Navigating the Evolving Landscape of CMMC Compliance: A Strategic Perspective
CMMC is no longer a future concern – it’s a present-day requirement. Learn about certification levels, phased readiness, and best practices to stay eligible for DoD contracts.
The Cybersecurity Maturity Model Certification (CMMC) is quickly becoming a core requirement for doing business with the U.S. Department of Defense (DoD). With the formalization of 32 CFR Part 170 and the anticipated finalization of 48 CFR updates around Labor Day 2025, CMMC is transitioning from a planning concern to a DoD procurement and compliance mandate.
As CMMC is integrated into DoD acquisition processes, contractors must demonstrate cybersecurity maturity not only to win new contracts but also to maintain eligibility for renewals, extensions, and options. This shift underscores the importance of a structured, proactive approach to compliance.
Understanding the Certification Framework
CMMC 2.0 is structured into three levels:
- Level 1: For organizations handling only Federal Contract Information (FCI); allows for annual self-assessment.
- Level 2: For organizations managing Controlled Unclassified Information (CUI); generally requires third-party assessment by a CMMC Third-Party Assessor Organization (C3PAO).
- Level 3: For organizations with higher-value assets or more sensitive missions; requires a government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) after completing a Level 2 certification conducted by a C3PAO.
Each level builds on the last. While Level 1 organizations may self-assess, most entities that store, process, transmit, or generate CUI will be required to undergo a formal Level 2 assessment by a C3PAO. A limited subset of procurements may permit a Level 2 self-assessment, but only where the DoD designates the contract as such based on the sensitivity of the CUI involved.
According to the 2025 GAUGE report, 20% of government contractors estimate that they are currently at CMMC Level 1, 31% said they estimate they are Level 2, and 11% said they estimate that they are Level 3.
Preparing for Certification: A Phased Approach
Achieving CMMC compliance is a multi-phase process, particularly for those targeting Level 2 certification. Common steps include:
- Confirming Scope and Boundary: Identify where CUI enters, flows, and resides. Map systems, data flows, and asset categories.
- System Security Plan (SSP): Create or update your SSP with clear documentation of all 110 controls and supporting evidence. This is the cornerstone of the CMMC process.
- Readiness Assessment: Engage a Registered Provider Organization (RPO) or a trained and certified internal expert to assess your current practices against the CMMC requirements.
- Remediation and Operationalization: Address technical, policy, and procedural gaps, ensuring controls are actively in place and documented.
- Formal Assessment: When ready, engage a C3PAO for a Level 2 assessment. Certification requires demonstrating both control implementation and evidence of regular operational use.
A typical readiness and certification timeline for a medium-sized contractor that has not yet started its CMMC journey is approximately 12 to 18 months, though the duration varies with organizational complexity and resource capacity.
Best Practices for CMMC Readiness and Certification
Several best practices emerged from the discussion that can help organizations streamline their path to compliance:
- Engage a Registered Provider Organization (RPO) Early
Organizations that bypass RPOs often miss critical elements of the compliance journey. RPOs bring trained professionals, proven methodologies, and templates that can accelerate readiness and reduce risk.
- Define and Document System Boundaries Thoroughly
Scoping must clearly identify the flow of CUI and the systems that touch it. Assets should be categorized into five types: CUI assets, security protection assets, contractor risk-managed assets, specialized assets, and out-of-scope assets.
- Keep the SSP Accurate and Up to Date
Assessors begin every engagement with your SSP. If it’s incomplete or inconsistent with observed controls, certification may fail before it begins.
- Ensure External Service Providers (ESP) Meet Compliance Requirements
Cloud service providers (CSPs) that store, process, or transmit CUI on your behalf must meet FedRAMP Moderate (or DoD-accepted equivalent) requirements. Other ESPs, such as Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs), do not need their own CMMC certification, but the services they deliver are assessed as part of your assessment, so their systems may be in scope depending on their interaction with CUI or their role as security protection assets. Capture the division of duties in a shared responsibility matrix so the assessor can see who implements each requirement.
- Demonstrate Continuous Monitoring
Controls must be actively in use. This includes vulnerability management, security incident response, log review, policy updates, and regular testing of safeguards.
- Build and Organize a Body of Evidence
A centralized repository, or assessment playbook, should include documented policies, procedures, logs, test results, and shared responsibility matrices when ESPs or CSPs are used. Clear evidence speeds the review process and supports scoring.
- Understand the Scoring System
Level 2 scoring starts at 110 points, and each unmet requirement deducts 1, 3, or 5 points according to its weight. Any unmet 3- or 5-point requirement results in failure. A conditional certification (minimum score of 88) is possible only when every unmet requirement is a 1-point item; those items go on a Plan of Action and Milestones (POA&M), and the organization then has 180 days to remediate them and complete a close-out assessment.
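The scoring rule above is easy to get wrong when planning remediation, because the 88-point floor and the "no 3- or 5-point misses" condition are independent gates. The following is an added illustration written for this article, not an official DoD or CohnReznick tool: it takes a constructed gap list (placeholder requirement labels, not real NIST SP 800-171 identifiers), computes the score and outcome under the rule as stated above, and works out the smallest set of gaps to close before the assessment so that the remainder can legitimately sit on a POA&M. The partial-credit exceptions that 32 CFR 170 grants to a few requirements are deliberately not modelled here.

```python
"""CMMC Level 2 scoring walk-through (illustrative example, not an official tool).

Assumptions, labelled because the article does not spell them out in code form:
- scoring starts at 110 and each unmet requirement deducts its full weight (1, 3 or 5);
- any unmet 3- or 5-point requirement fails the assessment outright;
- a score of 88 or more with only 1-point misses is a conditional pass, and the
  POA&M must be closed out within 180 days;
- requirement labels such as "REQ-042" are placeholders, not 800-171 identifiers.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110
CONDITIONAL_MIN = 88
HIGH_WEIGHTS = (3, 5)
CLOSEOUT_DAYS = 180


@dataclass(frozen=True)
class Outcome:
    score: int
    status: str                 # "PASS", "CONDITIONAL" or "FAIL"
    blocking: tuple[str, ...]   # unmet 3/5-point items; any one of these fails the assessment


def score_level2(unmet: dict[str, int]) -> Outcome:
    """Score a gap list: mapping of NOT MET requirement label -> point weight."""
    for cid, weight in unmet.items():
        if weight not in (1, 3, 5):
            raise ValueError(f"{cid}: weight must be 1, 3 or 5, got {weight}")
    total = MAX_SCORE - sum(unmet.values())
    blocking = tuple(sorted(c for c, w in unmet.items() if w in HIGH_WEIGHTS))
    if not unmet:
        status = "PASS"
    elif blocking or total < CONDITIONAL_MIN:
        status = "FAIL"
    else:
        status = "CONDITIONAL"
    return Outcome(total, status, blocking)


def must_fix_for_conditional(unmet: dict[str, int]) -> list[str]:
    """Smallest set of gaps to remediate before the assessment so the rest can go on a POA&M.

    Every 3/5-point item must be fixed; then 1-point items are added (alphabetically,
    for a deterministic answer) only until the projected score reaches 88.
    """
    fix = sorted(c for c, w in unmet.items() if w in HIGH_WEIGHTS)
    projected = MAX_SCORE - sum(unmet.values()) + sum(unmet[c] for c in fix)
    for cid in sorted(c for c, w in unmet.items() if w == 1):
        if projected >= CONDITIONAL_MIN:
            break
        fix.append(cid)
        projected += 1
    return fix


def poam_deadline(assessment_date: date) -> date:
    """Last day to complete the close-out assessment after a conditional result."""
    return assessment_date + timedelta(days=CLOSEOUT_DAYS)


# Constructed sample gap list (placeholder labels, invented weights for illustration).
SAMPLE_GAPS = {"REQ-007": 1, "REQ-019": 1, "REQ-042": 5, "REQ-058": 3, "REQ-061": 1}

if __name__ == "__main__":
    before = score_level2(SAMPLE_GAPS)
    print(f"as-is: score={before.score} status={before.status} blocking={before.blocking}")
    plan = must_fix_for_conditional(SAMPLE_GAPS)
    print("fix before assessment:", plan)
    after = score_level2({c: w for c, w in SAMPLE_GAPS.items() if c not in plan})
    print(f"after fixes: score={after.score} status={after.status}")
    print("POA&M close-out due:", poam_deadline(date(2025, 9, 1)))
```

Two things the example makes visible that the prose does not: a high score is no protection if a single 5-point item is open (the sample scores 99 yet fails), and a gap list made entirely of 1-point items can still fail once more than 22 of them are open.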
Funding & Support Opportunities
While implementation can be resource-intensive, particularly for small businesses, some states are offering grants to help defray costs. Maryland, Virginia, and Michigan have launched programs in collaboration with their departments of commerce. These are often capped and competitive, but they can provide relief for eligible businesses. Federally, proposed legislation to expand funding is under discussion but has not yet been enacted.
Looking Ahead
As of mid-2025, over 100 Level 2 certifications have been issued, with many more in progress. The forthcoming 48 CFR rule is expected to define a phased implementation schedule, clarifying when and how CMMC requirements will be enforced across new contracts and contract modifications.
Organizations that act now by assessing their readiness, engaging qualified partners, and aligning with the latest guidance will be better positioned to compete for DoD contracts and demonstrate their commitment to cybersecurity.
This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.