CMMC 2.0 Updates: Timeline, Deadlines, Requirements Summary & When CMMC Is Required
12 Nov
Estimated reading time: 12 minutes
Key Takeaways
- The Department of Defense has streamlined cybersecurity requirements into three CMMC 2.0 levels
- Level 1 uses annual self-assessments; Level 2 includes NIST SP 800-171 controls; Level 3 adds NIST SP 800-172 enhancements
- A phased timeline spans from the 2021 NPRM publication to full implementation by November 10, 2026
- Major compliance actions include gap analysis, System Security Plan, POA&M, and selecting a C3PAO for required assessments
- DFARS clauses 252.204-7021 and 252.204-7022 specify CMMC requirements in contract solicitations
What’s New in CMMC 2.0 Updates
The CMMC 2.0 updates address evolving cybersecurity threats and industry feedback by simplifying the framework while maintaining robust security requirements for defense contractors.
Simplified Level Structure
- CMMC 1.0 featured five levels; CMMC 2.0 consolidates into three tiers: Level 1 Foundational, Level 2 Advanced, Level 3 Expert
- This simplification makes it easier to map requirements to contract levels
Enhanced NIST Alignment
- Level 2 maps directly to NIST SP 800-171 (110 security controls)
- Level 3 adds enhanced controls from NIST SP 800-172 designed for high-impact CUI
- Eliminates CMMC-specific practices from version 1.0, leveraging existing NIST compliance work
Revised Assessment Approach
- Level 1: Annual self-assessment against 17 basic controls in FAR 52.204-21
- Level 2: Self-assessment with potential third-party review at DoD discretion
- Level 3: Mandatory third-party assessment by a C3PAO
Reduced Compliance Burden
- Eliminates CMMC 1.0 maturity processes
- Reduces number of certification levels
- Allows self-assessments for Level 1 and many Level 2 contractors
CMMC 2.0 Requirements Summary
A breakdown of requirements by level helps organizations determine their compliance obligations and prepare accordingly.
Level 1 (Foundational)
Scope: Applies to organizations handling Federal Contract Information (FCI).
Requirements:
- 17 basic cybersecurity practices from FAR 52.204-21
- Access control, identification and authentication, media protection, physical protection, system integrity, basic incident response
Assessment: Annual self-assessment with leadership affirmation.
Level 2 (Advanced)
Scope: Organizations that process, store, or transmit Controlled Unclassified Information (CUI).
Requirements:
- 110 security controls from NIST SP 800-171
- Multi-factor authentication, FIPS-validated encryption, vulnerability scanning, security awareness training, incident response planning
Assessment: Self-assessment with leadership affirmation; third-party assessment if DoD-directed.
Level 3 (Expert)
Scope: Organizations working with high-priority CUI on critical defense programs.
Requirements:
- All Level 2 controls plus 20+ enhanced controls from NIST SP 800-172
- Advanced threat hunting, penetration testing, specialized training, supply chain risk management
Assessment: Mandatory third-party assessment by a C3PAO.
CMMC 2.0 Timeline
The DoD has established a phased implementation approach spanning from NPRM publication through full rollout.
Key Milestone Dates
- November 30, 2021: NPRM published in the Federal Register introducing CMMC 2.0
- November 2023: Interim Rule effective; DoD began including CMMC 2.0 clauses
- FY 2023 - FY 2026: Phased rollout by acquisition waves
- November 10, 2025: Phase 1 begins; phased implementation of CMMC requirements starts, with self-assessments used for planning stages
- November 10, 2026: Phase 2 begins; where applicable, solicitations will require Level 2 certifications by a C3PAO
- November 10, 2027: Phase 3 begins; where applicable, solicitations will require Level 3 certifications by a C3PAO
- November 10, 2028: Phase 4 begins; all solicitations and contracts include the applicable CMMC level requirements as a condition of contract award
Implementation Phases
- Initial Implementation (2023-2024): CMMC clauses appear in select solicitations, self-assessments encouraged
- Expanded Implementation (2024-2025): Wider adoption in contracts, growth of third-party assessment capacity
- Full Implementation (2026+): CMMC in all applicable contracts, enforcement of assessment requirements
When Is CMMC Required?
CMMC applicability depends on contract type, information handling, and program criticality.
Contract Applicability
- Applies to DoD prime contractors and subcontractors handling FCI or CUI
- COTS providers exempt unless handling FCI/CUI
- Level 1 for FCI only; Level 2 for CUI; Level 3 for high-priority CUI
Contract Clauses
- DFARS 252.204-7021: CMMC Level 1 Requirements
- DFARS 252.204-7022: Expedited CMMC Level 2 Requirements
Program Criticality
- Major Platform and Capabilities (MPC) programs
- Acquisition Category I modernization programs
- Weapons systems, command and control, intelligence activities
CMMC Deadline
Deadlines vary by CMMC level and assessment type; awareness of key dates is critical for compliance planning.
Level 1 Deadline Requirements
- Self-assessment required upon contract award with CMMC clauses
- Annual affirmation via the Supplier Performance Risk System (SPRS)
- Assessments refreshed annually from submission date
Level 2 Deadline Requirements
- Self-assessment submission to SPRS by November 10, 2026
- Third-party assessment if specified in contract or after transition period
- Assessments refreshed every three years
Level 3 Deadline Requirements
- Mandatory third-party assessment by a C3PAO upon contract award
- No self-assessment option or transition period
- Assessments refreshed every three years
Preparing for Compliance
A structured approach ensures readiness for CMMC assessments and successful certification.
1. Conduct a Gap Analysis
- Compare current controls against target CMMC level requirements
- Document policy, procedure, and technical control gaps
2. Develop a System Security Plan (SSP)
- Define system boundary, architecture, and control implementations
- Assign roles, responsibilities, and document external service providers
3. Create a Plan of Action & Milestones (POA&M)
- Document gaps, assign owners, and set remediation timelines
- Track progress and update POA&M regularly
4. Implement Required Controls
- Deploy technical, administrative, and physical controls
- Maintain evidence for each implemented control
5. Select an Appropriate Assessor
- Choose a DoD-accredited C3PAO for third-party assessments
- Consider preliminary consultations to address potential challenges
- Refer to the CMMC-AB marketplace for approved assessors
6. Conduct Employee Training
- Provide security awareness and role-based training
- Perform phishing simulations and CUI handling exercises
7. Perform Pre-Assessment Testing
- Conduct mock assessments using the CMMC Assessment Guide
- Test controls through vulnerability assessments and penetration tests
8. Leverage DoD Resources
- Access SSP and POA&M templates, assessment guides, and reference architectures
- Find resources on the DoD CIO CMMC website
FAQ
Q: What are the three CMMC 2.0 levels?
A: Level 1 is Foundational, Level 2 is Advanced mapping to NIST SP 800-171, and Level 3 is Expert with additional NIST SP 800-172 controls.
Q: When does CMMC 2.0 become mandatory for contractors?
A: CMMC clauses began appearing in solicitations in late 2023, with full implementation required by November 10, 2026 for Level 2 self-assessments and immediate requirements for third-party assessments.
Q: How do I determine which CMMC level my organization needs?
A: Assess the type of information you handle: FCI only requires Level 1, CUI requires Level 2, and high-priority or sensitive programs require Level 3.
Q: What steps should small businesses take to prepare for CMMC 2.0?
A: Conduct a gap analysis, develop an SSP and POA&M, implement required controls, and, if needed, engage with a C3PAO for preliminary assessments.