CMMC 2.0 Rulemaking Progress
The Department of Defense (DoD) published the final CMMC 2.0 rule in the Federal Register on October 15, 2024. It became effective on December 16, 2024, formally launching the DoD’s revamped approach to cybersecurity maturity certification.
However, full enforcement is pending a second critical step: the finalization of the Title 48 Defense Federal Acquisition Regulation Supplement (DFARS) rule. As of May 2025, this DFARS rule is still under review, with publication expected in mid to late 2025. Once finalized, it will begin the formal inclusion of CMMC language in new DoD contract solicitations (DoD CIO).
Updated Implementation Timeline
The DoD will roll out CMMC 2.0 requirements in four phases, beginning 60 days after the Title 48 DFARS rule is finalized:
- Phase 1 (Expected Mid/Late 2025): Annual self-assessments will be required for CMMC Levels 1 and 2 contractors before award of new contracts. These must be submitted to the Supplier Performance Risk System (SPRS).
- Phase 2 (2026): Third-party assessments become mandatory for Level 2 contractors handling Controlled Unclassified Information (CUI), conducted by certified C3PAOs (Cyber AB).
- Phase 3 (2027): Level 2 certification becomes required for contract renewals and option periods. Level 3 requirements will begin to appear in high-security solicitations.
- Phase 4 (2028): Full enforcement of all CMMC 2.0 requirements. Contractors without appropriate certification levels will be ineligible to compete for new DoD contracts.
At MathCraft Security Technologies, we encourage Facility Security Officers (FSOs) and compliance managers to prepare ahead of these phases, rather than wait for contract language to mandate action.
CMMC 2.0 Assessment Requirements by Level
While the three maturity levels remain intact under CMMC 2.0, the updated model offers greater clarity on how assessments are conducted:
- Level 1 (Foundational): Requires annual self-assessments against 17 basic safeguarding practices. Must be submitted in SPRS. No third-party review is required.
- Level 2 (Advanced): Aligns with all 110 security requirements in NIST SP 800-171 Rev. 3.
  - If handling CUI: Triennial third-party assessment required.
  - If not handling CUI: Annual self-assessment permitted during early rollout but will transition to third-party audits in later phases (Wiley Law).
- Level 3 (Expert): Applies to critical national security programs and aligns with NIST SP 800-172. Requires a DoD-led triennial assessment. This level is reserved for a small subset of defense contractors.
Note: Plans of Action and Milestones (POA&Ms) are not allowed for Level 1. For Levels 2 and 3, POA&Ms are permitted under certain conditions, but high-priority controls (such as multifactor authentication and endpoint protection) must be fully implemented before contract award.
What This Means for Contractors
With the final rule already in effect and enforcement on the horizon, all defense contractors need to act now:
- Self-assessments will become a gatekeeping requirement for new contracts.
- Third-party audits will be mandatory for Level 2 contractors handling CUI.
- Government-led reviews will become the norm for high-level security work.
- Contract language will increasingly reference CMMC compliance as a prerequisite (Morgan Lewis).
At MathCraft, we recommend preparing for compliance as part of your core security operations—not as a last-minute checkbox activity.

What FSOs and Compliance Teams Should Do Now
Here’s how to prepare for compliance before CMMC requirements become fully enforceable:
- Conduct a Gap Analysis: Compare your current security posture against NIST 800-171 (for Level 2) or 800-172 (for Level 3) to identify weaknesses.
- Complete a Self-Assessment: For Levels 1 and 2, document your controls and upload your assessment into SPRS. This is your baseline for contract eligibility.
- Get Ready for Third-Party Certification: Level 2 contractors handling CUI must plan for a C3PAO audit in 2026 or earlier, depending on DFARS timing.
- Train Your Team: Ensure all personnel with access to FCI or CUI are trained in cybersecurity awareness and secure handling practices.
- Monitor Contract Updates: Keep an eye on DFARS changes to ensure you’re not caught off guard by contract clauses that require immediate compliance.
Want to simplify this process? Our Access Commander software was designed to help FSOs manage secure facility operations while meeting evolving federal requirements.
What’s next…?
CMMC 2.0 is no longer theoretical—it’s here, and enforcement is rapidly approaching. With the Title 48 DFARS rule likely to be finalized by late 2025, the countdown has already begun.
Contractors must take proactive steps now to secure their future eligibility. Whether you need a platform to manage personnel vetting, compliance checklists, or secure access workflows, MathCraft is here to help.
For more updates on CMMC 2.0, facility security guidance, and federal compliance best practices, read our MathCraft Industrial Security News blog or reach out to our team.