June 10, 2025

Last Updated on June 10, 2025

As the US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) 2.0 program grinds on towards full implementation, it becomes increasingly challenging for defense industrial base (DIB) contractors to sort through all the outdated, superseded, and conflicting information. 

Based on frequently asked questions from our client base, this article shares the latest and most relevant CMMC updates you need to stay on track for compliance and certification.

Could Trump’s deregulation push derail CMMC 2.0?

While deregulation introduces uncertainty into CMMC's implementation timeline, the program's central importance to national security should buffer it from significant changes or outright cancellation. Along with other cybersecurity initiatives, CMMC has enjoyed wide bipartisan support and was introduced during Trump's first administration. Further, it aligns with the contractual cybersecurity obligations in DFARS 252.204-7012 that defense suppliers have been required to meet since 2016 and have been self-attesting to in SPRS since late 2020.

The overall CMMC 2.0 program rule (32 CFR) has been published. However, the DFARS 252.204-7021 clause that puts CMMC language into government contracts is still in process and could be subject to review.

But while the CMMC 2.0 rollout may be delayed, DIB orgs should not put off preparations for CMMC compliance. CMMC is a comprehensive standard and many defense SMBs acknowledge that they need one to two years or more to achieve CMMC Level 2 certification. 

What is the current CMMC rollout schedule?

CMMC 2.0 will be implemented in contracts when the DFARS 7021 clause is finalized, and following a 60-day waiting period after publication of the final 48 CFR rule in the Federal Register.

From there, CMMC clauses will be included in new DoD contracts as part of a three-year phased rollout process:

  • Phase 1—Beginning on the effective date of the 48 CFR rule, the DoD will begin requiring CMMC Level 1 and CMMC Level 2 self-assessments for specific contracts. This includes an up-to-date score in the DoD’s Supplier Performance Risk System (SPRS) database along with an affirmation from a senior leader that your score is accurate.
  • Phase 2—Beginning one year after Phase 1, the DoD will begin requiring CMMC Level 2 certification based on third-party assessments.
  • Phase 3—Beginning one year after Phase 2, the DoD will begin requiring CMMC Level 3 certification for specific contracts requiring higher security.
  • Phase 4—Beginning one year after Phase 3, CMMC requirements will be in full force across all DoD contracts.

Can we bid on DoD contracts if we’re not CMMC certified yet?

As of now (April 2025), the Title 48 CFR rulemaking required to update contract requirements in the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the CMMC 2.0 program is not yet complete. Therefore, CMMC 2.0 compliance requirements cannot yet appear in DoD contracts, and CMMC certification is not yet a prerequisite for bidding. 

Prior to finalizing the 48 CFR rule, no CMMC clauses can appear in contracts, including existing contracts. Nor is there a mechanism for CMMC requirements to be applied retroactively. 

But once CMMC 2.0 requirements start appearing in contracts, contractors need to have the required CMMC certification or a self-assessed compliance attestation with executive affirmation in SPRS. Once under contract, DIB orgs must maintain their CMMC certification and compliance for the life of the contract. 

Can we still get CMMC certified early?

The CMMC 2.0 final rule went into effect on December 16, 2024, which allowed the DoD to make official CMMC assessments and certifications available to DIB orgs through certified third-party assessor organizations (C3PAOs). 

Companies can now get CMMC certified at CMMC Level 2 in advance of future contract requirements. CMMC Level 1 requires self-assessment only. CMMC Level 3 certification can be performed on request by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) with CMMC Level 2 certification by a C3PAO as a prerequisite.

Some of the benefits of early CMMC certification include:

  • Differentiation from competitors that are not yet CMMC certified
  • Peace of mind for prime contractors looking for partners
  • Peace of mind for stakeholders looking for proof that your organization can protect CUI and other sensitive data
  • Enhanced cybersecurity and compliance/governance to reduce business risk

What is the latest on CMMC Level 2 self-assessments?

As of February 28, 2025, DIB orgs can enter CMMC Level 2 self-assessment data in SPRS, similar to the NIST 800-171 compliance self-attestation process.

Should your business conduct a CMMC Level 2 self-assessment and share the results with the DoD? This could make sense for either or both of two reasons:

  • You want to demonstrate a robust cybersecurity posture and the ability to protect CUI to support competitive opportunities ahead of CMMC contract obligations and your upcoming CMMC Level 2 audit with a C3PAO.
  • Yours is one of a small minority of companies that qualify for a CMMC Level 2 self-assessment as a path to CMMC Level 2 certification, and you want to get the jump on your certification. 

Many DIB contractors that handle CUI would benefit from a CMMC Level 2 self-assessment to identify and proactively address compliance gaps and cybersecurity weaknesses, with an SPRS entry being optional. Your SPRS score is a pivotal factor in the DoD's view of your cybersecurity posture and must be accurate to avoid legal sanctions such as False Claims Act prosecution.

The CMMC Level 2 Assessment Guide offers guidance on how to conduct a self-assessment. You’ll need to assess cyber risks and scope your CUI environment prior to self-assessment.

Who can self-attest their way to CMMC Level 2 certification? Only those few companies that do not handle controlled technical information (CTI) or any other form of defense CUI. 

Firms that can use self-assessment to achieve CMMC Level 2 certification need to self-assess every three years and enter the results in SPRS. An affirmation by a senior company officer of your SPRS score’s correctness is required annually. 

What is the latest on getting CMMC certified with POA&Ms?

Under CMMC 2.0, Plans of Action & Milestones (POA&Ms) are acceptable on a limited basis for CMMC Level 2 certification, but must be closed out within 180 days to transition from conditional to final certification; if they are not, the conditional certification expires. The DoD requires full compliance with all 110 NIST SP 800-171 controls for final CMMC Level 2 certification, apart from any enduring exceptions the DoD has formally approved.

To be eligible for conditional CMMC Level 2 certification with POA&Ms, these conditions apply:

  • Your total compliance score in SPRS must be at least 88 out of 110 (80 percent of the 110 requirements).
  • POA&Ms can apply only to controls worth 1 point. You cannot attain certification if any of your POA&Ms relate to "high importance" controls that are assigned 3 or 5 points in SPRS. The one exception is SC.L2-3.13.11 (CUI encryption), which may be placed on a POA&M if it is scored at 1 or 3 points (encryption is in use but not FIPS-validated), but not at 5.
  • A handful of 1-point requirements are also barred from POA&Ms under 32 CFR 170.21: AC.L2-3.1.20 (external connections), AC.L2-3.1.22 (control public information), and the physical-access requirements PE.L2-3.10.3, 3.10.4, and 3.10.5.
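The eligibility test above is easy to get wrong by looking at the score alone. The following Python snippet is an added worked example (not code from the original article or from the DoD) that computes a NIST SP 800-171 DoD Assessment Methodology score from a list of "not met" requirements and then applies the conditional-certification rules. Point values per requirement are supplied by the caller; the authoritative weights live in Annex A of the DoD Assessment Methodology, which the snippet does not reproduce. The findings dictionaries in `main()` are constructed for illustration, and the `hyp-N` identifiers are hypothetical placeholders.

```python
# Added worked example: SPRS score and conditional CMMC Level 2 eligibility.
# Assumptions: caller supplies the point value (1, 3 or 5) deducted for each
# NOT MET requirement, keyed by its NIST SP 800-171 Rev. 2 number (e.g. "3.5.3").

MAX_SCORE = 110          # one requirement each; all met = 110
MIN_SCORE = 88           # 32 CFR 170.21: score / 110 >= 0.8  ->  0.8 * 110 = 88

# 1-point requirements that 32 CFR 170.21 still bars from a POA&M.
NEVER_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
# CUI encryption may be POA&Med only at 1 or 3 points (encryption present but
# not FIPS-validated), never at 5 (no encryption at all).
FIPS_REQ = "3.13.11"


def sprs_score(findings):
    """findings: {requirement_id: points_deducted} for every NOT MET requirement."""
    return MAX_SCORE - sum(findings.values())


def poam_blockers(findings):
    """Requirement IDs that cannot be placed on a POA&M for a conditional cert."""
    blockers = []
    for req, pts in findings.items():
        if req in NEVER_POAM:
            blockers.append(req)              # barred regardless of weight
        elif req == FIPS_REQ:
            if pts >= 5:
                blockers.append(req)          # no encryption: not POA&M-able
        elif pts > 1:
            blockers.append(req)              # 3- and 5-point requirements
    return sorted(blockers)


def classify(findings):
    """Return score, blockers and the certification outcome the findings support."""
    score = sprs_score(findings)
    blockers = poam_blockers(findings)
    if not findings:
        status = "final"                      # all 110 met: final certification
    elif score >= MIN_SCORE and not blockers:
        status = "conditional"                # 180 days to close the POA&M
    else:
        status = "not eligible"
    return {"score": score, "blockers": blockers, "status": status}


def main():
    scenarios = {
        # Constructed: non-FIPS crypto (3 pts) plus two 1-point gaps.
        "ready":   {"3.13.11": 3, "3.4.8": 1, "3.11.3": 1},
        # Constructed: score is fine (103) but MFA is a 5-point gap and
        # 3.1.20 is on the never-POA&M list, so the score alone misleads.
        "blocked": {"3.5.3": 5, "3.1.20": 1, "3.13.16": 1},
        # Constructed: 23 hypothetical 1-point gaps -> 87, below the 88 floor.
        "too_low": {f"hyp-{i}": 1 for i in range(23)},
        "perfect": {},
    }
    for name, findings in scenarios.items():
        result = classify(findings)
        print(f"{name:8s} score={result['score']:3d} status={result['status']:13s} "
              f"blockers={result['blockers']}")


if __name__ == "__main__":
    main()
```

Run it once with your own gap-assessment output as the findings dictionary; the `blockers` list tells you which gaps must be fully remediated before the C3PAO assessment rather than deferred to a POA&M.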

Does our MSSP need to participate in our CMMC Level 2 assessment?

Managed service providers (MSPs) and managed security service providers (MSSPs) that process, store, or transmit CUI on your behalf are in scope for your CMMC assessment at whatever level your contracts require (Level 2 or Level 3). The final rule does not force them to hold their own certification, but the services they deliver must still meet the requirements.

If an MSP or MSSP that is not CMMC certified works with a DIB org seeking CMMC Level 2 or Level 3 certification, the service provider's in-scope services are assessed as part of the client's assessment, and the provider must take part.

This creates a conundrum for MSPs/MSSPs with DIB customers. Should they:

  • Obtain their own CMMC certification.
  • Remain uncertified and participate in all their clients’ assessments.

For many service providers with multiple DIB clients, getting CMMC certified once can be more cost- and resource-effective than participating in multiple individual CMMC assessments.

Adding to the potential complexity of MSP/MSSP certification and participation in CMMC assessments is the flowdown of compliance requirements from your service providers to their service providers. If an MSP/MSSP outsources services to another vendor, such as a cloud service provider or help desk provider, that company may also need to take part in assessments if they are not CMMC certified at the required level. Cloud service providers that store or process CUI are a special case: under DFARS 252.204-7012 they must meet the FedRAMP Moderate baseline or its equivalent, independent of CMMC.

Making sure you have identified and covered any such issues in your CMMC environment, notably the potential need to replace noncompliant vendors, is a major reason not to delay your CMMC certification journey. 

Do we need to post a CMMC Level 1 self-assessment in SPRS?

As of now (April 2025), the DoD’s SPRS system is prompting all DIB orgs to conduct a CMMC Level 1 self-assessment. Here’s why:

  • With a very few exceptions pertaining to off-the-shelf items, all entities that do business with the US government handle federal contract information (FCI) and must comply with the FAR 52.204-21 clause to demonstrate they can protect the FCI on their systems. 
  • Defense suppliers participating in DoD contracts must now abide by CMMC, which requires them to self-assess their in-scope CMMC environment against FAR 52.204-21 annually and report the results in SPRS, with an affirmation from a senior official. 
  • FAR 52.204-21 specifies 15 basic safeguarding requirements; CMMC Level 1 assesses those same 15 requirements against 59 assessment objectives drawn from NIST SP 800-171A (the 17-practice count comes from the earlier CMMC 1.0 model).

While FAR 52.204-21 is included in all US government contracts and flowdowns, the DoD is the first and so far the only agency to require compliance verification. The CMMC program gives the DoD a methodology to enforce accountability.

Note that no CMMC certification is awarded for CMMC Level 1 compliance. A DIB org can only be compliant or noncompliant at CMMC Level 1, whether you self-assess or base your SPRS score on a third-party assessment.

What is the latest on CMMC Level 3 certification?

On January 17, 2025, the DoD issued new guidance on how it will determine what CMMC level should apply to a given contract. Regarding CMMC Level 3 (Expert), the DoD seeks to “avoid overuse of the CMMC Level 3 requirement” and has emphasized that very few contracts will require CMMC Level 3 certification.

According to the DoD, one of these three situations may indicate the need for CMMC Level 3:

  • The contractor will receive CUI associated with a breakthrough, unique, and/or advanced technology.
  • The contract involves aggregating an unusually large amount of CUI in a single IT system or environment.
  • An attack on a single IT system or environment would result in widespread vulnerability across the defense supply chain. 

If your company participates in contracts involving R&D on new and sensitive defense technology and/or collects large amounts of CUI for contract performance purposes, it is advisable to proactively check in with contracting officials about the need for a CMMC Level 3 certification. 

At CMMC Level 3, an organization must meet all the CMMC Level 1 and Level 2 requirements, plus implement the 24 NIST 800-172 controls. Organizations seeking a CMMC Level 3 certification will also face a two-phase assessment process. After passing a CMMC Level 2 certification with a C3PAO, a DIBCAC team will conduct a CMMC Level 3 assessment.  

When will the CMMC requirements match NIST 800-171 Revision 3? 

The current CMMC 2.0 rulemaking (specifically 32 CFR) revolves around NIST 800-171 Revision 2. Therefore, to update the CMMC requirements to NIST 800-171 Revision 3, the DoD will need another round of rulemaking in the future. 

In the meantime, the DoD has issued a class deviation to the DFARS 252.204-7012 clause so that contractors remain bound to NIST 800-171 Rev. 2, and CMMC assessments continue against Rev. 2, until the Rev. 3 rulemaking is complete. This is intended to give DIB orgs, C3PAOs, and the DoD itself sufficient time to make a planned transition to the NIST 800-171 Rev. 3 controls.

What should we do now to prepare for CMMC 2.0 compliance?

Here are some key steps that will be part of every DIB org’s CMMC Level 2 roadmap:

  • Analyze your projected DoD business and current contracts to identify your desired CMMC level.
  • Identify your CMMC environment scope based on how CUI flows in and out of your systems.
  • Communicate flowdown requirements to your critical vendors and gauge their CMMC compliance status. SPRS scores are visible to the government, not to other contractors, so ask each vendor to share its current score, assessment date, and affirmation status directly.
  • Conduct a gap assessment.
  • Prioritize and remediate vulnerabilities and other issues based on your gap assessment.
  • Document your cybersecurity policies and procedures (e.g., system security plan, incident response plan, risk management plan)
  • Begin building a compliance reporting/governance program so you can demonstrate compliance to third-party auditors and validate your self-attested score in SPRS.
  • Partner with a C3PAO and schedule your third-party CMMC Level 2 certification assessment.
  • Undergo your CMMC audit and address any findings/POA&Ms to achieve final CMMC certification.

What’s next?

To start a conversation with a CMMC expert on optimizing your CMMC 2.0 compliance roadmap, contact CBIZ Pivot Point Security