Tenets of the Department of Defense's (DoD) Cybersecurity Maturity Model Certification Program (CMMC) 2.0 went into effect on Nov. 10. What are the primary differences between 1.0 and 2.0 compliance, and what exactly must be in place now?
CMMC 2.0 is now being written into DoD contracts and enforced through DFARS (Defense Federal Acquisition Regulation Supplement), with a three-year phased rollout. For PCB and electronics manufacturers in the defense supply chain, this is now a real gate to doing business with the DoD, not a “nice to have.”
About CMMC
According to the Department of Defense (Department of War) Chief Information Officer (DODCIO), “Cybersecurity is a top priority for the DoD. The defense industrial base (DIB) faces increasingly frequent and complex cyber-attacks. To strengthen DIB cybersecurity and better protect DoW information, the Department developed the CMMC Program, which assesses defense contractor compliance with existing information safeguarding requirements for federal contract information (FCI) and controlled unclassified information.”
A Look Back: CMMC 1.0
CMMC Version 1.0, issued in early 2020, created a five-level maturity model with 17 domains and 171 practices, ranging from basic cyber hygiene to advanced/progressive security. Every contractor, including small manufacturers, was expected to obtain a third-party certification at the level specified by their contract.
Although the framework was detailed, it proved to be heavy and expensive, especially for small and mid-sized manufacturers, and was never fully implemented in contracts at scale. This experience directly informed the redesign of CMMC 2.0.
The entire article originally appeared in the December 2025 edition of PCB007 Magazine.