What Is CMMC and Who Needs to Comply?
- Max Heinemann
- Nov 19
A 2025 Guide for Defense Contractors and Suppliers
CMMC is now fully in effect. As of November 10, 2025, the Cybersecurity Maturity Model Certification is active within the Department of Defense contracting ecosystem, and organizations across the Defense Industrial Base are expected to meet the required level of compliance. For companies that handle Federal Contract Information or Controlled Unclassified Information, this shift marks the beginning of a new standard for cybersecurity accountability.
If your organization works directly with the Department of Defense or supports those who do, understanding what CMMC requires is essential. The program is no longer a future rule to prepare for. It is a live requirement that affects manufacturers, integrators, software companies, staffing firms, and any business connected to the defense supply chain.
Understanding CMMC in a Post-Launch Environment
CMMC was developed to strengthen the protection of sensitive defense information and reduce the frequency of successful cyberattacks targeting the Defense Industrial Base. The framework establishes three maturity levels that reflect the sensitivity of the data an organization handles.
Level 1 focuses on basic safeguarding for Federal Contract Information and allows companies to self-assess. Level 2 applies to organizations that handle Controlled Unclassified Information and requires either a third-party assessment or a government-led assessment depending on the contract. Level 3 is reserved for programs with the highest sensitivity and is assessed only by the government. If your business processes or stores Controlled Unclassified Information, you are almost certainly expected to meet Level 2 requirements.
The launch of CMMC 2.0 brought clarity and alignment. The program now reflects existing federal standards rather than introducing new or unique CMMC controls. It also aligns closely with NIST SP 800-171, which forms the backbone of Level 2 requirements. The most important change now, however, is enforcement. Contracting officers can include CMMC requirements directly in solicitations and awards, and contractors must complete the necessary assessment before they can be selected.
How CMMC Relates to NIST 800-171
Many organizations already follow NIST SP 800-171, especially those that have supported defense contracts for several years. NIST SP 800-171 defines the security requirements for protecting Controlled Unclassified Information, but CMMC is the mechanism that verifies those requirements are actually met. Following NIST SP 800-171 alone is no longer enough. Without the required CMMC assessment, an organization is considered non-compliant even if its controls appear to align with the NIST standard.
Who Must Comply Now That CMMC Is Active
Any business that bids on or holds Department of Defense contracts, handles Controlled Unclassified Information or Federal Contract Information, or supports a prime contractor is now expected to meet the appropriate CMMC level. This includes subcontractors that may not interact with the government directly. Many prime contractors are already requiring CMMC readiness from their vendors, since the responsibility for safeguarding sensitive information extends throughout the supply chain. Companies that delay compliance may find themselves excluded from new opportunities or removed from teaming arrangements.
The Risks of Non-Compliance
The consequences of not being CMMC compliant are immediate now that enforcement has begun. Organizations risk losing eligibility for new contracts, losing subcontracting opportunities, and facing the possibility of termination for non-performance. There is also greater potential for financial and legal exposure if a breach occurs and the organization cannot demonstrate compliance. Beyond the contractual risks, there is reputational damage to consider. Prime contractors will increasingly expect their partners to demonstrate readiness, and companies that cannot do so may find themselves replaced by competitors who have invested in compliance.
Moving Forward
CMMC has shifted from a regulatory concept to a practical requirement. Defense contractors and suppliers that take early action will be better positioned for renewals, recompetes, and new opportunities as compliance language appears in more solicitations.
Cyberleaf works with organizations of all sizes to complete readiness assessments, map controls to NIST SP 800-171, identify and close gaps, organize documentation, and prepare for third-party assessments. Our team can help you understand your current standing and develop a clear path to certification.
If you want clarity on where you stand now that CMMC has officially launched, you can schedule a readiness consultation with Cyberleaf’s professional services team.
