CMMC 2.0 Final Rule: What Defense Contractors Need to Know

Vanessa Booth
Policy Analyst

With a new rule taking effect in November, the Department of Defense (DoD) is raising the stakes for more than 300,000 contractors, making the newest version of its cybersecurity certification a condition of doing business with the U.S. military.

The DoD finalized the rule that makes the Cybersecurity Maturity Model Certification (CMMC) 2.0 a requirement for defense contracts. This moves the program from a framework into an enforced contractual obligation.

Although the program itself was finalized in October 2024 (the CMMC Program rule, 32 CFR Part 170), the DoD took the decisive step toward enforcement on September 9, 2025, when it published the amended Defense Federal Acquisition Regulation Supplement (DFARS) rule that puts CMMC into the acquisition regulations themselves.

CMMC 2.0 requirements begin appearing in defense contract solicitations and awards on November 10. Note that enforcement is phased in over three years: the first phase relies on self-assessments, and third-party and government-led assessments become contract conditions in later phases, so the level and assessment type a given solicitation demands will depend on where it falls in that rollout.

What CMMC 2.0 Requires and Who Must Comply

CMMC 2.0 requires contractors to demonstrate baseline cybersecurity practices, scaled to the sensitivity of the data they handle, by completing a self-assessment or obtaining a third-party certification before a contract is awarded or extended. A contractor that cannot show the required CMMC status in the DoD's systems is ineligible for award.

The requirements apply to both federal contract information (FCI) and controlled unclassified information (CUI), with assessment levels determined by the sensitivity of the data.

In total, the final DFARS rules are expected to affect about 330,000 contractors and subcontractors, including primes, subs, software vendors, and service providers.

The framework has three levels, each with its own scoping guidance and expected population of contractors:

Level 1 (Foundational): Protects FCI with basic cyber hygiene (the 15 safeguarding requirements of FAR 52.204-21) and an annual self-assessment. Expected impacted contractors: 210,000.

Level 2 (Advanced): Protects CUI with the 110 security requirements of NIST SP 800-171. Depending on the sensitivity of the CUI, contractors complete either a self-assessment or an assessment by a CMMC Third-Party Assessment Organization (C3PAO). Expected impacted contractors: 125,000.

Level 3 (Expert): Applies to the most sensitive contracts. It builds on Level 2 with a subset of the enhanced requirements of NIST SP 800-172, including penetration testing, and is assessed by the government rather than a C3PAO. Expected impacted contractors: 3,300.

CMMC 2.0 has no Levels 4 and 5. The original 2020 CMMC model defined five levels; the 2021 overhaul that produced CMMC 2.0 collapsed them into the three above, so Level 3 is the top of the current model.

Contractors must maintain their CMMC 2.0 status throughout the period of performance, with self-assessment results and an annual affirmation of continued compliance recorded in the Supplier Performance Risk System (SPRS).

Prepare for Future CMMC 2.0 Requirements

The September rule defines clear requirements through Level 3, and the top level already calls for testing that goes well beyond a control checklist. Practices such as penetration testing and red teaming simulate real-world attacks to find the weaknesses a paper assessment misses, strengthening defenses and improving readiness, which is critical for protecting national security.

At HackerOne, we view these practices as essential to a healthy security program, not just a compliance checkbox. Our offensive security programs help contractors of all sizes go beyond compliance to achieve resilience across all CMMC 2.0 levels.

As CMMC continues to evolve, HackerOne is here to help you stay aligned with current requirements and prepare for what comes next.

Strengthen your defenses and meet CMMC 2.0 requirements with HackerOne