THALES BLOG

Are Defense Contractors Ready for the Cybersecurity Maturity Model Certification?

November 18, 2025

Marcelo DeLima | Senior Manager, Global Solutions Marketing

If you’re a defense contractor or subcontractor, 2025 isn’t just another year—it’s the year the Cybersecurity Maturity Model Certification (CMMC) becomes a contract-shaping reality. On November 10, 2025, the Department of Defense (DoD) began incorporating the CMMC requirement into its contracts. However, are defense contractors ready?

The Cybersecurity Maturity Model Certification

The DoD relies on hundreds of thousands of contractors and subcontractors, many of which handle highly sensitive Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). Previous requirements, such as compliance with NIST SP 800-171, were often self-attested, leaving gaps in accountability.

With constantly evolving cybersecurity threats, the DoD recognized the need to protect sensitive defense information across contractors and suppliers. The DoD introduced the CMMC to strengthen the security posture of the Defense Industrial Base (DIB), a group of over 100,000 organizations that compose the supply chain for the Department of Defense.

CMMC Certification Levels

The CMMC version 2.0 model measures the implementation of cybersecurity requirements at three levels. Each level consists of a set of CMMC practices:

  • Level 1: CMMC Level 1 is a foundational level, focusing on basic cyber hygiene and applies to organizations handling FCI, requiring 17 security practices and an annual self-assessment.
  • Level 2: CMMC Level 2 is an advanced level, designed for organizations handling CUI, requiring compliance with 110 security practices based on NIST SP 800-171, and either self-assessments or third-party assessments by a CMMC Third Party Assessor Organization (C3PAO) depending on contract requirements.
  • Level 3: CMMC Level 3 is the highest level, for organizations managing the most sensitive data, requiring certification on 24 advanced cybersecurity practices and processes based on NIST SP 800-172 and government-led assessments.

The CMMC levels and associated sets of practices across domains are cumulative. More specifically, for an organization to achieve a specific CMMC level, it must also demonstrate achievement of the preceding lower levels.

Biggest Challenges of CMMC Level 2

CMMC Level 2 is very prescriptive, built on the 110 security requirements from NIST SP 800-171 Rev. 2. Its goal is to protect CUI against increasingly sophisticated cyber threats. Some of the CMMC Level 2 requirements that represent big challenges include:

Access Control

  • Multi-Factor Authentication (MFA) required for local and remote access to systems handling CUI.
  • Least Privilege: Users should only have access to the information they need.
  • Session Management: Automatic logoff/lock after inactivity.
  • Account Management: Disabling unused accounts quickly.

System & Communications Security

  • Encrypt CUI in Transit and at Rest: Strong cryptographic methods must be used.
  • Boundary Protection: Firewalls, intrusion detection/prevention, segmentation of networks.

Audit & Accountability

  • Logging & Monitoring: Collect logs for user activity, system events, and security-relevant events.
  • Audit Log Protection: Ensure logs can’t be tampered with.
  • Audit Reviews: Regularly review and analyze logs.

Risk & Security Assessment

  • Risk Assessment: Identify vulnerabilities and data that may be at risk.
  • Security Assessment: Identify current state of security compliance, documenting gaps, and providing remediation steps.
  • Continuous Monitoring: Ongoing evaluation of controls, not “one and done.”

Incident Response

  • Incident Response Plan: Must be documented, tested, and actionable.
  • Reporting & Tracking: Ability to detect, respond, and report security incidents quickly.

How can Thales help

Thales solutions can help organizations that are part of the Defense Industrial Base comply with the CMMC requirements by simplifying compliance and automating security, reducing the burden on security and compliance teams. We help address essential cybersecurity risk-management requirements for CMMC 2.0 Level 2, covering application security, data security, and identity & access management requirements across multiple categories.

White Paper

CMMC 2.0 Compliance with Thales Solutions

Explore how Thales supports CMMC 2.0 compliance with data, application, and identity security tools designed for DoD contractors and the DIB.
