
CMMC 2.0 Compliance Guide: Navigating New DoD Requirements


Securance has more than two decades of experience helping organizations combat evolved cyber threats, build effective risk management programs, align with compliance standards, and increase operational efficiency. Our comprehensive approach integrates proven methodologies, dependable expertise, and each customer’s unique requirements to maximize the benefits and long-term value of each assessment.

INTRODUCTION

To help the Department of Defense (DoD) protect controlled unclassified information (CUI) within its supply chain, about 300,000 defense suppliers that are part of the Defense Industrial Base (DIB) must now comply with rigorous cybersecurity standards before being eligible to win DoD contracts. Subcontractors will also be expected to comply with the appropriate maturity level. To meet this challenge, in 2020, the federal government announced the Cybersecurity Maturity Model Certification (CMMC) 1.0, a framework for protecting data handled by defense contractors from cyber attacks. CMMC guidelines are still not finalized, and much remains unknown. In response to almost 1,000 public comments, in late 2021, the DoD decided to make compliance easier and less costly by introducing CMMC 2.0, which significantly streamlined the requirements of CMMC 1.0. As of this writing (June 2022), the rulemaking process is still ongoing, and CMMC 2.0 is expected to be finalized by the end of 2022. In the interim, this guide will help answer some questions and provide clarity around CMMC 2.0 standards and the expectations, costs, and hurdles that come with them.

CMMC 2.0 should alleviate many of the compliance hurdles contractors face, but implementation issues persist.
