As of October 2024, the final rule for CMMC 2.0 has been published, marking the next step in its rollout. The updated CMMC 2.0 reduces the number of compliance levels from five to three, simplifying the process, especially for small and medium-sized businesses. Contractors handling federal contract information (FCI) or controlled unclassified information (CUI) must now undergo self-assessments for the lowest level of certification (Level 1). More critical CUI, particularly when at risk from advanced persistent threats, will require third-party assessments for Levels 2 and 3.

Additionally, new Plans of Action and Milestones (POA&Ms) allow contractors a 180-day window to achieve full compliance under certain conditions. Contractors must meet ongoing certification requirements and monitor any changes in their cybersecurity posture, as any failure to report security lapses could have legal and contractual repercussions.

The rule is expected to be fully incorporated into defense contracts in 2025, and contractors are advised to stay on top of these new compliance requirements to ensure they meet the necessary standards when competing for DoD contract