After years of speculation, shifting timelines and industry-wide uncertainty, the Department of Defense (DoD) has finalized the Cybersecurity Maturity Model Certification (CMMC) rule.
According to Inversion6 CISO Jack Nichelson, the message to defense contractors is now crystal clear:
"It's go time."
"For the longest time, people didn't believe this was really going to happen," Nichelson said. "There were delays, revisions and even talk that the whole thing might get scrapped. But it's all happening. In fact, contractors are now getting direct letters from the DoD telling them they either need to be CMMC compliant—or they're out."
The journey from CMMC conceptualization to enforcement has been years in the making.
CMMC was originally designed to strengthen cybersecurity across the defense industry, building on the foundations of other efforts like the DFARS clauses and NIST 800-171. The key difference here is enforcement. What was once a self-attested system is now a third-party certified mandate.
The original version of the rule was introduced in 2020, and the initial framework proposed five certification levels and a complex scoring structure. This proved difficult for many contractors to navigate, and feedback from industry stakeholders prompted the DoD to simplify the model in 2021.
The result was CMMC 2.0—a more flexible, transparent system focused on alignment with existing federal standards.
"The first version of CMMC was ambitious, but overly complicated," Nichelson said. "With 2.0, the DoD listened. Now, it’s clearer, better aligned to NIST 800-171, and more achievable for contractors who start early."
CMMC 2.0 introduces a three-level model, with Level 2 aligning directly with the 110 controls in NIST 800-171. Contractors handling Controlled Unclassified Information (CUI) must prepare to demonstrate:
A comprehensive System Security Plan (SSP)
An accurate and high SPRS score
Realistic and actionable Plans of Action & Milestones (POA&Ms)
Documented evidence and continuous monitoring
The DoD published the final CMMC 2.0 rule in September 2025, setting October 2025 as the official start of CMMC’s phased enforcement. In plain English, this means contractors will begin seeing certification requirements in new DoD contracts from that point forward.
"The October 2025 enforcement date might sound like it’s still far off, but we’re already seeing flow-down requirements in contracts right now," Nichelson said. "And it’s not just a checkbox exercise. This is about building a defensible, auditable cybersecurity program."
"Right now, we’re getting our first wave of panic calls from companies that got caught off guard," Nichelson added. "Many of them were on the fence, waiting for clarity. Well, here it is. The rule is final. So you either get compliant, or you risk losing business."
According to Nichelson, Inversion6 follows a clear Plan-Do-Check-Act (PDCA) model. Here’s how it works:
Plan: "We start by identifying where your data is, what your current exposure looks like, and how ready you are to meet your required CMMC level," Nichelson explained. "That includes a third-party NIST risk assessment, mapping your CUI and building business buy-in."
Do: "Next, we help clients develop POA&Ms, align their policies with NIST standards and implement governance structures," he continued. "It’s not about doing everything at once—it’s about doing the right things first."
Check: "This is where we validate," added Nichelson. "We conduct follow-up assessments, rebuild your SSP, and make sure your documentation stands up to an auditor’s scrutiny."
Act: "Finally, we help you engage a C3PAO for the official (audit) assessment," he said. "And we don’t walk away after that, because monitoring, evidence collection and reassessment are ongoing needs."
Now that contractors have a final rule and a firm enforcement date, Nichelson expects the floodgates to open for CMMC Registered Practitioners like himself and fellow Inversion6 CISO Craig Burland.
"There's definitely going to be a rush," he said. "C3PAOs don't have unlimited resources, and their availability for auditing is going to get tight. That means the people who get started early will be audit-ready. But those who wait will risk getting stuck in a queue."
"It's also important to remember the firm helping you build your CMMC program can't be the same one who audits it," he added. "That's by design. The DoD wants an unbiased assessment, which is why C3PAOs are completely separate from Registered Practitioners like Craig and myself."
"Our role is to get you ready—fully documented and fully prepared," concluded Nichelson. "When your auditor walks in, there shouldn't be any surprises."