
The DoD Finally Clarified CMMC Assessment Levels — Here’s What You Need to Know
Earlier this year, the Department of Defense issued a key memorandum titled “Implementing the Cybersecurity Maturity Model Certification (CMMC) Program: Guidance for Determining Appropriate CMMC Compliance Assessment Levels and Process for Waiving CMMC Assessment Requirements.”
As contractors wait for the final Title 48 Defense Federal Acquisition Regulation Supplement (DFARS) rule, 2019-D041, to be published, this document is the clearest signal yet of how the DoD plans to enforce cybersecurity standards for its defense industrial base (DIB) through CMMC 2.0.
The memo outlines when and how contractors must meet one of three CMMC levels and introduces clearer guidance on exceptions and waivers. Here’s what defense contractors need to know, starting with an overview of the tiered model.
CMMC 2.0: The three levels of compliance
The CMMC framework is designed to protect sensitive unclassified information, including Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and Security Protection Data (SPD) within the DIB and reduce the risk of cyber attacks.
Under CMMC 2.0, the model is streamlined into three tiers of compliance based on the type and sensitivity of the information a contractor handles. Here’s a brief overview of those levels.
Level 1: Foundational
Level 1 applies to contractors handling only Federal Contract Information (FCI). It requires an annual self-assessment against 17 basic safeguarding practices from FAR 52.204-21. These are common-sense hygiene practices like using strong passwords and limiting system access. No third-party certification is required.
Level 2: Advanced
Level 2 applies to contractors with access to Controlled Unclassified Information (CUI) or Security Protection Data (SPD). This level aligns with the 110 controls in NIST SP 800-171. There are different assessment requirements depending on the sensitivity of the CUI:
- Triennial third-party assessments for "prioritized acquisitions" involving critical programs or high-value CUI.
- Annual self-assessments for "non-prioritized acquisitions" where the CUI is considered lower risk.
- Triennial assessments for organizations that don’t store CUI, but must be compliant to support their customer’s CMMC needs and be part of the DoD supply chain.
Level 3: Expert
Level 3 is reserved for contractors supporting the most sensitive programs. This level will require compliance with NIST SP 800-171 plus a subset of 24 NIST SP 800-172 controls designed to protect against Advanced Persistent Threats (APTs). Assessments will be performed by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Key takeaways from the CMMC implementation memo
In addition to signaling the DoD’s commitment to CMMC, the memo offers clarity on several fronts. Most notably, it includes attachments that clarify how the DoD will determine the required CMMC level for solicitations and issue waivers when assessments aren’t feasible.
Here’s an overview of the key takeaways:
1. Confirms that enforcement will occur through the procurement process
The memo reinforces that CMMC requirements will be embedded in solicitations and contract awards once rulemaking for the 48 CFR CMMC Acquisition rule is complete. This means defense contractors will have to undergo CMMC assessments of covered information systems before contract award.
It specifies:
- All procurement requests that may result in a contract where the contractor may process FCI shall include CMMC Level 1.
- All procurement requests that may result in a contract where the contractor may process CUI shall include CMMC Level 2 or for Organizations Seeking Certification (OSCs) that will be obtaining a Level 2 certification assessment in accordance with 32 CFR § 170.17.
- All procurement requests that may result in a contract where the contractor may process CUI associated with mission critical or unique technologies and programs shall include CMMC Level 3.
The 48 CFR rulemaking process is expected to be completed this year so contractors need to be ready to prove compliance, especially those who fall into phase 1 of the rollout (i.e. Level 1 and Level 2 self-assessments).
2. Requires more precise matching of CMMC levels to risk
DoD program managers must justify which CMMC level is required based on the type and sensitivity of information and mission impact, particularly for Level 2 and Level 3. The goal is to avoid the overuse of both Level 2 self-assessments and Level 3 requirements.
The memo states:
- Level 2 self-assessments are sufficient only for CUI outside of the National Archives' CUI Registry Defense Organizational Index Grouping or for OSCs that will be obtaining a Level 2 certification assessment in accordance with 32 CFR § 170.17.
- Level 2 certification assessments are required for CUI categorized under the CUI Registry Defense Organizational Index Grouping.
