The Department of Defense (DoD) has officially begun enforcing Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0), shifting from voluntary cybersecurity guidelines to mandatory compliance for defense contractors.
With rising cyber threats targeting the Defense Industrial Base (DIB), contractors and vendors must understand the new certification levels, key deadlines, and procedural requirements—or risk losing eligibility for DoD contracts.
The CMMC 2.0 Enforcement Timeline
Phase 1 began November 10, 2025, and runs through November 9, 2026. During this period, contractors and subcontractors must complete Level 1 and Level 2 self-assessments and submit compliance affirmations in the Supplier Performance Risk System (SPRS).
Phase 2 begins November 10, 2026, with mandatory Certified Third-Party Assessment Organization (C3PAO) assessments for Level 2. Contractors handling Controlled Unclassified Information (CUI) must be ready for external verification. Phase 2 concludes November 9, 2027.
Phase 3 starts November 10, 2027, with Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) reviews for Level 3. This phase targets the highest-sensitivity contracts, including programs requiring protection against advanced persistent threats. Phase 3 ends November 9, 2028.
Phase 4 begins November 10, 2028, marking full CMMC 2.0 implementation. At this stage, all new DoD contracts will enforce certification requirements across applicable levels.
The DoD may also accelerate requirements. Certain high-value or sensitive contracts may require Level 2 C3PAO certification during Phase 1 or Level 3 compliance in Phase 2.
Plans of Action and Milestones (POA&Ms) offer limited flexibility for minor compliance gaps at Level 2 and Level 3. Once an organization achieves conditional CMMC status, it has 180 days from that date to close all POA&Ms. Failure to do so results in expiration of conditional certification. Only one closeout attempt is allowed.
What Contractors and Vendors Must Do Now
Contractors and vendors should immediately assess which CMMC level applies to their contracts: Level 1 for Federal Contract Information (FCI), Level 2 for CUI, and Level 3 for high-value programs requiring enhanced protection.
Once the required level is identified, organizations must complete the appropriate assessment—self-assessment for Level 1 and some Level 2, C3PAO assessment for Level 2, or DIBCAC assessment for Level 3. POA&Ms can address minor gaps, but organizations must meet at least 80% of weighted security practices during their initial assessment to qualify, and remediation must occur within 180 days from conditional status.
Finally, because the DoD may accelerate certification requirements, contractors should review each solicitation carefully to ensure compliance before bidding.
What This Means for ERP Insiders
Security controls evolve with CMMC 2.0 rollout. ERP systems processing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must align with the certification level required during each enforcement phase. Level 2 and 3 systems need stronger access controls, encryption, and audit logging to meet requirements.
Compliance reporting depends on new SPRS mandates. With Phase 1 enforcement beginning November 10, 2025, organizations must track and submit CMMC affirmations in SPRS. ERP modules now play a critical role in collecting evidence, managing workflows, and generating reports to demonstrate compliance on time.
ERP configuration shapes deployment and subcontractor oversight. As CMMC requirements roll out, ERP systems must secure data, restrict access, and monitor subcontractors. Affected organizations managing supply chains through ERP need to ensure subcontractor systems meet mandated CMMC levels to prevent non-compliance.