CMMC 2.0 in 2025: What Defense Contractors Are Doing Now
EXECUTIVE BRIEF
The Department of Defense (DoD) isn’t waiting, and neither are the defense contractors leading the way in readiness. In 2025, the Cybersecurity Maturity Model Certification (CMMC) moves from planning to enforcement.
- The final CMMC 2.0 program rule is in effect under Title 32 of the Code of Federal Regulations (32 CFR) Part 170. Its companion rule, 48 CFR, is currently under final review by the Office of Management and Budget (OMB). Once approved, contract clauses are expected to follow quickly.
- Contractors handling Controlled Unclassified Information (CUI) must align with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and prepare for third-party assessments.
- Proactive firms are conducting gap assessments, launching remediation projects, and narrowing environments to reduce audit scope and cost.
- Many are adopting artificial intelligence (AI)-powered tools to accelerate compliance using models like SecureBERT, CYLENS, and Security Copilot. These tools help automate evidence classification, identify gaps, and track remediation.
Want to see what forward-leaning contractors are doing to prepare? Dig deeper below.
Why 2025 Is a Critical Year for CMMC 2.0
The final CMMC 2.0 regulation (32 CFR Part 170) became effective in December 2024. The 48 CFR rule, currently under OMB review, will initiate contract-level enforcement by adding certification requirements as a condition of accepting award of new contracts. Most contractors handling CUI will require CMMC Level 2, which includes implementation of all 110 NIST SP 800-171 controls.
What Defense Contractors Are Doing Now
Mapping Compliance Objectives
Contractors identify the type of data they handle and confirm which maturity level will be required. For many, Level 2 will be the baseline.
Conducting Gap Assessments
Organizations are evaluating how their current security controls align with NIST SP 800-171. This assessment informs tool selection, project planning, and budget allocation.
Building Remediation Plans
Plans of Action and Milestones and System Security Plans are being developed or updated. Many teams are scheduling remediation over a 6 to 18-month timeline to align with contract demands.
Using AI to Accelerate Compliance
AI tools are helping teams reduce manual work and accelerate time-to-readiness:
- SecureBERT automates parsing of regulatory text and documentation.
- CYLENS identifies vulnerabilities and recommends remediation paths.
- Security Copilot (GPT-4 with Microsoft tools) summarizes incidents and manages compliance reporting.
- Conductor AI helps organize evidence and map it to relevant controls.
These tools enhance workflows and reduce overhead, particularly when used in tandem with structured compliance programs.
Scoping and Segmentation
Organizations are documenting CUI data flows and segmenting networks to minimize the in-scope environment. This approach helps reduce audit complexity and cost.
Preparing for Third-Party Assessments
Contractors are engaging CMMC Third-Party Assessment Organizations (C3PAOs) to confirm readiness. Teams are also aligning documentation and evidence with expected audit checkpoints.
Monitoring Flow-Downs and Regulatory Shifts
Prime contractors increasingly require subcontractors to demonstrate CMMC readiness. Suppliers are responding by working with Registered Provider Organizations, tracking Cybersecurity Accreditation Body updates, and proactively communicating their status.
2025 Timeline: What’s Coming
- Late 2025 (Projected): The 48 CFR rule is expected to be published and become effective immediately.
- 2026: Expanded C3PAO assessments and audit activity.
- 2027: CMMC Level 3 required for mission-critical programs.
- By 2028: All DoD solicitations will include a required CMMC level.
Why Contractors Can’t Wait
- Preparing for CMMC Level 2 takes time, tools, and internal training.
- C3PAO assessors are limited in number, and demand is growing.
- Early movers often stand out to primes and reduce delays during project onboarding.
- AI tools can improve efficiency but are most effective when implemented alongside a strategic plan.
AI is reshaping how defense contractors approach cybersecurity. However, it must be guided by clearly defined objectives and human oversight to ensure sustainable compliance.
Ready to accelerate your CMMC Level 2 readiness?
FAQs
What kind of assessment will most contractors need to prepare for?
If you handle CUI, you will almost certainly need a third-party assessment conducted by a C3PAO. The Level 2 (C3PAO) certification requirement will apply to roughly 95% of contractors seeking this maturity level.
What AI tools are safe to use in CMMC environments?
Use platforms hosted in environments that meet the Federal Risk and Authorization Management Program (FedRAMP) Moderate Authorized or equivalent standard. Make sure they provide clear data handling policies, access controls, and explainable outputs.
Do we need both an AI platform and a traditional governance, risk, and compliance (GRC) tool?
Many contractors benefit from using both. AI tools accelerate evidence collection and task tracking. GRC platforms help centralize documentation and demonstrate compliance. The right solution depends on your current environment and maturity level.
