Important Update: What CMMC 2.0 Means for Your DoD/DoW Contracts

If your company works with the Department of Defense (DoD/DoW) or subcontracts under a prime, you need a clear understanding of the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework: what it requires, when it becomes enforceable, how much it might cost, and how long it takes to comply.

1. What is CMMC 2.0 and Why It Matters

CMMC 2.0 is the DoD/DoW’s cybersecurity certification program that ensures contractors and subcontractors who process, store, or transmit Controlled Unclassified Information (CUI) meet defined cybersecurity standards. It will become a condition of award for many DoD/DoW contracts.

Many companies don’t know whether they have received CUI from the DoD/DoW or another Federal agency in the course of their contracts. Common examples include:

  • Technical drawings & blueprints
  • Engineering schematics
  • Maintenance manuals
  • Financial or proprietary data provided by the DoD/DoW

Older documents labeled “For Official Use Only (FOUO)” can also be considered CUI. If your organization handles CUI and the solicitation includes a CMMC clause, you must meet the required level of certification to be eligible for that contract.

2. Rollout and Implementation Timeline

Here are the key milestones:

  • Final Rule Published: September 10, 2025
  • Effective Date / Phase 1 Begins: November 10, 2025 – contracting officers will start including CMMC clauses in new contracts, requiring at least self-assessments.
  • Phase 2 Begins: November 10, 2026 – third-party certifications become mandatory for Level 2 contracts.
  • Phases 3 and 4: Expected between 2027 and 2028 – full implementation for all applicable contracts.

3. Ballpark Costs and Timelines for Compliance

Estimated Costs (based on DoD/DoW and industry data):

  • Level 1 (Self-Assessment): Typically, a few thousand dollars in readiness and process updates.
  • Level 2 (Third-Party Certification): Common range between $50,000 and $180,000+ in the first year, with small firms budgeting around $100,000–$200,000.
  • Level 3: Costs can exceed $140,000–$375,000+ due to more extensive requirements.

Estimated Timelines to Prepare Environment for Audit:

  • Level 1 (Self-Assessment): 3–6 months if you already meet most of the basic safeguarding requirements of FAR 52.204-21 (a subset of NIST SP 800-171).
  • Level 2 (Third-Party Certification): 6–18 months depending on readiness and complexity.

It is not realistic to wait until a solicitation is released to start preparing. Remediation and assessment both take time.

4. Next Steps to Prepare

  1. Conduct a gap assessment to determine where you stand versus the required controls.
  2. Define your CUI scope to identify which systems, people, and processes handle CUI, so the assessment boundary is as small as it can safely be.
  3. Develop a roadmap with priorities, timelines, and budgets.
  4. Engage an experienced compliance consultant early to avoid last-minute delays.
  5. Review upcoming contracts for CMMC clauses and plan accordingly.
  6. Plan for ongoing maintenance costs such as monitoring, training, and annual attestations.


At WingSwept, we help DoD/DoW contractors assess, plan, and achieve CMMC compliance efficiently. Our experts guide you through readiness assessments, remediation, and certification support so you can protect your contracts and your data.

Schedule a 15-minute consultation to discuss your path to compliance.