CMMC 2.0 Is Here: What DoD Suppliers Need to Know Now?

Sponsored

The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) is the organization’s way of assessing defense contractor compliance with existing information safeguarding requirements for federal contract information and controlled unclassified information (CUI). As the latest iteration, CMMC 2.0 streamlines the framework into three cybersecurity levels and aligns the requirements of each one with well-established National Institute of Standards and Technology (NIST) standards. However, applicable parties must familiarize themselves with a recent obligation.

What has changed with CMMC 2.0 enforcement in November? As of November 10, 2025, the Department of Defense began its phased implementation of CMMC requirements, with a focus on Level 1 and 2 self-assessments. What does this mean, and how should DoD suppliers prepare? To get those answers, you’ll hear from John Verry, Managing Director and Chief Information Security Officer of CBIZ Pivot Point Security. Since 2001, this company has provided B2B clients with a full range of cybersecurity assessments and guarantees results for its clients.

What Are the Advantages of Complying With CMMC 2.0?

“Achieving CMMC certification delivers substantial benefits beyond simply retaining existing Defense Industrial Base (DIB) contracts or qualifying for new ones.” DoD suppliers can enhance their security posture by following the CMMC, which is a comprehensive, risk-based cybersecurity framework. That benefit meaningfully reduces the likelihood and impact of security incidents across organizations.

CMMC compliance also delivers a reputational boost through increased market trust and competitive differentiation. Having a mature cybersecurity program attested by a third party strengthens your credibility with customers, partners and investors. You then have more opportunities to grow the business inside and beyond the DIB.

Who Must Follow CMMC Compliance Requirements?

All contractors within the DoD’s supply chain that handle CUI must abide by CMMC compliance requirements. A compliant organization must either self-assess or obtain third-party certification before bidding on DoD contracts.

CMMC 2.0 breaks compliance requirements into three levels. Level 1 (Foundational) indicates that a company can perform basic safeguarding of federal contract information, as outlined in NIST 800-171. Then, Level 2 (Advanced) indicates that the organization protects CUI by applying 110 security controls found in NIST 800-171. Level 3 (Expert) compliance requires meeting the prior two levels, along with additional requirements stipulated in NIST 800-172.

You may have heard more about CMMC 2.0 lately due to the phased compliance that began in November 2025. However, as Verry explains, CMMC 2.0 represents a return to the 2016 baseline. It has always required DIB contractors to implement NIST 800-171 when handling CUI.

The changes CMMC 2.0 introduces do not alter the security requirements themselves; rather, they formalize the process of compliance validation. This most notably occurs through the introduction of independent, third-party assessments of higher-risk contractors. These assessments are performed by a Certified Third Party Assessment Organization (C3PAO).

How Can Contractors Understand Compliance and Avoid Mistakes?

Many affected parties understandably want to know how to accelerate the CMMC certification process. According to Verry, many organizations get ahead of themselves and skip valuable steps, which can lead to problems down the line.

This happens because businesses “[often]...jump directly into a gap assessment against the 110 CMMC security controls. What they overlook is that these requirements apply only to CUI Assets.”

He continues, “If you haven’t defined these assets in your System Security Plan (SSP), you cannot meaningfully assess your control implementation, which is what your C3PAO auditor will do. Furthermore, without clearly identifying your Security Protection Assets, Contractor Risk Managed Assets and Specialized Assets, you cannot determine which requirements apply to each asset type.”

Here’s a closer look at each asset type covered under CMMC 2.0:

  • Controlled Unclassified Information Assets: Process, store or transmit CUI
  • Security Protection Assets: Provide security functions or capabilities within the contractor’s CMMC assessment scope, regardless of whether they process, store or transmit CUI
  • Contractor Risk Managed Assets: Have relevant policies, procedures and practices applied to them so they could process, store or transmit CUI, but do not
  • Specialized Assets: Include items such as government property, Internet of Things devices, operational technology assets and test equipment

Each category has specific obligations for contractors to meet and CMMC assessment requirements associated with them. Contractors must also document how they fulfill the requirements in their System Security Plans.

