New Cybersecurity Requirement for Defense Contractors 

The Cybersecurity Maturity Model Certification 2.0 framework (CMMC 2.0) is a mandatory requirement for defense contractors, and it will take effect on November 10, 2025. It applies to contractors who deal with Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Compliance with its 3 levels is mandatory: 

Recommendations for Contractors 

  • Assess Current Cybersecurity Practices: Contractors must become familiar with this new rule and conduct a thorough review of their systems to determine their current level of compliance with CMMC 2.0 standards. 

  • Determine Your CMMC Level: Contractors must identify whether their contracts involve FCI or CUI and the corresponding CMMC level required. 

  • Prepare for Certification: Begin preparations for self-assessment, third-party assessment, or DIBCAC certification as applicable. 

  • Develop POA&Ms: If gaps exist in a contractor’s compliance, a detailed plan is required. 

  • Ensure Subcontractor Compliance: Prime contractors are responsible for verifying that their subcontractors maintain the same level of compliance for handling the contract’s FCI or CUI. 

  • Monitor SPRS Compliance: Contractors must regularly and accurately report their compliance status in the Supplier Performance Risk System. 
