The Department of Defense is advancing the Cybersecurity Maturity Model Certification (CMMC) 2.0 program from policy to contractual enforcement. While the 32 CFR rule officially established the CMMC framework, it is the upcoming 48 CFR rule, currently in proposed status, that will mandate CMMC certification as a condition for contract awards and renewals. This change is anchored by DFARS clause 252.204-7021, which requires defense contractors and their subcontractors to maintain a valid CMMC certification aligned to contract requirements. With rollout starting as early as Q3 2025 and full enforcement across all contracts expected by 2028, the message is clear: contractors must act now. Prime contractors are already preparing their supply chains and will not wait for the final rule to be enacted. Subcontractors that delay readiness risk losing opportunities. Ultimately, CMMC 2.0 is not just about compliance; it is about competitiveness. Defense contractors that treat cybersecurity as a core business capability, rather than a box-checking exercise, will be best positioned to secure contracts and grow in the DoD supply chain.
Think of organization-defined parameters (ODPs) as cybersecurity "fill-in-the-blanks" tailored to your business. This post breaks down how CMMC lets you define certain control values based on your risk, resources, and operations, with new DoD guidance helping clarify what is expected. Practical, plain-English examples show how to strike the right balance between compliance and common sense.