Overview of DOD Cybersecurity Model Certification 2.0 – Updated October 2025

The document provides an overview of the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) 2.0, which establishes revised standards to ensure contractors—including universities working with Controlled Unclassified Information (CUI) or Federal Contract Information (FCI)—appropriately protect sensitive data. CMMC 2.0 simplifies compliance by reducing certification levels from five to three, allowing for self-assessment at lower levels, and aligning more closely with NIST SP 800-171 standards, with conditional certification options and phased implementation starting November 2025. The document details new scoping guides, assessment procedures, implementation phases, and factors influencing compliance costs, emphasizing the importance of resource planning and providing guidance and resources for affected organizations.