With the Department of Defense (DoD) rolling out important details of CMMC 2.0 over the coming months and years, 2025 marks a pivotal moment in cybersecurity compliance for federally affiliated businesses. Understanding recent rulemaking and the phased rollout timeline is critical, not just to maintain eligibility for DoD contracts, but to gain a strategic edge in cybersecurity. Here’s what you need to know and do.
The final rule for CMMC 2.0 (32 CFR Part 170) officially took effect on December 16, 2024. This rule authorizes certified third-party assessment organizations (C3PAOs) to begin conducting official CMMC assessments. However, contractual enforcement of certification requirements will begin only once a corresponding DFARS clause is implemented, expected in early to mid-2025. Once in place, this clause will allow the DoD to begin requiring CMMC certifications in certain solicitations throughout the year.
To ease the transition, the DoD is rolling out CMMC 2.0 in four distinct phases over the next three years:
Phase 1 (mid-to-late 2025): Contractors subject to Level 1 or Level 2 must complete and submit self-assessments through the Supplier Performance Risk System (SPRS) to be eligible for award.
Phase 2 (2026): Level 2 contractors handling Controlled Unclassified Information (CUI) will require third-party assessments conducted by C3PAOs.
Phase 3 (2027): All Level 2 contractors will be fully subject to CMMC mandates. Level 3 requirements will begin to appear in new contract solicitations.
Phase 4 (2028): CMMC 2.0 will be fully enforced. Contractors not certified at the required level will be ineligible to compete for new DoD contracts.
The DoD has also introduced new pilot initiatives to streamline compliance. These pilots show that using cloud service providers (CSPs) and managed service providers (MSPs) can allow organizations to meet 80–90% of Level 2 controls via shared services, often at significantly reduced cost. In one pilot, a small business achieved full Level 2 compliance in just nine weeks for around $32,000, or $1,300 per user. A dedicated marketplace of qualified CSP/MSP partners is expected by late 2025, helping organizations accelerate adoption through pre-vetted solutions.
CMMC 2.0 retains its three-tiered structure:
Level 1: Basic cybersecurity hygiene for organizations handling Federal Contract Information (FCI); requires an annual self-assessment.
Level 2: Advanced security for CUI environments; currently allows self-assessments but will require third-party assessments every three years starting in 2026.
Level 3: Reserved for contractors handling the most sensitive CUI; will involve triennial government-led assessments.
Importantly, Plans of Action and Milestones (POA&Ms) are now restricted. They are prohibited entirely at Level 1 and allowed only for non-critical controls at Levels 2 and 3, reinforcing the need to close key security gaps before assessment.
The impact on contract eligibility is clear and immediate. Without appropriate self-assessment submissions or third-party certifications, organizations will be disqualified from bidding on contracts that require CMMC. Prime contractors will also be responsible for ensuring their subcontractors meet the necessary certification levels. Additionally, organizations must submit annual affirmations via SPRS to maintain their certification status—failure to do so will result in expiration and a loss of eligibility.
To prepare for these changes, organizations should act now. Recommended next steps include:
Determine your required CMMC level based on whether you handle FCI, CUI, or both.
Map your data environment to identify where sensitive information resides and how it flows.
Conduct a gap analysis comparing your current security posture to the relevant CMMC requirements.
Explore shared service options with CSPs and MSPs to quickly implement compliant controls.
Begin annual self-assessments and submit results to SPRS.
Engage with a C3PAO for a pre-assessment or readiness review.
Establish internal compliance workflows to ensure annual affirmations and documentation updates are maintained.
The benefits of early action are significant. By getting ahead of certification deadlines, organizations can secure uninterrupted contract eligibility, avoid last-minute disruptions, and build a resilient cybersecurity posture that serves both compliance and operational goals. Proactive contractors will also be better positioned to strengthen supply chain relationships and serve as trusted partners within the defense industrial base (DIB).
Prescott is here to help guide that process. Our advisors specialize in CMMC 2.0 readiness, offering tailored assessments, documentation support (including SSP and POA&M development), SPRS submission guidance, and advisory services for subcontractor alignment. We also partner with proven Managed Service Providers (MSPs) to deliver cost-effective pathways to CMMC certification. Whether you are a small business pursuing Level 1 or a prime preparing for a Level 2 audit, Prescott’s expert team helps reduce uncertainty and streamline your path to compliance.
CMMC 2.0 is no longer optional or hypothetical; it is active, evolving, and increasingly tied to business continuity in the federal contracting space. The decisions organizations make in 2025 will determine their place in the defense supply chain for years to come.
Contact Prescott today to build your tailored roadmap to CMMC 2.0 certification:
https://www.prescott.us/contact-us