CMMC 2.0 for Texas defense contractors: What you need to know
If you're a defense contractor in Central Texas—or anywhere else—CMMC compliance just became mandatory. Not "coming soon." Not "under consideration." Mandatory, as of November 2025.
The Department of Defense published the final CMMC 2.0 rule in September 2025, and contract clauses started appearing in November. If you do business with the DoD, or you're a subcontractor for someone who does, this affects you.
Let me cut through the acronyms and tell you what actually matters.
What is CMMC and why does it exist?
CMMC stands for Cybersecurity Maturity Model Certification. It's the DoD's way of making sure contractors actually protect sensitive information instead of just saying they do.
For years, defense contractors self-certified compliance with NIST 800-171 security requirements. Problem: a lot of contractors weren't actually compliant, adversaries kept stealing defense data, and the DoD got tired of it. So they created CMMC to add third-party verification.
Translation: You can't just check a box anymore. Someone's going to verify you actually did the work.
The three levels (and which one applies to you)
CMMC has three tiers based on what kind of data you handle:
| Level | Data Type | Requirements | Assessment |
|---|---|---|---|
| Level 1 | Federal Contract Information (FCI) only | 15 basic security practices | Self-assessment |
| Level 2 | Controlled Unclassified Information (CUI) | All 110 NIST 800-171 requirements | Self-assessment or third-party assessment by a C3PAO (Certified Third-Party Assessment Organization) |
| Level 3 | Critical national security programs | 110+ requirements with advanced protections | Government assessment by DIBCAC (the DoD's Defense Industrial Base Cybersecurity Assessment Center) |
Most contractors will need Level 2. The DoD estimates 62% will be Level 1, but if you touch anything marked CUI, you're Level 2. That includes technical data, export-controlled information, acquisition documents, and a bunch of other categories.
Key point: If you already have DFARS 252.204-7012 in your contracts (the NIST 800-171 clause), you're heading toward Level 2. CMMC doesn't add technical requirements—it adds verification.
The rollout timeline
The DoD is phasing this in over three years:
Phase 1 (November 2025 - November 2026): Self-assessments for Level 1 and Level 2. Some contracts may require third-party assessments at DoD's discretion.
Phase 2 (November 2026 - November 2027): Third-party assessments by a C3PAO (Certified Third-Party Assessment Organization) become the standard for Level 2.
Phase 3 (November 2027+): Level 3 requirements kick in for high-priority programs.
Here's the catch: prime contractors aren't waiting for Phase 2. They're already telling subs to get certified now. If you wait until your contract renewal, you might find yourself scrambling while your competitors already have their certification.
What Level 2 actually requires
Level 2 is built on NIST 800-171, which covers 110 security requirements across 14 families. In plain English, you need to:
- Control who accesses your systems. Multi-factor authentication, least privilege access, audit logs.
- Protect data in transit and at rest. Encryption for CUI, secure communications.
- Monitor and respond to threats. Security monitoring, incident response plans, vulnerability management.
- Manage your supply chain. Vet vendors, flow down requirements to subs.
- Train your people. Security awareness for everyone handling CUI.
If that sounds like a lot, it is. The average time to prepare for a Level 2 assessment is 6-12 months. That's not scare tactics—it's reality for organizations starting from scratch.
The Plan of Action and Milestones (POA&M) option
Here's a lifeline: you can get conditional certification if you're not 100% compliant yet. Document what you haven't met in a POA&M, show how you'll fix it, and you get 180 days to close the gaps.
This isn't a free pass—you still need to meet most requirements. But it gives you a way to bid on contracts while you're finishing the work.
Important: POA&Ms have limits. You can't POA&M your way around major security gaps. And that 180-day clock is firm—miss it and your certification is gone.
What this means for Texas contractors
Central Texas has a strong defense contracting presence—Fort Cavazos (formerly Fort Hood), aerospace suppliers, IT services, manufacturing. If you're in that ecosystem, CMMC affects you.
If you're a prime: Your contracts will specify CMMC requirements. You need to flow those down to subs and verify they're compliant. The DoD isn't interested in excuses about your supply chain.
If you're a sub: Your primes are going to ask for proof of certification. Some already are. Being the cheapest bid won't matter if you can't show CMMC compliance.
If you're thinking about defense work: Factor CMMC prep into your decision. It's not impossible, but it's not free either—budget time and money.
How to get started
Step 1: Figure out your level
Look at your active contracts and what data you handle. If you're not sure whether something is CUI, assume it is until you verify otherwise.
Step 2: Do a gap assessment
Compare your current security posture against NIST 800-171 (for Level 2) or the 15 basic practices (for Level 1). Be honest. Most contractors find gaps.
Step 3: Build your plan
Prioritize fixes based on risk and contract timelines. Some things (like multi-factor authentication) are quick wins. Others (like rebuilding your network architecture) take months.
Step 4: Document everything
Assessors want evidence. Policies, procedures, configurations, audit logs, training records. If it's not documented, it doesn't count.
Step 5: Get assessed
For Level 2 self-assessments, you score yourself and upload the results to SPRS (the DoD's Supplier Performance Risk System). For C3PAO assessments, you hire a certified third-party assessor who validates your compliance.
The cost question
Everyone wants to know: what does this cost? Honest answer: it depends on where you're starting from.
If you're already mostly compliant with NIST 800-171, you might just need documentation cleanup and an assessment. Budget $20K-$50K for a third-party assessment, plus whatever remediation you need.
If you're starting from scratch, figure 6-12 months of effort and anywhere from $50K to $200K+ depending on your environment's complexity, whether you need consultants, and how much you can do in-house.
Expensive? Yes. More expensive than losing DoD contracts? No.
Common mistakes to avoid
Waiting until your contract renewal. Start now. Your competitors are.
Treating this like a checklist. CMMC assessors dig into your actual implementation. Having a policy isn't enough—you need to prove you follow it.
Assuming your IT person can do this alone. Unless they've done NIST 800-171 compliance before, they probably need help. This is specialized work.
Ignoring your subcontractors. If you're a prime, your subs' compliance is your problem. Verify it before contracts are on the line.
Bottom line
CMMC is here. It's mandatory. And if you want to keep doing defense work, you need to deal with it.
The good news: plenty of contractors are figuring this out, and the framework is clearer now than it was a year ago. The DoD wants you to succeed—they need a strong industrial base. But they're serious about security, and they're done with self-attestation theater.
Start your gap assessment. Build your plan. Get certified before your competitors do.
Need help with CMMC compliance?
We help Texas defense contractors conduct gap assessments, build compliance roadmaps, and prepare for CMMC certification.