Is CMMC 2.0 Here?

  • Writer: KY APEX Accelerator
  • Sep 3
  • 2 min read

Eric Byrd, Senior Procurement Consultant, Kentucky APEX Accelerator

This article was originally published in our monthly Kentucky APEX Accelerator Newsletter. If you have any questions about this topic, your regional procurement consultant is here to help! Not a client? Sign up here.


The Cybersecurity Maturity Model Certification (CMMC) is no longer a future requirement. It is here, and it is about to impact federal contractors in a major way. This certification has been a hot topic in the defense industrial base for many years. There have been many updates to the implementation of the cybersecurity requirements for contractors in the defense industrial base.


While CMMC may seem new to some, it has been evolving since 2019. Implementation has followed a phased approach over the last several years, and some contracts have already required cybersecurity self-assessments. Those self-assessments were scored against the requirements of NIST SP 800-171 Revision 2.


In October 2024, the U.S. Department of Defense published the final rule (32 CFR Part 170) establishing the framework for CMMC 2.0. Under this rule, self-assessments will still be accepted for CMMC Level 1, which covers Federal Contract Information (FCI). For companies at CMMC Level 2, an assessment by a Certified Third-Party Assessor Organization (C3PAO) will likely be required. This requirement will apply to any federal contractor that receives, handles or submits Controlled Unclassified Information (CUI).


Where does CMMC policy stand today? On July 22, 2025, the Department of Defense officially sent the final 48 CFR rule to the Office of Information and Regulatory Affairs (OIRA) for review. OIRA typically reviews for approximately 60 days before the final rule is issued. This paves the way for CMMC 2.0 to appear in contracts as early as October 1, 2025.


As a federal contractor, you may ask, “What does the 48 CFR rule mean for me?”


This rule allows Defense agencies to add the DFARS 252.204-7021 clause into contracts. It also allows contracting officers to include CMMC 2.0 language in solicitations. Furthermore, certification issued by a C3PAO could be required before receiving an award as early as Q4 2025. The U.S. Army Corps of Engineers (USACE) has already provided an updated public notice in the System for Award Management (SAM) regarding CMMC implementation.


What are the possible risks of not being compliant with CMMC? At a minimum, you could be ineligible for certain future contracts, which can limit your company's revenue stream. That is not the worst-case scenario, however. Recent news headlines have featured a False Claims Act lawsuit by the Department of Justice that resulted in $1.75 million in penalties against a small defense contractor for negligence in its cybersecurity compliance.


Do not let this be an overwhelming process to understand. If you are unsure about your cybersecurity compliance status, do not wait until it costs you contracts. Contact the Kentucky APEX Accelerator today to prepare your compliance journey and protect future opportunities for your business. You can email us at kyapex@kstc.com or visit our website at www.kyapex.com to request support.

380 South Mill Street Suite 300

Lexington, KY 40508

kyapex@kstc.com

859.251.6019

An initiative of KSTC

This APEX Accelerator is funded in part through a cooperative agreement with the Department of Defense.