Preparing for CMMC 2.0 Compliance
- Shomo Das

- Jan 18
Updated: Aug 30
After years of development, the Department of Defense (DoD) has officially launched the Cybersecurity Maturity Model Certification (CMMC) 2.0, a new framework designed to ensure cybersecurity across its supplier base.
In June 2024, DoD Deputy CIO for Cybersecurity, David McKeown, announced that CMMC 2.0 compliance would be mandatory starting in the first quarter of 2025. Some defense industrial base (DIB) companies have already encountered this requirement in recent requests for proposals.
As CMMC compliance becomes a critical requirement for federal contractors, businesses must begin preparations now to achieve certification. Proactively addressing compliance will help companies avoid scrambling when faced with a proposal including CMMC requirements or the need to provide affirmative attestations on existing contracts. More importantly, it will ensure they maintain a competitive edge in the industry.
The journey to compliance will vary depending on the required level and the assessments involved, but ample resources are available to guide organizations through the process, including those here at Das Technology Partners.

What Are the Different Levels of CMMC 2.0 and What Do They Mean?
All contractors working with the US government must adhere to specific regulations, but those handling sensitive information face even more stringent requirements. The Cybersecurity Maturity Model Certification (CMMC) aims to classify contractors based on the level of sensitivity of the data they manage.
CMMC certification has three levels, with Level 1 being the most basic.
According to Sanchez, "Level 2 will apply to the vast majority of DIB companies," and these organizations will have the most resources to comply, given the size of the market. Level 2, which affects around 80,000 organizations, mandates that companies establish a formal management plan to implement cyber hygiene practices to protect controlled unclassified information (CUI). This includes adhering to all NIST SP 800-171 r2 security requirements and processes.
Level 3, which applies to contractors handling the most sensitive, high-value information, impacts only about 600 companies.
"Smaller companies with limited resources will need strong, CMMC-fluent partners to help them achieve compliance," says Sanchez. "Fortunately, the Level 2 ecosystem is growing rapidly," with numerous solutions and partners emerging to assist companies in their CMMC compliance journey.
To determine where compliance support is needed, the DoD offers a self-assessment tool for DIB contractors. However, for Level 2 and higher compliance, companies must undergo a third-party certification process to verify their compliance level. This process may take several weeks, depending on the size of the organization, the volume of data, and the availability of staff to support the auditor.
The assessment results in a score indicating how well a contractor meets CMMC requirements. The higher the score, the better. As Sanchez explains, "At some point, you are your score. It will become a real differentiator for companies."
Steps to Take Now
"Looking ahead, CMMC will be the cornerstone for engaging with the government," says Sanchez. "This will necessitate a cultural shift in how many companies conduct business."
While the journey to compliance may seem daunting, Sanchez identifies four straightforward actions that DIB suppliers can take immediately:
Commit to the CMMC Journey – Achieving CMMC compliance requires a fundamental shift in mindset and is an ongoing process, not a one-time event. Organizations must embrace compliance as a long-term commitment and integrate it into both current and future business operations.
Conduct a Self-Assessment – Where are the gaps? Even if a company will eventually need a third-party validator for Level 2 compliance, using the DoD’s self-assessment tool can help identify key areas in need of support.
Identify Supportive Vendors – Building an in-house compliance team can be costly and may divert attention from the core business. Outsourcing to trusted vendors is a smart strategy for many suppliers. By creating a short list of potential partners now, companies can streamline the process when the time comes to implement compliance measures.
Standardize and Automate – Where feasible, transition to solutions that deliver consistent, predictable results. These solutions simplify compliance tasks, help maintain a secure environment, and ultimately reduce the cost of achieving and sustaining CMMC compliance.
As the CMMC 2.0 deadline nears, neglecting compliance becomes increasingly risky. Contractors that fail to meet the requirements may lose competitive opportunities. The silver lining, according to Sanchez, is that a growing ecosystem of resources and partners is ready to assist.
"CMMC is here, and companies that don't yet have it will need to act swiftly," says Sanchez. "Building strong partnerships with the right vendors will enable you to stay focused on your core mission while ensuring compliance."



