The Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) is a Department of Defense (DoD) initiated standard meant to assess defense contractor compliance with existing information safeguarding requirements for federal contract information (FCI), as defined in section 4.1901 of the Federal Acquisition Regulations (FAR), and controlled unclassified information (CUI), as outlined in Title 32 CFR 2002.4(h).
The Rule requires all entities who store information classified as FCI or CUI to comply with cybersecurity standards set in CMMC 2.0.
The Issue
Over the last five years, CMMC 2.0 felt like a “someday” problem, with regular delays, comments, and changes. That all changed on Nov. 10, 2025, when we officially entered Phase 1 CMMC 2.0. While the finalized CMMC requirements will roll out over three years, by the fourth year every contractor will be required to be fully compliant.
While this may seem like needlessly abbreviated jargon that only applies to business entities that directly contract with DoD, its impact on non-Defense-related businesses is far reaching, potentially implicating any company that receives or stores FCI or CUI through the unwaivable flowdown requirements of government contracts.
CMMC requirements from government contractors (Primes) flow down to subcontractors as outlined in 32 CFR 170.23. Primes must flowdown CMMC requirements to all lower-tier subcontractors that will store, process, or transmit FCI or CUI on unclassified contractor information systems.
Breeanna Brock, Northwestern 2021, is the owner and principal attorney with BBR Law, LLC, Appleton. She focuses on business law, and previously served as general counsel at Defense Trade Solutions in Washington, D.C.
Contractors cannot be awarded DoD contracts or maintain existing contracts when option periods require compliance verification without proper CMMC 2.0 certification.
Further, there is liability under the False Claims Act, including qui tam enforcement, for misrepresenting CMMC compliance.
Long story short, if your business or client is a Prime or a subcontractor to a business engaged in government contracting, and receives or stores information relating to government procurement and vending in its regular course of business, your cybersecurity standards will need to become compliant with this DoD-created initiative, even if the scope of the business seems tangential to the defense industry.
For in-house counsel, this means managing and mitigating a new risk and costly liability to remain viable for government contract work.
CMMC Compliance in Practice
It is important to know which CMMC level applies to your business or client.
CMMC assesses compliance with cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the FCI or CUI. There are three CMMC levels:
- Level 1 (lowest) intending to protect FCI;
- Level 2 intending to protect, broadly, CUI; and
- Level 3 (highest) seeking to provide higher-level protection of CUI against advanced, persistent threats.
By Nov. 10, 2028, following a three-year, tiered “phase-in” of CMMC 2.0, CMMC compliance will become mandatory on all government contracts.
We are currently in Phase 1, which began in November 2025 and requires Level 1 self-assessments submitted through the Supplier Performance Risk System (SPRS). The annual Level 1 self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21 is sufficient only for companies that do not create, handle, store, or receive CUI.
Phase 2, beginning Nov. 10, 2026, is when the real “teeth” arrive. Level 2 requires either a self-assessment or an independent assessment by an authorized CMMC Third-Party Assessment Organization (C3PAO) every three years, as specified in the contract solicitation and applicable flowdown requirements. While there are some carveouts for self-assessments if provided for in the contract instrument, non-prioritized acquisitions where CUI is deemed lower risk, or in other limited circumstances, most contractors receiving DoD contracts directly, as well as subcontractors subject to CMMC 2.0 flowdown obligations, will be required to satisfy Level 2 requirements through a C3PAO rather than through a self-assessment. Additionally, Level 2 compliance requires an annual affirmation verifying compliance with the 110 security requirements in NIST SP 800-171.
Level 3 requires compliance with all requirements in Level 2, with the addition of undergoing an assessment every three years by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), as well as providing an annual affirmation verifying compliance with the 24 additional, identified requirements from NIST SP 800-172.
Practice pointer: For small businesses new to government contracting, the DoD Office of Small Business Programs has resources specifically designed to help small and medium-sized businesses with CMMC compliance.
Project Spectrum, a comprehensive platform to provide the tools and training needed to increase cybersecurity awareness and maintain compliance with DoD contracting requirements, is available to help businesses navigate CMMC compliance with training, tools, and expert support.
More broadly, the Small Business Administration (SBA) expanded the Made in America Loan Guarantee to extend to manufacturers and contractors that are going through the implementation and audit process.
And, when advising Wisconsin businesses, the Wisconsin APEX Accelerator is set up to help provide a free gap analysis.
Mergers, Acquisitions, & Divestiture and the Far-reaching Breadth of Government Procurement
DoD estimates that hundreds of defense companies undergo mergers and acquisitions (M&A) each year.[1] Venture capital investment in defense has increased more than eighteenfold over the past decade, from $500 million in 2014 to an estimated $8.7 billion in 2024.[2]
In an increasingly consolidated market, FCI and CUI are being stored on increasingly consolidated cybersecurity systems. While this is a great opportunity for companies going to market or expanding to acquire new streams of revenue, it poses an unforeseen compliance hazard for outside counsel navigating the transaction, and in-house counsel mitigating the internal compliance risk.
As consolidation increases within the defense contractor and subcontractor ecosystem, the resulting compliance and data-security risks are amplified by the breadth and scale of the federal government's procurement activity. To that point, many industries are partners to – or directly or indirectly benefit from – government contracting, and the federal procurement system includes a wide range of vendors from small businesses to large, multinational corporations.
In fiscal year 2025, the federal government committed about $793 billion on contracts, a $17.8 billion increase from fiscal year 2024 after adjusting for inflation.
Sidebar for the Transactional Attorney: Due Diligence Checklist
In 2026, a target company’s cybersecurity posture is critical. Failure to meet the November 2026 Phase 2 audit deadline could result in the immediate loss of DoD contracts, rendering an acquisition target’s valuation inaccurate overnight.
This checklist is a starting point to verify that compliance is more than just a checked box on a disclosure schedule:
- Data Categorization: Has the company identified all FCI and CUI in their possession? Can they produce a Data Discovery Audit?
- Boundary Definition: Is there a documented CMMC Strategy?
- Practice Pointer: Look for an “Enclave” strategy. If they have segmented their defense work from their commercial work, audit costs and legal risks are significantly lower.
- Asset Inventory: Do they have a complete hardware/software inventory that distinguishes between “Security Protection Assets” and “Out-of-Scope Assets”?
- System Security Plan (SSP): This is the “Holy Grail” of CMMC. If a potential target doesn’t have a written SSP, they are effectively noncompliant.
- SPRS Score: What is the company’s current score? Practice Pointer: SPRS scores are numerical grades ranging from -203 to +110. Level 1 is typically reviewed as “met” or “unmet”; however, the total score must be uploaded into SPRS regardless of whether all elements are met. A “perfect” score of 110 is required for Level 2.
- Plan of Action & Milestones (POA&M): Review the list of unimplemented controls and pay special attention to the dates. There is a strict 180-day limit on POA&Ms; if uncompleted milestones are older than six months, the company could be in breach of current DFARS clauses.
- Multifactor Authentication (MFA): Is MFA deployed for all local and network access to CUI?
- FIPS-Validated Encryption: Are they using FIPS 140-2 or 140-3 validated modules at rest and in transit?
- Cloud Provider (FedRAMP): If they use cloud storage (Box, Azure, GCC High), is the provider FedRAMP Moderate equivalent?
- Subcontractor Management: Does the acquisition target have a process to flowdown DFARS 252.204-7012/7021 to their suppliers?
- Vendor Risk Assessment: Have they performed due diligence on their own Tier 3 suppliers?
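The SPRS score and POA&M checks above are the two items in the list that can be tested mechanically from a target’s assessment records. The following is an added example (not from the original article) that scores a constructed POA&M extract and flags entries past the 180-day limit. It assumes the per-requirement point values (1, 3, or 5) and the partial-credit rules for MFA (3.5.3) and non-FIPS-validated encryption (3.13.11) from the DoD NIST SP 800-171 Assessment Methodology; the control identifiers and dates in the sample are hypothetical.

```python
from datetime import date

# Constructed sample POA&M extract for a hypothetical acquisition target (not real data).
# "weight" is the assumed DoD Assessment Methodology point value for each requirement.
SAMPLE_POAM = [
    {"control": "3.1.1",   "weight": 5, "status": "implemented", "opened": None},
    {"control": "3.5.3",   "weight": 5, "status": "partial_mfa", "opened": "2025-04-01"},
    {"control": "3.13.11", "weight": 5, "status": "non_fips",    "opened": "2025-09-15"},
    {"control": "3.14.2",  "weight": 1, "status": "open",        "opened": "2026-01-05"},
    {"control": "3.3.1",   "weight": 3, "status": "open",        "opened": "2025-02-20"},
]

PERFECT_SCORE = 110    # all 110 NIST SP 800-171 requirements implemented
POAM_LIMIT_DAYS = 180  # the 180-day POA&M limit from the checklist


def deduction(item):
    """Points subtracted for one requirement. Partial credit (assumed from the DoD
    methodology): MFA only for privileged/remote users (3.5.3) and encryption that is
    in place but not FIPS-validated (3.13.11) each lose 3 points instead of 5."""
    if item["status"] == "implemented":
        return 0
    partial = {"3.5.3": "partial_mfa", "3.13.11": "non_fips"}
    if partial.get(item["control"]) == item["status"]:
        return 3
    return item["weight"]


def sprs_score(poam):
    """Self-assessment score as it would be reported to SPRS."""
    return PERFECT_SCORE - sum(deduction(i) for i in poam)


def stale_poam_items(poam, as_of):
    """Controls still open for more than POAM_LIMIT_DAYS as of the given date."""
    return [
        i["control"] for i in poam
        if i["status"] != "implemented" and i["opened"]
        and (as_of - date.fromisoformat(i["opened"])).days > POAM_LIMIT_DAYS
    ]


def level2_ready(poam, as_of):
    """Level 2 needs a perfect 110 and no POA&M item past the 180-day limit."""
    return sprs_score(poam) == PERFECT_SCORE and not stale_poam_items(poam, as_of)


if __name__ == "__main__":
    today = date(2026, 3, 1)  # hypothetical due-diligence date
    print("SPRS score:", sprs_score(SAMPLE_POAM))
    print("Stale POA&M items:", stale_poam_items(SAMPLE_POAM, today))
    print("Level 2 ready:", level2_ready(SAMPLE_POAM, today))
```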
Looking Forward
The phased rollout of CMMC 2.0 will cause many businesses to be faced with costly, onerous and technical requirements to self-assess, externally audit, and implement cybersecurity measures to protect and safeguard sensitive information relating to government contracts.
Counsel for companies that are involved, even tangentially, in the government procurement process must be aware of any requirements imposed by CMMC 2.0 upon their cybersecurity systems and ensure compliance with these new administrative requirements to ensure continued viability for existing government contracts and continued eligibility for future contracts.
CMMC 2.0 is here to stay, and the timeline for proactive compliance is drawing nearer as we reach Year 2 in November 2026. For companies and clients that did not have cybersecurity on their radar, the second-best time to start is today.
This article was originally published on the State Bar of Wisconsin’s Business Law Blog.
Endnotes
[1] U.S. Government Accountability Office (GAO), “Defense Industrial Base: DOD Needs Better Insight into Risks from Mergers and Acquisitions,” Oct. 17, 2023.
[2] Michael Sion et al., “M&A in Aerospace & Defense: How Incumbents Can Respond to Well-Funded Disrupters,” Bain & Company, Feb. 4, 2025.