CMMC 2.0 Implementation Begins for Defense Contractors
Severity: Medium (Score: 42.0)
Sources: Industrialcyber.Co, Aws.Amazon, Streetinsider
Summary
The Department of War has initiated the phased rollout of Cybersecurity Maturity Model Certification (CMMC) 2.0 requirements, starting with select contracts on November 10, 2025. This rollout follows the finalization of federal regulations, including the 32 CFR CMMC Final Rule and the 48 CFR rule, which integrate CMMC into the Defense Federal Acquisition Regulation Supplement. All contracts involving Federal Contract Information and Controlled Unclassified Information will now require cybersecurity assessments. Contractors must achieve certification before contract awards, shifting the compliance landscape significantly. Prime contractors are responsible for ensuring their subcontractors meet CMMC levels, creating cascading compliance requirements. The full implementation of CMMC 2.0 is expected by fiscal year 2028, emphasizing ongoing maintenance of cybersecurity practices through continuous monitoring. Organizations are advised to conduct gap analyses and develop compliance strategies to meet the new requirements.
Key Points:
- CMMC 2.0 requirements are now being rolled out for defense contractors.
- All contracts with Federal Contract Information and Controlled Unclassified Information require cybersecurity assessments.
- Full implementation of CMMC 2.0 is expected by fiscal year 2028.
Key Entities
- Aerospace (industry)
- Defense (industry)
- Government (industry)
- Healthcare (industry)
- Higher Education (industry)
- Education (company)
- AWS (company)
- Azure (company)