TL;DR: CMMC 2.0 entered enforcement on November 10, 2025, and DoD contractors handling FCI or CUI now need to demonstrate the right maturity level through self-assessment, third-party assessment, and current SPRS evidence, according to Exostar. The compliance question has shifted from whether controls exist to whether they are operationalised, documented, and sustainable over time.
NHIMG editorial — based on content published by Exostar: CMMC Maturity Levels: How CMMC 2.0 Affects Cybersecurity Maturity
By the numbers:
- As of November 10, 2025, CMMC 2.0 officially entered its enforcement phase.
- CMMC Level 1 applies 15 basic cybersecurity requirements and an annual self-assessment.
- CMMC Level 2 requires compliance with all 110 cybersecurity controls from NIST SP 800-171.
Questions worth separating out
Q: What breaks when CMMC maturity is treated as a paperwork exercise?
A: Treating CMMC as paperwork creates stale evidence, inconsistent control operation, and weak accountability across teams and suppliers.
Q: Why do IAM and privileged access controls matter in CMMC programmes?
A: IAM and privileged access controls matter because they shape whether security processes remain effective between assessments.
Q: How do organisations know if their CMMC programme is actually working?
A: A working CMMC programme produces current SPRS data, complete SSPs, tracked remediation, and consistent control ownership across teams.
Practitioner guidance
- Confirm the required CMMC level for each contract Map each DoD solicitation to the applicable level before work begins, then align internal control scope, evidence collection, and assessment planning to that requirement.
- Keep SPRS scores and evidence current Refresh SPRS inputs, System Security Plans, and remediation records on a recurring cadence so the score reflects the current control state rather than a stale assessment snapshot.
- Tighten POA&M governance Track every POA&M to a named owner, expiry date, and closure path, and escalate items that cannot be resolved within the limited time window permitted under CMMC.
What's in the full article
Exostar's full blog covers the operational detail this post intentionally leaves for the source:
- How the CMMC Final Rule maps to Level 1, 2, and 3 assessment expectations across DoD solicitations.
- How the Certification Assistant calculates SPRS scores and structures SSP and POA&M workflows.
- How Managed Microsoft 365 and GCC High handling support CUI-related operating requirements.
- How the dashboards present compliance status across teams, suppliers, and contracts.
👉 Read Exostar's blog on CMMC maturity levels and DoD contract eligibility →
CMMC maturity levels and contract eligibility: what teams must prove?
Explore further
CMMC maturity is becoming an evidence problem, not only a control problem. The article correctly frames maturity as repeatability, documentation, and operational consistency, which is where many programmes fail in practice. That shifts the burden from one-time compliance projects to sustained governance. For practitioners, the real question is whether control operation can be proven continuously, not whether the control exists on paper.
A question worth separating out:
Q: Who is accountable when CMMC gaps remain open past the remediation window?
A: Accountability sits with the control owner, programme lead, and executive sponsor who accepted the gap. Because POA&Ms are time-bound, unresolved items should be escalated through formal risk governance rather than left open indefinitely. For regulated defence work, indefinite exception management is a maturity failure, not a temporary inconvenience.
👉 Read our full editorial: CMMC 2.0 maturity levels now shape DoD contract eligibility