CMMC 2.0 Phase 1 Is Now Live: What Defense Contractors Need to Know

The Department of Defense has rolled out Phase 1 of CMMC 2.0, a significant update on how defense contractors handle and secure federal contract information (FCI) and controlled unclassified information (CUI). This launch sets new expectations for CMMC 2.0 compliance, affecting both prime contractors and subcontractors.

CMMC 2.0 Levels and Their Focus

There are three CMMC 2.0 levels (Level 1, Level 2, Level 3). Each level corresponds to the sensitivity of the information.

• Level 1 focuses on basic protection for FCI. It will require 17 practices and an annual self-assessment.

• Level 2 supports CUI and adheres to NIST SP 800-171 controls. You will either complete a self-assessment each year or undergo a third-party review every three years by a C3PAO. The DoD decides which one you need based on the sensitivity of the information.

• Level 3 applies to the most critical national security work. It will include more than 110 controls from NIST SP 800-172, and the government will conduct the assessment every 3 years. The final list of requirements is still pending.

Comparing CMMC 2.0 vs CMMC 1.0 shows that the new version is more streamlined than its predecessor. One key difference is that CMMC 2.0 removes the old maturity processes and clarifies the assessment rules. Also, the DoD may allow limited waivers that remove CMMC requirements for urgent contracts. These waivers are meant for situations where delays could harm mission needs.

What Phase 1 Means for CMMC 2.0 Requirements

With Phase 1 of the CMMC 2.0 implementation active, new DoD contracts now include CMMC 2.0 requirements. As mentioned, many organizations need to complete a CMMC 2.0 self-assessment and submit the results to the Supplier Performance Risk System (SPRS). Some Level 2 situations may also require a CMMC 2.0 self-assessment & third-party assessment, depending on the type of CUI involved.

These steps also apply to subcontractors. Anyone who handles sensitive data must prepare for a CMMC 2.0 assessment at their assigned level. Full third-party reviews and Level 3 enforcement will come in later phases.

Building Your CMMC 2.0 Readiness Plan

If your team handles many DoD contracts, take a close look at the security measures your team already uses and then check whether they comply with the official rules outlined in Phase 1. 

Start with a CMMC 2.0 gap analysis and assess where your safeguards fall short. If something is missing, outdated, or weaker than the current program, you’ll need to fix it so your team can meet CMMC 2.0. Once you know the gaps, you can put together an implementation plan that lines up with your level and contract requirements.

To help you prepare, CBT Nuggets now offers a full CMMC Readiness and Compliance training. The lessons break down each requirement in a clear, step-by-step way and show you how real assessments work. The new training includes risk reviews, policy updates, and day-to-day security planning. 

The course also includes hands-on resources you can revisit anytime, so you can study at your own pace and stay on track as you prepare for CMMC 2.0.

It's Time to Future-Proof Your Policies

Phase 1 implementation of CMMC 2.0 has begun, marking the start of a broader rollout that will continue over the next several years. It’s time to update your policies, train your team, and prepare for future assessments.

Explore the CBT Nuggets CMMC Readiness and Compliance training and start building a clear plan to meet CMMC 2.0 requirements. Start with a free 7-day trial today.