- Level 3 certification assessments are required only in limited circumstances, including:
  a) CUI associated with a breakthrough, unique, and/or advanced technology;
  b) a significant aggregation or compilation of CUI in a single information system or IT environment; or
  c) cases where an attack on a single information system or IT environment would result in widespread vulnerability across DoD.
This gives contractors clearer expectations early in the procurement process and limits overreach.
3. Confirms phased rollout of CMMC requirements in contracts
The memo confirms that CMMC 2.0 requirements will roll out according to the phased implementation plan described in Title 32 of the Code of Federal Regulations (CFR) § 170.3 (e):
- Phase 1: CMMC Level 1 and Level 2 self-assessment requirements will be included in certain contracts upon publication of the final 48 CFR rule.
- Phase 2: CMMC Level 2 certification assessment requirements will be included in certain contracts one year after the publication of the final 48 CFR rule.
- Phase 3: CMMC Level 3 certification assessment requirements will be included in certain contracts two years after the publication of the final 48 CFR rule.
4. Clarifies role for DoD program managers
The memo charges DoD program managers with identifying CUI and FCI that resides in or transits contractor unclassified information systems and determining the appropriate CMMC assessment level to include in each DoD solicitation and contract. This is particularly important for determining if CMMC Level 3 is warranted. This shift toward accountability at the government level could help the industry by reducing inconsistent application of standards.
The memo also clarifies that program managers, not contractors, may request to waive CMMC assessment requirements.
5. Defines waiver process
While CMMC assessments will be required before contract award, the memo allows for limited waivers when mission-critical operations could be disrupted. Waivers must be:
- Coordinated through the component Chief Information Officer,
- Requested by program managers through Service Acquisition Executive (SAE) or Component Acquisition Executive (CAE) approval,
- Accompanied by a mitigation plan, and
- Time-bound (not open-ended exceptions).
This codifies what was previously a gray area and removes guesswork.
6. Indicates that waivers will be rare
The memo states that waivers are highly unlikely to apply to CMMC Level 1 or CMMC Level 2 self-assessments and may only be applicable to CMMC Level 2 third-party assessments and CMMC Level 3 third-party assessments in “rare circumstances.”
It also specifies when waivers are not appropriate, including:
- For Level 2 contracts requiring performance by a cleared defense contractor.
- For Level 3 contracts or work statements requiring access to both unclassified and classified DoD information.
7. Announces non-FAR based grants will include CMMC requirements
Finally, the memo announces that DoD program managers are still expected to select appropriate CMMC level requirements for requests that are expected to result in award of a non-FAR based grant or other legal agreement, just as they do for any DoD solicitation and contract.
What this means for contractors
The DoD’s memo signals a more disciplined rollout of CMMC—but not a delay. As CMMC is moving from concept to contract requirement, and the DoD is tightening expectations across the board, the direction is clear: prepare now.
For contractors that haven’t yet taken cybersecurity seriously, this is the final warning shot. For those already invested, it’s a sign that preparation will pay off.
Here’s what we recommend:
- Determine if your contracts involve FCI or CUI.
- Start preparing for third-party assessments if handling significant CUI or supporting customers/organizations within the DIB. Do not assume self-assessment will suffice long-term — the DoD has made it clear that they will determine that, not you. Read the CMMC Scoping Guidance from the DoD CIO and determine what applies to your organization.
- Engage with a C3PAO or vCISO early if you expect to need a third-party Level 2 assessment.
- Monitor solicitations for CMMC clauses—waivers will be rare and scrutinized.
- Stay up to date on when CMMC requirements begin appearing in contracts (expected in 2025).
- Review internal security controls now—don’t wait for a solicitation.
CMMC 2.0 is here and the time to act is now
The DoD’s latest memorandum on CMMC assessments isn’t just an administrative update—it’s a signal. The era of voluntary cybersecurity is ending for defense contractors. CMMC 2.0 is real, targeted, and moving toward full implementation. The contractors that act early, understand their data environment, and prepare for the appropriate assessment will be the ones ready to compete—and win—under the new rules.
If you're doing business with the DoD, it's time to get serious about CMMC readiness.
