The U.S. Department of Defense (DoD) introduced its Cybersecurity Maturity Model Certification (CMMC) program in early 2020 to strengthen cybersecurity across the Defense Industrial Base (DIB) and ensure that contractors handling Controlled Unclassified Information (CUI) meet strict cybersecurity standards defined by the National Institute of Standards and Technology (NIST).
On November 10, 2025, the DoD’s final acquisition rule for the CMMC program officially took effect, meaning DoD contracts will begin to include mandatory CMMC requirements that will phase in over the next few years.
CMMC has three levels, and the requirements vary by level. CMMC Level 1 has 15 controls and is required for contracts with only Federal Contract Information (FCI) but no CUI. The contractor must perform a self-assessment; no third-party assessment is required. CMMC Level 2 has 110 controls and aligns with NIST SP 800-171 controls. It is required for contracts with CUI. Many contracts will require a CMMC Level 2 certification via a third-party assessment by a CMMC Third-Party Assessor Organization (C3PAO). Finally, CMMC Level 3 requires 24 additional enhanced security controls, and all contracts will require a third-party assessment.
The new CMMC timeline
The DoD plans to roll out CMMC over the next several years. Here is what each phase means for contractors handling CUI and the current timeline:
- Phase 1 has already started, and contractors handling CUI must self-assess that they meet CMMC Level 2 to qualify for DoD contracts. The DoD may also require third-party audits for Level 2 in some cases.
- Phase 2 will begin in November 2026, and Level 2 contracts will require third-party certification rather than just self-assessment.
- Phase 3 will begin in November 2027, and CMMC Level 3 third-party certifications will be required for all new contracts unless delayed. The DoD may delay CMMC Level 3 requirements to option periods for some contracts.
- Phase 4 is the last phase and starts in November 2028. CMMC requirements will apply to all applicable contracts.
What this means now for contractors
If your organization handles CUI or FCI, future solicitations will include CMMC requirements. To prepare, focus on these steps:
- Verify cloud compliance: CMMC requires FedRAMP Moderate (or an equivalent) for any cloud service that stores or processes CUI. Organizations that use cloud service providers should evaluate each of their cloud service contracts and verify that the provider has FedRAMP Moderate certification.
- Define your CUI environment: Map where CUI resides, and identify the systems, networks, applications and users that interact with it.
- Review all 110 Level 2 controls: Identify gaps, note which categories need additional support and prioritize remediation. Some of the Level 2 categories include Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU) and Configuration Management (CM).
- Document everything: Maintain clear records of access policies, audits and configurations. Whether you’re doing a self-assessment or preparing for a third-party assessment, having clear documentation will reduce the amount of time it takes to achieve full CMMC compliance.
Why privileged access management matters and how Keeper can help
Privileged Access Management (PAM) solutions manage and secure accounts that have permissions to access highly sensitive systems and data, reducing the risk of cyber attacks. A PAM solution can help organizations meet many of the CMMC controls, particularly those related to Access Control (AC), Identification and Authentication (IA) and System and Communications Protection (SC).
A typical security team today often lacks full visibility into the strength of the organization’s password posture. Keeper Security Government Cloud (KSGC) closes that gap by providing visibility into password reuse and compromised credentials, and by enabling organizations to set and monitor password policies. KSGC also monitors and alerts administrators to weaknesses, enabling proactive risk management before cyber incidents occur.
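The password-posture checks described above (reuse across accounts, exposure in a breach corpus, and policy monitoring) can be illustrated with a small audit script. This is an added example, not Keeper's code: the credential inventory and the breached-hash set are constructed sample data, and the breach lookup is a local stand-in for a k-anonymity range query against a real breach corpus.

```python
import hashlib
from collections import defaultdict

# Constructed sample inventory of (account, password): illustrative only.
# A real audit works from vault hashes, never from plaintext passwords.
INVENTORY = [
    ("svc-backup", "Winter2024!"),
    ("admin-jdoe", "Winter2024!"),            # same password as svc-backup
    ("admin-asmith", "correct horse battery staple"),
    ("svc-etl", "password"),                  # appears in the breach set
    ("jdoe", "Tr0ub4dor&3"),                  # shorter than the policy minimum
]

def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a breached-password corpus, keyed by the first five
# hex characters of the SHA-1 so lookups mirror the k-anonymity range model:
# the client sends only the prefix and compares suffixes locally.
_BREACHED = {sha1_hex(p) for p in ("password", "123456", "Summer2023")}
BREACH_RANGES = defaultdict(set)
for _h in _BREACHED:
    BREACH_RANGES[_h[:5]].add(_h[5:])

def range_lookup(prefix: str) -> set:
    """Return suffixes of breached hashes that share this 5-char prefix."""
    return BREACH_RANGES.get(prefix, set())

def audit(inventory, min_length=12):
    """Return {account: [findings]} for reuse, breach exposure and policy."""
    accounts_by_hash = defaultdict(list)
    for account, pw in inventory:
        accounts_by_hash[sha1_hex(pw)].append(account)
    findings = defaultdict(list)
    for account, pw in inventory:
        h = sha1_hex(pw)
        if h[5:] in range_lookup(h[:5]):
            findings[account].append("compromised")
        if len(accounts_by_hash[h]) > 1:
            findings[account].append("reused")
        if len(pw) < min_length:
            findings[account].append("below_min_length")
    return dict(findings)

if __name__ == "__main__":
    for account, issues in sorted(audit(INVENTORY).items()):
        print(f"{account}: {', '.join(issues)}")
```

Accounts with no findings are omitted from the result, so an empty dict means the inventory passes all three checks.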
KSGC is FedRAMP High Authorized, making it a strong fit for DoD contractors needing to protect sensitive information. Keeper helps businesses comply with these evolving CMMC controls by addressing key password security and access management requirements, reducing the burden of demonstrating compliance with CMMC controls.
To help organizations understand where Keeper fits into the CMMC framework, Keeper recently worked with a third-party CMMC expert to map Keeper’s capabilities to specific CMMC controls. That expert, Jacob Hill, is the CEO of TEKFused, which is a company that offers Governance, Risk and Compliance (GRC) certifications. Hill has 17+ years of experience, a master’s degree in cybersecurity from WGU and several certifications, including CMMC Certified Assessor, CMMC Provisional Instructor, CISSP-ISSEP and CySA+. He has also published CVEs, and his security research has been featured by Brian Krebs and Infosecurity Magazine.
By combining intentional cybersecurity practices, strong access management policies and platforms like KSGC, contractors can accelerate readiness, stay ahead of compliance requirements and be ready for DoD contracts. Request a demo today to learn more.