How Should Contractors Start Their CMMC Compliance Efforts?

Verry suggests a practical approach: rather than beginning with a control-by-control gap analysis, contractors should conduct a scoping exercise using the CMMC Scoping Guidance. Those documents appear on a dedicated DoD resources and documentation page, where relevant parties can access PDFs of the CMMC compliance requirements for each level.

He also clarified that the scoping exercise culminates in a well-structured SSP. Having that foundation helps contractors perform accurate and efficient gap assessments, as well as the necessary remediation efforts.

What Are the Most Common Challenges and Prevention Methods?

“Most organizations struggle with time, expertise or a combination of both,” John Verry explained. “[It is easier to hire] a consulting firm with proven expertise to guide you through the process, but that comes at an expense that isn’t within some organizations’ budgets.”

To overcome the challenges of implementing CMMC 2.0, he suggests, “[using] a combination of the CMMC Scoping Guide to inform scoping and NIST 800-171A to provide a thorough understanding” of how third-party auditors will assess the controls you implement. That approach will jump-start the CMMC compliance efforts.

He added, “There are great resources at the DoD Chief Information Officer’s CMMC Resources & Documentation and the Defense Logistics Agency’s Cybersecurity Resources for Vendors sites. Lastly, many Manufacturing Extension Partnerships have CMMC support programs.”

Organizations must also prioritize cybersecurity training for the workforce. He said, “Because humans represent both the largest attack surface and the most powerful detection and mitigation asset within any organization, employee training and awareness are critical and explicitly required elements of CMMC and all major cybersecurity frameworks.”

These efforts pay off because “a well-trained workforce reduces the likelihood of human error, improves consistent adherence to security controls and procedures, and enhances the ability to recognize, report and respond to threats in real time.”

Does CMMC Compliance Overlap With Other Cybersecurity Frameworks?

Many businesses already use cybersecurity frameworks like ISO 27001 or SOC 2. Fortunately, you can accelerate the CMMC certification process by identifying the characteristics it shares with the other frameworks you already use to run your business. Verry explains, “It’s entirely possible to align CMMC with other control frameworks by cross-mapping requirements, either manually or using tools such as the Secure Controls Framework.”

Entities already using ISO 27001 to inform their cybersecurity efforts are in a particularly favorable position. Verry clarifies, “this framework offers a unique advantage because it functions as both an Information Security Management System (ISMS) and a control framework. This makes it an ideal foundation for operating a single, unified cybersecurity program that can simultaneously address ISO 27001, CMMC, and any additional regulatory or contractual obligations.”

“ISO 27001 also provides the flexibility to consolidate artifacts across frameworks, reducing duplication and lowering the overall level of effort required to manage the program.” For example, “your CMMC System Security Plan (SSP) could serve as your ISO 27001 ISMS Scope Statement. You can also adopt the NIST SP 800-171 control set in place of Annex A, which enables you to maintain one consolidated set of NIST-aligned policies and a Statement of Applicability based on NIST 800-171.”

How Should DoD Suppliers Prepare for CMMC-Related Developments?

“Several significant changes are on the horizon for CMMC,” according to Verry. He considers the expected transition to NIST SP 800-171 Revision 3, which will likely occur in late 2026 or early 2027, the most notable of them.

He offers the following advice for organizations that want to stay ahead of the curve, “[Businesses] should begin familiarizing themselves with Revision 3’s shift to a threat-informed, NIST SP 800-53-aligned structure and the expanded use of Organization-Defined Parameters. Understanding these concepts now will make the eventual transition far smoother… Additionally, with the rapid rise of both artificial intelligence adoption and AI regulation, affected parties should reasonably anticipate that the DIB will soon face requirements or guidance governing the use of that technology, and that the requirements could align with the NIST AI Risk Management Framework.”

Getting Support With CMMC Compliance

Although affected DoD suppliers have many excellent resources, some may wish to seek professional guidance while working toward their CMMC requirements. CBIZ Pivot Point Security offers complementary cyber, technology and attestation services, enabling businesses to get everything from a single service provider.
