Beginning on Nov. 10, 2025, the U.S. Department of Defense (DoD) will enact a new set of cybersecurity standards for contractors and subcontractors.
With the arrival of CMMC 2.0, the DoD is taking steps to transform compliance from a manual, point-in-time practice to an always-on cycle of constantly-improving security, while raising the bar for assessment to demonstrate that systems are aligned with the high standards of national security.
While this step is critical for cybersecurity, it will require contractors to become familiar with a new set of requirements. Although it has been years in the making and will be formally rolled out over three years, the DoD sent a clear signal by publishing the final rule in September 2025. Now is the time to assess contracts, systems, and processes to achieve compliance.
With that in mind, let’s take a closer look at CMMC, and what it means for DoD compliance.
The Cybersecurity Maturity Model Certification (CMMC) was first enacted in 2019 as a means to safeguard sensitive military data in contractor environments, while protecting the defense industrial base from cyber attacks of growing volume and sophistication.
Building on the initial version, CMMC 2.0 ushers in a new framework for all contractors and subcontractors that store and interact with Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).
CMMC 2.0 will rapidly reset the norms of DoD cybersecurity. Let’s take a look at what’s new:
Chief among the changes from the initial version of CMMC is a shift from five levels of protection to three. Each level has the answers to two questions built into it:
These levels incorporate familiar standards, but will require a review by any contractor. The new levels are as follows:
Satisfying these requirements will leave contractors with a number of tasks to achieve compliance. Fortunately, however, determining which level applies will not be their job: CMMC levels will be spelled out in contracts. This makes achieving the required CMMC level a condition of receiving a contract. In other words, cybersecurity is literally mission-critical.
CMMC 2.0 was not developed overnight. In fact, it was years in the making. So it’s fitting that the new rule will not be implemented all at once, either.
CMMC 2.0 will be rolled out in four phases over four years. Here’s a look at what to expect in each phase:
Phase 1: Beginning on November 10, 2025, CMMC Level 1 and Level 2 self-assessment will be required for specific contracts.
Phase 2: Beginning on November 10, 2026, CMMC Level 2 third-party certification will be required in applicable contracts.
Phase 3: Beginning on November 10, 2027, Level 3 will be required for specific contracts.
Phase 4: As of November 10, 2028, all DoD contracts must include CMMC requirements.
Looking to make sense of how CMMC 2.0 will impact complex IT infrastructure? Don’t start with the new levels and phases.
Rather, it’s important to focus on how this constant cycle of standards and assessments adds up.
To meet the requirements and bolster cybersecurity in the process, the defense industrial base must move toward a new mode that trades in manual tasks and irregular assessments for a dynamic cycle of compliance that is embedded into operations.
Through continuous compliance, organizations can introduce a new set of building blocks to stay ahead of assessments and threats, and spend less time satisfying contract requirements in the process.
The foundations of continuous compliance include:
Tailoring controls to your CMMC level, your contract, and your environment.
Continuous monitoring to find issues, including configuration drift and missed patches.
Enforcement to fix issues, and keep them fixed.
Assessment and validation to provide required evidence of compliance.
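To make the monitor, enforce, and validate cycle concrete, here is an added illustration (example code written for this article, not Sicura's product code or an official CMMC tool): a baseline of required settings is compared against the observed state of a host, drift is corrected, and an evidence record is produced for every check so an assessor can see what was found, what was fixed, and when. The observed state is constructed sample data, and the pairing of each setting with a CMMC practice identifier is an assumption made for illustration.

```python
"""Minimal continuous-compliance loop: monitor -> enforce -> validate.

Added example, not Sicura's code. Baseline values, the observed sample state,
and the mapping of settings to CMMC practice ids are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed baseline: required setting per (assumed) practice id.
BASELINE = {
    "AC.L1-3.1.1/ssh_root_login": "no",
    "SC.L2-3.13.8/tls_min_version": "1.2",
    "SI.L1-3.14.1/patch_level": "2025-11",
}


@dataclass
class Finding:
    """One evidence record: what was required, what was seen, whether it was fixed."""
    control: str
    expected: str
    observed: str
    remediated: bool
    checked_at: str


def detect_drift(baseline, observed):
    """Return {control: (expected, observed)} for every setting that differs
    from or is missing in the observed state (a missing patch level counts)."""
    return {c: (v, observed.get(c)) for c, v in baseline.items() if observed.get(c) != v}


def remediate(observed, drift):
    """Reset drifted settings to their baseline values; returns the corrected state."""
    fixed = dict(observed)
    for control, (expected, _) in drift.items():
        fixed[control] = expected
    return fixed


def run_cycle(baseline, observed, now=None):
    """Run one pass of the cycle and return (new_state, evidence).

    Validation re-checks the corrected state; a cycle that leaves drift behind
    is treated as a failure rather than silently recorded as compliant.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    drift = detect_drift(baseline, observed)
    new_state = remediate(observed, drift)
    if detect_drift(baseline, new_state):
        raise RuntimeError("drift remains after remediation")
    evidence = [
        Finding(
            control=control,
            expected=expected,
            observed=str(observed.get(control)),
            remediated=control in drift,
            checked_at=ts,
        )
        for control, expected in baseline.items()
    ]
    return new_state, evidence


# Constructed observed state: one drifted setting and one missed patch.
SAMPLE_OBSERVED = {
    "AC.L1-3.1.1/ssh_root_login": "yes",  # drifted from baseline
    "SC.L2-3.13.8/tls_min_version": "1.2",
    # "SI.L1-3.14.1/patch_level" absent: the patch was never applied
}

if __name__ == "__main__":
    state, evidence = run_cycle(BASELINE, SAMPLE_OBSERVED)
    for f in evidence:
        print(f"{f.control}: expected={f.expected} observed={f.observed} "
              f"remediated={f.remediated} at={f.checked_at}")
```

The point of the design is that the same loop that fixes a setting also writes the evidence for it, so "keeping it fixed" and "proving it is fixed" are one operation rather than a scan followed by a separate audit exercise.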
To implement continuous compliance, organizations will need tools and processes that are built for the pace of technology, and the high standards of national security.
Security Control Management encompasses the tools that automate compliance across every phase of a system’s lifecycle, ensuring the infrastructure deployed to protect and defend America is secure by design.
Security Control Management includes:
A policy-first approach, featuring security policies that are customized and dynamically updated over time.
Automated remediation that goes beyond scanning and mapping to fix issues when they arise.
Seamless integration with engineering workflows such as DevSecOps and GRC tools.
Flexible deployment across on-prem, hybrid, and airgapped environments.
Today, infrastructure compliance is plagued by fragmentation and time-consuming workarounds. CMMC 2.0 presents an opportunity to bring long-overdue change that makes the entire defense industrial base safer in the process.
Want to learn more about Security Control Management for CMMC 2.0? Book a demo with Sicura today.