Defense Department to Roll Out CMMC 2.0 in Q1 2025

A Department of Defense official confirmed that the second iteration of a program that aims to improve the defense industrial base’s cyber posture is on track to roll out in early 2025.

Speaking at the Potomac Officers’ Club’s Cyber Summit on Thursday, David McKeown, DOD’s deputy chief information officer for cybersecurity and senior information security officer, discussed the department’s plan to implement the Cybersecurity Maturity Model Certification 2.0 initiative in the first quarter of 2025, and the roadblocks and resistance that popped up during its development, Breaking Defense reported. 

The ability for contractors and subcontractors to do self-assessments or be evaluated by a third-party assessment organization or government evaluators is one of the significant changes brought about by CMMC 2.0.

However, McKeown, a past Wash100 awardee and past POC event speaker, said the self-assessment capability will only be an option for contractors on level 1 and some on level 2.

In December, the Pentagon issued a new proposed rule for CMMC 2.0, an initiative that addresses the private sector’s complaint, which includes being too costly and restrictive. Despite addressing cost concerns, the Pentagon expects that defense industrial base companies could spend about $4 billion over 20 years to implement CMMC 2.0.