The Department of War has started implementing Cybersecurity Maturity Model Certification (CMMC) 2.0 requirements in select new contracts as of November 10, 2025, according to a blog post from Amazon Web Services.

The rollout follows the finalization of federal regulations establishing the CMMC program. The 32 CFR CMMC Final Rule was published October 15, 2024, and became effective December 16, 2024. The 48 CFR rule integrating CMMC requirements into the Defense Federal Acquisition Regulation Supplement has also been completed.

Under the new framework, all contracts involving Federal Contract Information and Controlled Unclassified Information will require cybersecurity assessments of contractors and subcontractors. Organizations must achieve certification before contract awards, marking a shift from previous practices.

The Defense Industrial Base affected by these requirements includes organizations in aerospace, defense satellite, healthcare, manufacturing, and higher education that conduct business with the Department of Defense. Full implementation is expected by fiscal year 2028.

Prime contractors must ensure their subcontractors meet appropriate CMMC levels, creating compliance requirements throughout supply chains. The framework restricts Plans of Action and Milestones, requiring organizations to demonstrate proactive compliance rather than reactive planning approaches.

CMMC 2.0 requires ongoing maintenance of cybersecurity practices through continuous monitoring, moving beyond traditional point-in-time certification models. Organizations must conduct gap analyses, develop compliance strategies, work with certified third-party assessment organizations, and implement training programs to meet requirements.