Back in January 2020, the Department of Defense (DoD) introduced the first version of the Cybersecurity Maturity Model Certification, better known as CMMC, a unified cybersecurity standard for companies in the defense industrial base (DIB). A lot has changed since then. The framework has been simplified, the enforcement rules have been finalized, and as of today, CMMC is no longer a future requirement companies can plan around eventually. It’s an active condition of winning and keeping DoD contracts.

Before CMMC existed, contractors were responsible for assessing their own cybersecurity against NIST Special Publication 800-171 and self-attesting that they met it, with no requirement to prove it. That self-certification model allowed companies with real security gaps to continue holding defense contracts, which contributed to breaches, disruptions, and theft of intellectual property across the defense supply chain. CMMC was built to close that gap by requiring independent verification.

How CMMC 2.0 differs from the original self-certification model

The core shift from the old self-certification approach is verification: for most Level 2 contracts involving Controlled Unclassified Information (CUI), a company must now be assessed by an accredited Certified Third-Party Assessment Organization (C3PAO), not just attest to its own compliance. Once granted, certification is valid for three years, though an annual affirmation from a senior company official is required in the years between assessments to confirm controls are still in place.

CMMC 2.0, finalized under the DoD’s 32 CFR Part 170 rule in late 2024, also simplified the framework considerably. The original version used five maturity levels. CMMC 2.0 condenses that down to three, and reintroduces limited flexibility, such as Plans of Action and Milestones (POA&Ms) for select gaps, that the original version didn’t allow.

CMMC 2.0 uses three levels to fairly certify defense contractors of all sizes

CMMC is designed to scale with the sensitivity of the information a contractor handles, not with the size of the company. A small precision machine shop and a large manufacturing facility can face very different requirements depending on what data flows through their systems, and CMMC’s three levels are built to reflect that:

  • Level 1 (Foundational): 15 basic cyber hygiene practices, for companies that handle only Federal Contract Information (FCI). Verified through an annual self-assessment.
  • Level 2 (Advanced): 110 practices aligned to NIST SP 800-171 Rev. 2, for the large majority of contractors that handle CUI. Most Level 2 contracts require a C3PAO third-party assessment; a smaller subset involving less critical CUI may qualify for self-assessment.
  • Level 3 (Expert): Level 2’s 110 practices plus 24 additional controls from NIST SP 800-172, reserved for the most sensitive programs and highest-value targets for nation-state threats. Assessed directly by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a government body, rather than a C3PAO.

Your specific DoD contract will specify which level applies based on the sensitivity of the information involved. That requirement flows down the supply chain too: if a prime contractor shares CUI with you as a subcontractor, the corresponding CMMC level applies to you regardless of your company’s size.

CMMC controls build a cybersecurity foundation that scales with your risk

Each level builds on the one before it, so the practices required at Level 1 form the foundation for Level 2, and Level 2 forms the foundation for Level 3. The intent is to let organizations invest in security proportional to the risk of the information they actually handle, rather than applying a single, one-size-fits-all bar to every contractor regardless of role. The open questions for most companies at this point aren’t about the framework’s design. They’re about which level applies to your specific contracts, and where your organization currently stands against it.

The CMMC phased rollout is underway now, not pending

The DoD’s CMMC Acquisition Rule (48 CFR, implemented through DFARS clause 252.204-7021) took effect on November 10, 2025, formally beginning a four-phase rollout:

  • Phase 1 (November 10, 2025 – November 9, 2026): Level 1 and Level 2 self-assessment requirements are now appearing in new DoD solicitations. The DoD retains discretion to require Level 2 C3PAO certification earlier for high-priority contracts.
  • Phase 2 (begins November 10, 2026): Level 2 C3PAO third-party certification becomes required for most contracts involving CUI, replacing self-assessment as the default path.
  • Phase 3 (begins November 10, 2027): Level 3 DIBCAC-led assessments are introduced for the most sensitive programs, and Level 2 C3PAO certification extends to contract option periods.
  • Phase 4 (begins November 10, 2028): Full implementation across all applicable DoD contracts and option periods.

The practical timeline matters here more than the phase labels do. Most organizations need 6 to 12 months to move from a standing start to assessment-ready, and fewer than 100 organizations nationwide are currently authorized to perform C3PAO assessments, against a DoD estimate of roughly 80,000 companies that will eventually need Level 2 certification. That gap between demand and assessor capacity means scheduling delays are already a real risk for companies that wait until a contract deadline forces the issue.

How ADNET can help

It’s worth being clear about what ADNET does and doesn’t do here. ADNET does not perform your formal CMMC gap assessment, write your System Security Plan, or conduct your certification assessment. That readiness and assessment-preparation work is handled by our compliance partner, Cyber74, and certification itself can only be issued by an accredited C3PAO.

What ADNET does is operate the New Charter Trust Enclave, a secured, segmented environment built to support the technical controls CMMC Level 2 requires, and deliver the managed IT and security services, including a certified help desk, access management, patching, and security monitoring, that keep your environment compliant every day, not just on the day of your assessment. Cyber74 gets you to a certification-ready state. ADNET is what keeps you there through your next reassessment.

If you’re not yet sure which CMMC level applies to your business, or where your current environment stands against it, talk to a CMMC expert at ADNET. We’ll help you understand your specific requirements and connect you with the right resources to get, and stay, compliant.