CMMC 2.0: Requirements for compliance are looming, and the consequences are real | Constangy, Brooks, Smith & Prophete, LLP
https://www.jdsupra.com/legalnews/cmmc-2-0-requirements-for-compliance-5404288/
Publish Date: 2026-06-02 14:18:00
Source Domain: www.jdsupra.com
Part 1 of a multi-part series.
The Cybersecurity Maturity Model Certification framework, now in its revamped form known as CMMC 2.0, has crossed the threshold from regulatory aspiration to enforceable reality.
Phase 1 went live on November 10, meaning CMMC requirements are already appearing in new Department of War solicitations and contracts. CMMC 2.0 was announced by the Department of Defense (now Department of War) in 2021 and became effective at the end of 2024. The next deadline in the multi-year rollout is November 2026, meaning the window to act is swiftly closing and organizations should expect little to no tolerance for noncompliance. A December 2025 indictment of a former employee of a government contractor makes clear that authorities are willing to hold individuals personally and criminally liable for misrepresenting cybersecurity compliance:
ENFORCEMENT SPOTLIGHT: United States v. Hillmer. A federal grand jury indicted Danielle Hillmer, a former senior manager at a Virginia-based government contractor, on charges of government fraud, wire fraud, and obstruction of a federal audit. According to the U.S. Department of Justice, Ms. Hillmer carried out a scheme from approximately March 2020 through November 2021 to defraud the United States by obstructing federal auditors and falsely representing that her employer’s cloud-based platform — which was used by the U.S. Army, the Departments of State and Veterans Affairs, and other agencies — had required security controls in place. The indictment further alleges that Ms. Hillmer instructed others to conceal the true state of the system during testing and demonstrations, and that the contracts at issue exceeded $250 million in value. Ms. Hillmer has pleaded not guilty.
The Hillmer indictment is a landmark development. For years, cybersecurity misrepresentation was addressed primarily through civil settlements or contract remedies. The government has now demonstrated that it is willing to bring criminal charges against individuals (as well as businesses) for allegedly lying about their security posture.
Today’s post has two aims for every senior manager, compliance officer, executive, and any others who sign off on cybersecurity: (1) sharpen awareness among organizations subject to CMMC 2.0 to avoid potential disruptions or loss of business, and (2) alert organizations across all sectors that attestation-based compliance is rapidly being replaced by strict standards for independent assessments backed by aggressive enforcement from stringent regulators.
From Self-Attestation to Independent Audit: What has changed
CMMC 2.0 establishes three compliance tiers:
Level 1 covers basic safeguards for Federal Contract Information, known as FCI, and requires annual self-assessment.
Level 2 requires full implementation of all 110 security controls in NIST SP 800-171 and, for most contracts, independent certification by a Certified Third-Party Assessment Organization, better known as a C3PAO. A majority of organizations fall within this tier.
Level 3 adds 24 enhanced controls from NIST SP 800-172 and mandates government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center of the Defense Contract Management Agency.
The phased rollout for compliance and enforcement is now under way:
Phase 1 (November 10, 2025): Level 1 and Level 2 self-assessments are required in new DoW solicitations and contracts. The DoW may also require Level 2 Certified Third-Party Assessment Organization certifications at its discretion.
Phase 2 (November 10, 2026): Mandatory Certified Third-Party certification for Level 2 contracts.
Phase 3 (November 10, 2027): Level 3 DIBCAC certifications introduced for the most sensitive programs.
Phase 4 (November 10, 2028): Full CMMC implementation across all applicable Department of War contracts and option periods.
It is critical to note that existing contracts are not permanently exempt. Any renewal, option exercise, or “recompete” competitive bidding triggers CMMC requirements at the applicable phase. Prime contractors are already imposing these requirements on their subcontractors, often well ahead of regulatory deadlines, to protect themselves.
The structural shift from self-attestation is deliberate. If a control is not documented, tested, and demonstrable, auditors will treat it as absent. Claiming otherwise is not only a compliance gap but also can be the predicate for a False Claims Act enforcement action.
Common Internal Risks: Noncompliant systems and “scoping” failures
One of the most common problems that organizations encounter when preparing for CMMC 2.0 is reliance on enterprise tools that are not authorized by the Federal Risk and Authorization Management Program or a FedRAMP equivalent, and that commingle defense-related work with general business operations.
Many organizations have built workflows around familiar commercial platforms without recognizing that those platforms may not meet the security baseline required for handling Controlled Unclassified Information.
As a result, organizations are faced with the daunting task of untangling their existing environments and designing a properly “scoped” CUI enclave. In addition to technical reconfiguration, careful legal analysis is required to evaluate the data in scope, systems that touch that data, and contractual obligations that are implicated. Improper definition, from either a technical or legal standpoint, creates the risk of being targeted for an audit as well as the risk of exposure based on the audit outcome, and can dramatically increase compliance costs.
Counsel should be involved early in defining the enclave boundary. These decisions carry long-term legal consequences. Proper definition is analogous to data mapping exercises required under other regulatory frameworks. However, in the case of defining enclave boundaries, there are the added consequences of contract ineligibility and potential exposure under the False Claims Act when the mapping is wrong.
Common External Risks: False sense of security in MSPs and outsourced IT
Businesses — particularly small and mid-sized organizations — frequently rely on Managed Service Providers for their IT infrastructure, often assuming their MSPs will handle CMMC compliance. In practice, this assumption is one of the most common and costly errors in the Defense Industrial Base.
MSPs vary widely in their understanding of CMMC requirements. A general IT services agreement is not a “compliance program.” Organizations frequently discover, often too late, that their provider’s responsibilities were never formally defined, that key controls were never implemented, and that the business itself bears full legal and regulatory responsibility. Ultimately, the organization — not the MSP — signs the attestation, meaning ignorance is not a defense.
Organizations must scrutinize what the MSP actually does, what the provider is or is not obligated to do under the contract, and who bears the legal risk for any deficiencies. Existing MSP agreements should be reviewed for gaps in risk allocation and to verify whether representations already made to prime contractors or to the government can be substantiated.
Robust risk management is essential, especially as contracts with the government and prime contractors are incorporating more stringent data protection provisions, strict liability clauses, and costly indemnification obligations (which is representative of broader trends seen in contracting across all industries).
Audit Evidence and Timing Challenges: Compliance cannot be “retrofitted”
One of the most underappreciated compliance challenges is timing. Auditors typically expect to review four to six months of evidence to determine whether a security program has been operating as designed. Log data, access reviews, incident response tests, vulnerability scans, and policy enforcement records cannot be manufactured after the fact.
THE MATH IS UNFORGIVING: Phase 2 will begin November 10, 2026. If your audit is six months away, your program needs to be fully operational today. You cannot wait until after the next budget cycle. Even if the audit is three months away, the evidence record may already be too thin for auditors.
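The timing point above can be turned into a concrete check. The following Python script is an added example, not code from the article or from Constangy, and it is not an assessor's tool. It assumes an evidence window of four to six months ending on the Phase 2 date stated above, constructs sample artifact dates for four controls (log archives, vulnerability scans, access reviews, incident-response exercises), and reports for each control how far back its unbroken run of evidence reaches. The key behaviour it demonstrates is that a lapse in an evidence stream resets the clock: artifacts produced before the lapse do not extend the history an auditor can rely on. The per-control maximum-gap values and every sample date are assumptions.

```python
"""Evidence-window check ahead of a CMMC Level 2 assessment (added example).

For each control it finds the unbroken run of evidence artifacts ending at the
audit date and reports whether that run covers the 4- to 6-month history the
article says assessors expect. Thresholds, gap limits and dates are assumptions.
"""
import calendar
from datetime import date, timedelta

PHASE2_START = date(2026, 11, 10)   # Phase 2 date stated in the article
MIN_EVIDENCE_MONTHS = 4             # low end of the article's 4-6 month range
TARGET_EVIDENCE_MONTHS = 6          # high end


def months_before(d: date, months: int) -> date:
    """Calendar date `months` before d, clamped to the target month's length."""
    index = d.year * 12 + (d.month - 1) - months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def latest_program_start(audit_date: date) -> date:
    """Last day an evidence stream can begin and still show the target history."""
    return months_before(audit_date, TARGET_EVIDENCE_MONTHS)


def continuous_history_start(dates, audit_date: date, max_gap_days: int):
    """Earliest date of the unbroken run of artifacts reaching the audit date.

    Two consecutive artifacts more than max_gap_days apart break the run, as
    does a stream that stopped more than max_gap_days before the audit.
    Returns None when there is no current evidence at all.
    """
    ordered = sorted(d for d in set(dates) if d <= audit_date)
    if not ordered or (audit_date - ordered[-1]).days > max_gap_days:
        return None
    start = ordered[-1]
    for i in range(len(ordered) - 1, 0, -1):
        if (ordered[i] - ordered[i - 1]).days > max_gap_days:
            break                      # lapse: earlier artifacts do not count
        start = ordered[i - 1]
    return start


def gaps_in_window(dates, window_start: date, audit_date: date, max_gap_days: int):
    """(from, to) pairs inside the evidence window where the stream lapsed."""
    inside = sorted(d for d in set(dates) if window_start <= d <= audit_date)
    earlier = [d for d in set(dates) if d < window_start]
    left = max(earlier) if earlier else window_start
    boundaries = [left] + inside + [audit_date]
    return [(a, b) for a, b in zip(boundaries, boundaries[1:])
            if (b - a).days > max_gap_days]


def assess_control(name, dates, audit_date: date, max_gap_days: int) -> dict:
    """Classify one control's evidence run against the 4- and 6-month marks."""
    target_start = months_before(audit_date, TARGET_EVIDENCE_MONTHS)
    minimum_start = months_before(audit_date, MIN_EVIDENCE_MONTHS)
    start = continuous_history_start(dates, audit_date, max_gap_days)
    if start is None:
        status = "no-current-evidence"
    elif start <= target_start:
        status = "sufficient"
    elif start <= minimum_start:
        status = "thin"
    else:
        status = "insufficient"
    return {"control": name, "history_start": start, "status": status,
            "gaps": gaps_in_window(dates, target_start, audit_date, max_gap_days)}


def assess_program(evidence: dict, audit_date: date) -> list:
    """evidence maps control name -> (max_gap_days, [artifact dates])."""
    return [assess_control(n, d, audit_date, g) for n, (g, d) in evidence.items()]


# Constructed sample streams (not real client data). Tuple = (max gap, dates).
SAMPLE_EVIDENCE = {
    # daily log archives from April 1 through the day before the audit
    "centralized logging (daily archive)": (
        2, [date(2026, 4, 1) + timedelta(days=i) for i in range(223)]),
    # weekly scans that lapsed for six weeks in late spring, then resumed
    "vulnerability scans (weekly)": (
        10, [date(2026, 3, 2) + timedelta(weeks=i) for i in range(12)]
        + [date(2026, 6, 29) + timedelta(weeks=i) for i in range(20)]),
    # monthly access reviews that only began in September
    "access reviews (monthly)": (
        35, [date(2026, 9, 1), date(2026, 10, 1), date(2026, 11, 1)]),
    # quarterly incident-response exercises running all year
    "incident response exercise (quarterly)": (
        100, [date(2026, 2, 15), date(2026, 5, 15), date(2026, 8, 15)]),
}

if __name__ == "__main__":
    print("latest start for full history:", latest_program_start(PHASE2_START))
    for row in assess_program(SAMPLE_EVIDENCE, PHASE2_START):
        print(f"{row['control']:<40} start={row['history_start']} {row['status']}",
              row["gaps"] or "")
```

With the constructed data, the daily log archive and the quarterly exercises come out as sufficient, the scans come out as thin because the six-week lapse in May and June means only the post-lapse run counts, and the access reviews that began in September come out as insufficient regardless of how many reviews are run between now and the audit. Replacing the sample dates with the real artifact dates from a log archive index, ticketing system or GRC export gives a defensible picture of which streams an organization can actually show at assessment time.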
Under compressed timelines, the immediate priority shifts from building a clean compliance program to managing legal risk. That means an honest assessment of demonstrable capabilities, a clear-eyed inventory of gaps, and documentation of good-faith remediation progress that is legally defensible even if certification is not yet achievable.
Under CMMC, and other regulatory frameworks for cybersecurity, regulators consistently treat documented genuine effort more favorably than silence or misrepresentation.
Exposure risks are both legal and personal
The DOJ’s Civil Cyber Fraud Initiative, launched in 2021, has been accelerating. Several civil settlements in 2025 illustrate the pattern and the financial stakes:
The Hillmer indictment further raises the stakes by introducing criminal liability at the individual level. The charges carry significant potential penalties, including up to 20 years in prison on each wire fraud count alone. The government’s theory is straightforward: knowingly misrepresenting compliance to win or retain government business, especially while directing others to participate, is criminal fraud and not just a contract dispute.
Under the False Claims Act, civil liability does not require a cyber breach. A contractor that certifies NIST SP 800-171 compliance when controls are not actually in place may face treble damages and per-claim civil penalties, even if no data was ever compromised. Annual affirmation requirements under CMMC 2.0 mean that each affirmation is a fresh representation to the government and a fresh point of potential exposure.
Prime contractors are responding by pushing compliance responsibility to their subcontractors, and inserting termination and indemnification clauses tied to cybersecurity performance. The DFARS 252.204-7012 clause already requires incident reporting within 72 hours. That means the organization is under a contractual obligation to have functional logging and incident response capabilities.
These reporting obligations are representative of wider trends across cybersecurity, with both statutory and contractual requirements increasingly imposing stricter notification demands within uncompromisingly short timeframes.
What to do now
Organizations should be taking the following steps immediately:
Conduct a gap analysis against NIST SP 800-171 and the applicable CMMC level. Understand precisely where the program stands before making any representations to prime contractors or to the government.
Prioritize high-impact cybersecurity controls. Multi-factor authentication, centralized logging, access management, encryption, and incident response capabilities are all industry-standard practices and are expected to be in place.
Carefully delineate your CUI boundary, and proactively involve legal counsel. Narrowing the boundary reduces audit complexity and cost, whereas scoping it incorrectly can create a wide array of new risks.
Audit the allocation and flow of compliance obligations in existing contracts with the government, prime contractors, and subcontractors. Scrutinize managed service provider agreements in particular for gaps in responsibility and risk allocation.
Start building evidence trails immediately. Auditors require months of operating history. Every day without a functioning, documented program means losing evidence that cannot be recovered, in addition to compounding amounts of time and effort required to satisfactorily complete an audit.
Review all representations already made to your prime contractors or to the government. If prior attestations are not fully supportable, understand your exposure and what actions may be necessary before the next assessment cycle.
These steps demand close coordination between technical and legal teams, meaning that counsel must be engaged at the outset and not as a final review step. The decisions made now about scoping, documentation, attestations, and vendor relationships will determine potential legal exposure. The Hillmer indictment is a reminder that cybersecurity compliance has become a matter of personal, not just corporate, liability.
Organizations that act with discipline and proper guidance will protect their people and contracts, thereby protecting their revenue and operational success.