumstances.
  • CMMC 2.0 introduces phased rollout deadlines starting November 2025, with requirements increasing from self-assessments to government-led audits over three years.

Here are answers to some frequently asked questions (FAQs) about the Cybersecurity Maturity Model Certification (CMMC) 2.0:

What is CMMC 2.0 and why is it important for your business?

CMMC 2.0 is the Department of Defense's (DoD) updated framework to verify cybersecurity across the Defense Industrial Base (DIB). It aligns closely with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800‑171 and is designed to protect controlled unclassified information (CUI) and federal contract information (FCI) from cyber threats.

CMMC 2.0 emphasizes accountability, streamlined levels, and a direct path to verification.


How are the CMMC 2.0 levels defined and assessed?

  • Level 1: Applies to FCI. Requires an annual self-assessment against the 15 basic safeguarding requirements of Federal Acquisition Regulation (FAR) 52.204-21, with the results and an annual affirmation by a senior company official posted in the Supplier Performance Risk System (SPRS). POA&Ms are not permitted at Level 1.
  • Level 2: Applies to CUI and requires all 110 security requirements of NIST SP 800-171 Rev. 2. A CMMC Level 2 Certification, assessed by a CMMC Third-Party Assessment Organization (C3PAO) every three years with an annual affirmation, is required for CUI categorized under the National Archives' CUI Registry Defense Organizational Index Grouping.
  • Level 2 self-assessments (also triennial, with an annual affirmation) are only allowable for CUI existing outside of the Defense Organizational Index Grouping, such as tax information, archaeological data, and other data types that are rare in the defense industrial base.
  • Level 3: Reserved for the most sensitive CUI and programs. Requires a current Level 2 Certification as a prerequisite, plus a government-led assessment by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years against 24 selected requirements from NIST SP 800-172.

Key implementation timeline: The CMMC program rule (32 CFR Part 170) went into effect on December 16, 2024. The companion acquisition rule (48 CFR, implemented through the DFARS) that actually places CMMC requirements into solicitations and contracts takes effect November 10, 2025, which is when the phased rollout begins.

Which contracts require CMMC 2.0 compliance?

CMMC 2.0 applies to nearly all DoD contracts where contractors or subcontractors process, store, or transmit FCI or CUI. This includes businesses of all sizes within the DIB: prime contractors, subcontractors, and service providers (including managed and cloud service providers whose systems touch that information) alike.

Can your business receive a contract without full compliance?

In some situations, yes. At Levels 2 and 3, a conditional CMMC status is possible when the assessment scores at least 80% (for Level 2, at least 88 of the 110 requirements) and only lower-weighted requirements remain open. Those open items go on a plan of action and milestones (POA&M) that must be closed out and verified within 180 days, or the conditional status lapses. Requirements weighted 3 or 5 points under the DoD assessment methodology generally cannot be deferred (FIPS-validated encryption, SC.L2-3.13.11, is the narrow exception, and only where encryption is already in place), and no POA&Ms are permitted at Level 1. Whether a conditional status is acceptable for a particular award depends on the terms of your contract and the sensitivity of the information involved.

When will CMMC 2.0 go into effect?

CMMC 2.0 has been codified in the Federal Register and will be available for inclusion within DoD contracts starting November 10, 2025.

The department plans to roll out the program's three-tier model in four phases over the next three years:

  • Phase 1 begins on November 10, 2025. At that point, solicitations will require CMMC Level 1 or Level 2 self-assessments (where applicable); the DoD may, at its discretion, include Level 2 certification requirements in some Phase 1 solicitations.
  • Phase 2, 12 months later, adds CMMC Level 2 third-party (C3PAO) certification requirements to solicitations (where applicable); the DoD may defer the requirement to a contract option period instead of award.
  • Phase 3, another 12 months after that, adds CMMC Level 3 assessments, conducted by the Defense Contract Management Agency's DIBCAC (where applicable).
  • Phase 4, 12 months after Phase 3, is full implementation: CMMC requirements apply to all applicable solicitations and contracts, including option periods on contracts awarded earlier.

Some DoD agencies are already including CMMC-like requirements in pilot programs and RFPs — meaning the sooner you start preparing, the better.

Do subcontractors need to follow CMMC too?

Yes. If your subcontractors handle FCI or CUI, they must meet the CMMC level appropriate to the information they actually receive: a subcontractor that receives only FCI needs Level 1, even under a Level 2 prime contract, while one that receives CUI needs the Level 2 status the prime's contract specifies. Prime contractors are responsible for confirming subcontractor compliance before flowing down work, and noncompliance anywhere in your supply chain could put your own eligibility at risk.

How can your business prepare now for CMMC 2.0?

Here's a practical roadmap for readiness:

  1. Map where FCI and CUI exist in your systems and operations, and define the assessment scope accordingly
  2. Determine the applicable CMMC level based on contract language and the sensitivity of the information
  3. Perform a readiness assessment against the NIST SP 800-171 requirements and calculate your SPRS score
  4. Develop documentation such as the system security plan (SSP) and any POA&Ms
  5. Address technical gaps and improve process controls
  6. Train employees on CUI handling, phishing prevention, and cyber hygiene
  7. Coordinate with subcontractors to confirm their readiness at the level they need

MGO's Role in Supporting Your CMMC 2.0 Readiness

MGO works with companies across the DIB to support their CMMC 2.0 readiness journey. We provide clear, efficient guidance to help you meet DoD expectations — without overbuilding your environment or overextending your resources.

Our CMMC readiness services include:

  • Maturity level scoping and gap assessments
  • NIST SP 800-171 alignment
  • POA&M and SSP development
  • Security policy documentation
  • Cybersecurity training
  • Subcontractor readiness support

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
