The Rhythmic Blog
Navigating CMMC Compliance in 2025
The Cybersecurity Maturity Model Certification (CMMC) represents a fundamental shift in Department of Defense (DoD) cybersecurity requirements. While the program currently operates on a voluntary basis, mandatory requirements are expected to begin appearing in contracts in 2025. This change means defense contractors must move beyond documenting security policies to actively demonstrating their controls protect sensitive information. For organizations just starting their CMMC journey, understanding the framework’s requirements, its current status, and available implementation tools is crucial.
Understanding the Basics
CMMC establishes clear security baselines for companies working with the DoD. At its core, CMMC requires defense contractors to implement specific security practices across 17 capability domains, ranging from access control to system monitoring. Unlike previous self-attestation models, CMMC mandates third-party verification of these security controls. Companies must achieve one of three certification levels, based on the sensitivity of information they handle:
- Level 1 (Basic Cyber Hygiene) focuses on the protection of Federal Contract Information (FCI). This foundational level requires implementation of 17 practices corresponding to the basic safeguarding requirements specified in FAR Clause 52.204-21. At this level, organizations demonstrate basic cyber hygiene through annual self-assessment and affirmation of compliance.
- Level 2 (Intermediate Cyber Hygiene) addresses the protection of Controlled Unclassified Information (CUI) and encompasses all 110 security requirements from NIST SP 800-171 Rev 2. Organizations at this level must undergo either a self-assessment or certification by a C3PAO every three years (as specified in the solicitation), depending on the type of information processed, transmitted, or stored on their systems. Annual affirmations verifying compliance are also required.
- Level 3 (Good Cyber Hygiene) is designed for critical defense programs requiring protection against Advanced Persistent Threats (APTs). This highest level builds on Level 2 certification and introduces additional requirements from NIST SP 800-172. Organizations must achieve a final Level 2 status first, then undergo assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), along with annual affirmations verifying compliance with 24 identified requirements from NIST SP 800-172.
Two key differences separate CMMC from traditional cybersecurity frameworks. First, CMMC eliminates self-certification for higher levels, requiring verified proof that security controls work rather than simple documentation. This shift means companies can’t just write policies and hope for the best. Second, CMMC builds compliance into contract requirements. Unlike frameworks like SOC 2 or ISO 27001, where certification is often optional, CMMC makes security standards mandatory for defense contracts. Companies that want to work with the DoD must meet these standards before they can bid on contracts.
The CMMC Program also allows limited use of Plans of Action and Milestones (POA&Ms) for Levels 2 and 3, giving organizations 180 days to address identified gaps after receiving a Conditional CMMC Status. However, POA&Ms are not permitted for Level 1, and certain critical requirements cannot be deferred at any level.
Current State and Implementation
CMMC stands at a key transition point in 2025. While the program is currently in effect and operating on a voluntary basis, mandatory requirements are on the horizon. The DoD expects to publish the final 48 CFR rule by summer 2025, which will trigger the official phased rollout of CMMC requirements in defense contracts. More than 30 Certified Third Party Auditing Organizations (C3PAOs) are currently authorized to conduct assessments, and many report months-long backlogs as companies prepare for certification. The program expects to certify at least 500 Level 2 contractors by year's end, creating competitive pressure for organizations that haven't started their certification journey.
Contractors need to take several practical steps to prepare for CMMC Level 2 certification. First, assess your current security practices against the CMMC model’s 110 practices across the 17 domains. Document how your organization handles CUI and identify all systems that store, process, or transmit this data. Next, implement required technical controls spanning access management, system monitoring, and incident response. Develop and maintain security policies and procedures that demonstrate your organization’s mature cybersecurity practices.
How Rhythmic Supports CMMC Compliance
AWS has built a comprehensive foundation for CMMC compliance through FedRAMP-authorized services across both commercial and GovCloud environments, with built-in tools to automate security configurations and monitor compliance. At Rhythmic, we help organizations take full advantage of these capabilities through a comprehensive approach that starts with properly architected infrastructure.
We build CMMC-ready environments from the ground up using Infrastructure as Code (IaC) and GitOps practices. This approach ensures consistent, reproducible infrastructure that meets security requirements from day one. By implementing multi-account strategies and automated deployment pipelines, we create isolated environments that align with CMMC controls while streamlining your operational workflow. We leverage advanced management tools like AWS Systems Manager for systematic compliance management, making security a built-in feature rather than an add-on.
Our approach to continuous monitoring and security maintenance goes beyond basic dashboard checks. We understand that effective infrastructure monitoring means feeling the rhythm of your systems—detecting even subtle variations that could impact your security posture. This deep understanding helps us maintain CMMC compliance while maximizing system availability and reliability without introducing unnecessary burden and noise.
We achieve this through a comprehensive monitoring strategy that supports CMMC requirements:
- Implementation of advanced visualization tools, dashboards, and Application Performance Monitoring (APM) to enhance security observability
- Collaboration with your engineering teams to ensure appropriate security logs and telemetry are collected across all infrastructure components
- Establishment of layered security alerts with specific thresholds and anomaly detection guided by compliance requirements
- Continuous optimization of monitoring systems to improve coverage while maintaining compliance with CMMC controls
- Development of detailed incident response processes and documentation, including security runbooks and compliance-focused operational procedures
This proactive approach leverages AWS’s built-in security tools alongside our managed services expertise to protect your data and maintain your compliance posture over time.
As the DoD moves toward mandatory CMMC requirements in 2025, organizations need more than just documentation and basic security tools—they need infrastructure built for compliance and sustainability. By implementing robust security controls through proven cloud infrastructure, supported by continuous monitoring and proactive maintenance, contractors can focus on their core mission while maintaining the security standards that protect our nation’s defense information.
Photo credit: Department of Defense, CIO