
CMMC 2.0: what DoD’s cybersecurity rules mean for small contractors

WinAContract Team · May 30, 2026 · 7 min read

For years, defense contractors self-attested their cybersecurity and everyone pretended that worked. CMMC — the Cybersecurity Maturity Model Certification — ends that era: compliance is becoming a condition of award across the defense industrial base, phasing into solicitations from November 2025 onward. If DoD or its primes are in your plan, this is now part of your cost of doing business.

The three levels, in practice

  • Level 1 — for Federal Contract Information (FCI): 15 basic safeguards, annual self-assessment with an executive affirmation.
  • Level 2 — for Controlled Unclassified Information (CUI): the 110 controls of NIST SP 800-171; most contracts handling CUI require a third-party (C3PAO) assessment, valid for three years.
  • Level 3 — for the most sensitive programs: additional controls, government-led assessment. A small minority of contractors.

The rollout reality

Requirements are phasing into new DoD solicitations over roughly a three-year schedule, contract by contract — and primes are pushing flow-down demands to subcontractors ahead of the official timeline, because their own awards depend on the supply chain being clean. “We will deal with it when it shows up in an RFP” means discovering the requirement when it is too late to certify.

CMMC rollout timeline

  1. 32 CFR program rule — effective Dec 2024
  2. 48 CFR acquisition rule — effective Nov 10, 2025
  3. Phase 1 — from Nov 2025: Level 1 and Level 2 self-assessments
  4. Phases 2–4 — to ~Nov 2028: C3PAO certifications and Level 3

Phases begin roughly one year apart. Source: DoD 48 CFR final rule, Sep 2025.

ℹ️ Know what data you touch

Your level is set by the information in your environment, not your size. A machine shop receiving controlled drawings handles CUI (Level 2). A landscaping firm invoicing a base likely touches only FCI (Level 1). Classify your data flows first — it is the whole game.

A sane path for a small firm

  1. Scope ruthlessly: shrink where CUI lives (an enclave or compliant cloud workspace) so you certify a small environment, not your whole company.
  2. Run a NIST 800-171 self-assessment, post your score in SPRS, and burn down the gaps with a POA&M.
  3. Budget realistically — small-business Level 2 programs commonly run into five figures with ongoing upkeep — and treat it as overhead recovered in your rates.
  4. If Level 2 is your market, book the C3PAO early; assessment capacity tightens as deadlines bite.
