EXECUTIVE BRIEF
The final Cybersecurity Maturity Model Certification (CMMC) rule is now in effect, providing clarity and actionable requirements for businesses across the Defense Industrial Base (DIB). From managing Controlled Unclassified Information (CUI) to understanding certification levels, here’s what small-to-medium-sized defense contractors must know to stay compliant, safeguard sensitive information systems, and remain competitive under the CMMC program.
The CMMC final rule establishes a mandatory framework for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The U.S. Department of Defense (DoD) published the proposed rule on December 26, 2023, and the final program rule has since been published in the Federal Register. The rule enforces cybersecurity requirements derived from NIST (National Institute of Standards and Technology) SP 800-171. Codified in the Code of Federal Regulations (32 CFR part 170, the program rule) and in the Defense Federal Acquisition Regulation Supplement (DFARS, the 48 CFR acquisition rule), the CMMC 2.0 framework features three certification levels with a phased implementation running from November 2025 to November 2028.
CMMC rulemaking is officially final, and CMMC 2.0 is now being implemented across the DIB. With mandatory assessments and a phased rollout, contractors need a clear plan to comply. DoD solicitations and contracts will begin including CMMC requirements on November 10, 2025, with full implementation by November 2028.
CMMC 2.0 is the streamlined version of the original framework, designed to simplify compliance while maintaining robust security. It features three certification levels:
Why does this matter to you? There are two Level 2 statuses: Level 2 (Self) and Level 2 (C3PAO). The flow-down rule works as follows. If your prime contractor is required to hold Level 2 (C3PAO) or Level 3 (DIBCAC), every subcontractor that processes, stores, or transmits CUI under that contract must hold at least Level 2 (C3PAO) as well. If the prime is only required to hold Level 2 (Self), subcontractors handling CUI need at least Level 2 (Self). In other words, a self-assessment will not satisfy a C3PAO requirement inherited from your prime.
Rule subsection: 32 CFR §170.23 (flow-down requirements)
How does this impact you? CMMC certification is now a condition of contract award. The DoD considers SMB compliance paramount to national security because, by the DoD's estimate cited here, 73% of the DIB consists of small-to-medium-sized contractors. While the upfront investment may seem significant, compliance preserves eligibility for lucrative DoD contracts, protects national security, and secures your business's future.
To help offset the costs, many SMB contractors plan to bake the CMMC-associated costs into their proposals.
Keep in mind: Contractors must conduct a CMMC Level 1 self-assessment and report the results in DoD's Supplier Performance Risk System (SPRS) before the award of a contract or subcontract that requires Level 1. The same applies to Level 2 (Self): the self-assessment score must be posted in SPRS before award.
What you need to know about POA&Ms: CMMC Levels 2 and 3 do allow Plans of Action and Milestones (POA&Ms), but only as the basis for a conditional certification status; Level 1 does not permit a POA&M at all. Every requirement scored as "not met" is recorded in the POA&M. Conditional status is better than failing your assessment, but it is not something you should aim for. Conditional status requires you to remediate every item on the POA&M and pass a POA&M closeout assessment within 180 days of the conditional status being posted; otherwise the conditional status expires.
Additionally, not every requirement may be placed on your POA&M. For Level 2, you must score at least 88 of 110 (0.8 of the total), and only "less critical" requirements (those worth 1 point in the SPRS scoring methodology) may be deferred. No 3- or 5-point requirement may be on the POA&M, with one exception: SC.L2-3.13.11 (CUI encryption) may be deferred if encryption is in use but not yet FIPS-validated. Five 1-point requirements are also excluded from the POA&M: AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5.
When should you schedule your assessment? It is better to be early than late. However, make sure you allot enough time to address any deficiencies and prepare for the assessment. Our advice is to begin with a self-assessment and gap analysis, estimate how long your remediation and preparation efforts will take, and schedule your assessment with some cushion. A good starting point is the CMMC Readiness Signal, a free resource from ISI that helps you determine your current compliance posture.
Why does early preparation matter? CMMC Third-Party Assessment Organizations (C3PAOs) play a pivotal role in verifying compliance, and their capacity is limited, so early scheduling is key to ensuring readiness. Defense contractors need to adapt to the CMMC program rule proactively. Early planning ensures:
ISI Insight: SMBs should allocate 9–12 months for preparation, depending on their current CMMC status. ISI offers security controls and expert-managed services to streamline this process.
Why does this matter to you? The final rule does not require External Service Providers (ESPs), including Cloud Service Providers (CSPs), to be CMMC-certified. Note, however, that a CSP that processes, stores, or transmits CUI on your behalf must still meet FedRAMP Moderate (or the DoD's FedRAMP Moderate equivalency requirements) under DFARS 252.204-7012, and any ESP that handles your CUI or security protection data falls within your assessment scope. Working with non-certified ESPs therefore broadens your scope, which will likely increase the cost of your assessment because of the added risk and unpredictability.
On the other hand, choosing a CMMC-certified managed IT provider simplifies your scope and poses less risk. With fewer assets and a predictable environment, your assessment will likely take less time and, in turn, cost less.
Achieving CMMC certification isn't just about meeting cybersecurity requirements; it's about gaining a competitive edge. Non-compliance can result in lost contracts and reputational damage, and a false affirmation of compliance exposes a contractor to liability under the False Claims Act.
ISI brings 15+ years of experience in cybersecurity compliance and has supported over 900 contractors. Our tailored services include:
By integrating solutions across the supply chain, ISI helps clients meet the demands of CMMC assessments, mitigate risks, and gain a competitive edge.
Did you know? ISI has completed over 180 NIST SP 800-171 gap assessments and supported 900+ contractors in their compliance journeys. Our security control platform reduces administrative burden by automating compliance processes.
Learn how ISI can support your organization during its compliance journey.
The final CMMC 48 CFR rule activates the government's three-year phased rollout, which begins on November 10, 2025. Phase 1 (from November 10, 2025) focuses largely on Level 1 and Level 2 self-assessments, although the DoD may include Level 2 (C3PAO) requirements in certain contracts during this period. Phase 2 (from November 10, 2026) adds Level 2 (C3PAO) requirements broadly, Phase 3 (from November 10, 2027) adds Level 3 (DIBCAC), and Phase 4 (from November 10, 2028) applies CMMC requirements to all applicable solicitations and contracts. To avoid losing lucrative defense contracts, it is in your best interest to become CMMC compliant as early as possible.
There are two quick ways to determine if your organization handles CUI:
When you are ready to schedule your assessment, use the Cyber AB Marketplace at CyberAB.org to find the list of authorized CMMC Third-Party Assessment Organizations (C3PAOs) who can conduct your assessment. We strongly encourage our customers to interview at least three C3PAOs before choosing one.
Yes, even if you are a non-possessing facility. CMMC certification is a contractual obligation that reaches contractors mainly through flow-down requirements in DFARS clauses 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021.
Use CyberAB.org to locate authorized C3PAOs, and interview several before selecting the best partner for your organization.
The CMMC final rule requires contractors to submit an annual affirmation of their cybersecurity status in SPRS. This declaration confirms that the company holds the required CMMC level and continues to meet all of its security requirements. Annual affirmation lets the DoD monitor and enforce accountability by ensuring contractors maintain their cybersecurity measures throughout the contract period. The affirmation must be submitted by the organization's affirming official, a senior-level representative responsible for ensuring compliance, as part of the company's ongoing obligations under the CMMC program rule. Failure to submit causes the certification status to lapse, which jeopardizes eligibility for DoD contracts; a knowingly false affirmation can trigger liability under the False Claims Act.