The DoD’s Cybersecurity Maturity Model Certification (CMMC) 2.0 requires defense contractors to meet stringent security requirements by early 2025. For a comprehensive overview of certification requirements and timelines, check out our CMMC deadline 2025 complete guide.
Panel Moderator: John Breeden, Fed Insider
CMMC 2.0 Webinar
Expert Panel
Dr. Alan Dinerman
Senior Manager for Cyber Strategy Policy and Privacy
Jeff Adorno
Field Chief Compliance Officer
Sean Fraser
Federal Chief Security Officer
Chad Koslow
CEO
Key CMMC Insights from Each Expert
Dr. Alan Dinerman, MITRE
Key points:
- Level 1: Annual self-assessment for FCI data only (15 security requirements)
- Level 2: Implementation of 110 cybersecurity requirements from NIST 800-171 with external C3PAO assessment every 3 years
- Level 3: Additional 24 requirements from NIST 800-172 with DIBCAC assessment
For organizations handling CUI data, our CMMC timeline implementation checklist provides a structured approach to meeting Level 2 requirements.
CMMC 2.0 establishes three levels of certification that align with escalating requirements for cybersecurity implementation based on the sensitivity of the data.
Jeff Adorno, Zscaler
CMMC is a hydra. There's a business perspective, there's a cybersecurity perspective, there's a legal contractual obligation.
Implementation recommendations:
- Use browser isolation to de-scope endpoints and reduce assessment boundaries
- Enable operational flexibility while maintaining security
- Consider AI usage risks in your security framework
- Implement seamless system interoperability between CMMC enclaves and business systems
Sean Fraizer, Okta
Critical focus areas:
- Know thy data: Understand where CUI/FCI resides and how it’s protected
- Focus on security fundamentals before audit preparation
- Consider phishing-resistant authentication (beyond SMS-based MFA)
- Leverage inheritance from FedRAMP-certified solutions for faster compliance
To implement phishing-resistant authentication, check out our CMMC compliance with Zero Trust.
Don't let the tail wag the dog. You don't do the audit to tell you what you're supposed to do from a security perspective. You do the security things, and the audit gives you the thumbs up.
Chad Koslow, Ridge IT Cyber
We've been supporting CMMC for five years since it's been in draft form. We signed some of our first DIB customers five years ago, and we're working inside the DoD implementing Zero Trust controls for multiple DoD branches.
Implementation insights:
- Start documenting evidence early in your compliance journey
- Expect cultural resistance to new security controls
- Begin with Version 1 processes and improve iteratively
- Leverage DoD-approved technologies for easier assessment
Not sure where to start? Our guide on when CMMC will be required can save you significant remediation costs.
The Data Challenge: FCI vs. CUI
One critical topic discussed was the distinction between Federal Contract Information (FCI) and Controlled Unclassified Information (CUI):
The federal contract data is data that they won't normally or necessarily have to share out to anybody. CUI is controlled and classified data. It's basically stuff that's controlled, must have a protection around it, must have a protective designation, but it's not classified.
The Cultural Shift
Chad Koslow on cultural challenges:
We hire brilliant people, brilliant engineers, brilliant project managers, and when we implemented CMMC inside of our organization, it wasn't a good fit for them and they were very upset and they left. It could show you have brilliant people, but the security was too much, the extra steps they had to take, they felt it was inefficient.
Looking Ahead: Beyond CMMC 2.0
Alan Dinerman on future developments:
In May, NIST published 800-171-R3. Presumably, future iterations of CMMC would consider R3 versus R2. R3 includes some additional control families like system service acquisitions and supply chain risk management and planning.
The experts agree that starting your CMMC journey early is critical for success. With requirements appearing in contracts beginning in early 2025, organizations need 12-18 months to properly implement controls and generate sufficient evidence for assessment.
Last Updated: February 12, 2025
CMMC DEADLINE & Compliance
Frequently Asked Questions
How long does CMMC Certification take?
Most organizations need 12-18 months to achieve full certification. The process includes 3-6 months implementing military-grade security controls through our proven implementation framework. Then, as outlined in our maturity requirements guide, you must demonstrate these practices are embedded in your culture - typically requiring 3-6 months of documented operational evidence. Only then can you begin the formal assessment process.
Can I self certify for CMMC?
Self-certification is only available for CMMC Level 1 and requires annual renewal with a senior official affirmation. Our certification requirements guide explains why Level 2 requires third-party assessment from an authorized C3PAO assessor, while Level 3 mandates direct government evaluation. The DoD implemented these stricter requirements after finding only 10-15% of self-assessed companies actually met compliance standards.
Will CMMC requirements be delayed?
No. The Final Rule is published and deadlines are set for 2025.
What happens if you miss the CMMC deadline?
After the Final Rule takes effect December 16, 2024, non-certified contractors lose DoD contracts immediately. Our military-grade compliance solutions ensure you maintain contract eligibility.
How are CMMC assessments different from self-certification?
Third-party CMMC assessments are now mandatory because self-certification proved unreliable - DoD audits found only 10-15% compliance. Review our assessment requirements guide and learn how our C3PAO certification process ensures compliance.
What’s the real difference between CMMC 1.0 and CMMC 2.0?
While CMMC 2.0 reduces levels from five to three, it demands more sophisticated controls than ISO 27001 or HIPAA. See the complete version comparison and learn how our military-grade implementation addresses these elevated requirements.
How does CMMC affect my existing NIST compliance?
CMMC enforces NIST SP 800-171 and 800-172 requirements through verification. Review our NIST compliance guide and see how our Zero Trust architecture streamlines both frameworks.
Do subcontractors need CMMC Certification?
Yes, but our unique approach can help. While flow-down typically requires matching certification levels, our subcontractor compliance guide explains how our Zero Trust architecture can eliminate this requirement.
What’s the CMMC rollout schedule after the Final Rule?
How do you choose between CMMC compliance companies?
Can I meet CMMC security requirements with my current IT team?
Most internal IT teams lack the specialized expertise for CMMC security controls. Our managed IT brings proven security control frameworks that map directly to certification requirements. While basic security tools focus on alerts, we prevent breaches through automated remediation and continuous compliance validation.
What CMMC mistakes should my team look for?
After hundreds of defense contractors achieve certification, we've seen how costly DIY CMMC compliance mistakes can be. The DoD found only 10-15% of self-assessed companies actually met requirements. Learn which mistakes fail certification and how to prevent them.
The most critical errors include:
- Trusting DIY assessments when CMMC deadline 2025 requires expert guidance
- Missing CUI boundary documentation that auditors require for CMMC compliance contractors
- Treating compliance like an annual event instead of continuous monitoring, which the December 16 Final Rule demands
When do DoD CMMC requirements start?
After December 16, 2024, CMMC compliance becomes mandatory for DoD contractors. See critical timeline mistakes contractors make during implementation.
