On Sept. 10, 2025, the U.S. Department of Defense (DOD) completed the Cybersecurity Maturity Model Certification (CMMC) rulemaking process. In an amendment to the Defense Federal Acquisition Regulation Supplement (DFARS), the final rule (DFARS rule) establishes DFARS policies, contract clauses, and other provisions to implement the program’s requirements. On Nov. 10, 2025, CMMC becomes effective and will begin appearing in DOD solicitations. This leaves many DOD contractors facing a stark truth: with CMMC implementation deadlines in place, delaying compliance is no longer risky — it’s setting your organization up for failure. Start working toward compliance now to ensure you’re qualified to bid in the months to come.
The CMMC framework
The CMMC framework was developed by the DOD to ensure that contractors and subcontractors in the Defense Industrial Base (DIB) adequately protect sensitive government information, specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It sets in place tiered cybersecurity requirements that organizations must meet to be eligible for DOD contracts. CMMC builds on existing standards such as NIST SP 800-171 and introduces a certification process to validate compliance. The DFARS rule establishes three levels for the CMMC model.
- Level 1 is the foundational level for companies that handle FCI only in unclassified contractor information systems. It requires the 15 basic cybersecurity controls specified in FAR 52.204-21 and a current self-assessment. A self-assessment is current if it was performed within the past year.
- Level 2 is the advanced level for companies that handle CUI in unclassified contractor information systems. It requires organizations to meet level 1 requirements and be in full compliance with the NIST SP 800-171 cybersecurity framework. A current self-assessment or CMMC Third-Party Assessor Organization (C3PAO) certification is required, with the applicable certification depending on DOD risk requirements. A CMMC level 2 assessment is current if it was performed within the past three years, there have been no changes in compliance, and the contractor’s affirming official affirms continuous compliance within the past year.
- Level 3 is the expert level for companies working on the most sensitive DOD programs. It requires organizations to meet level 2 requirements plus 24 additional controls established in the NIST SP 800-172 framework. It requires a government-led certification assessment.
CMMC applies to all contractors and subcontractors in the DIB (other than contracts exclusively for commercially available off-the-shelf (COTS) software), as well as any organization that stores, processes, or transmits FCI or CUI on behalf of the DOD. This includes prime contractors, subcontractors, and vendors — even small businesses.
The CMMC rollout
DOD is implementing the CMMC framework through a four-phase process.
- Phase 1: Beginning Nov. 10, 2025, the DOD will include level 1 and level 2 self-assessment requirements in applicable solicitations and new contracts as a condition of contract award. The DOD has discretion to include C3PAO certification assessment requirements. This means that contractors bidding on certain contracts must conduct at least a basic CMMC self-assessment and upload the results into the Supplier Performance Risk System (SPRS). Contracting officers aren’t permitted to make an award to an offeror that lacks a current CMMC status in SPRS at the level required by the solicitation.
- Phase 2: Beginning Nov. 10, 2026, phase 1 requirements remain mandatory, and contracts involving CUI will in most cases require a third-party CMMC level 2 certification by an accredited C3PAO as a condition of winning the award. Self-attestations will no longer suffice for CUI; the government wants independent validation of cybersecurity. For levels 2 and 3, a conditional CMMC status may be accepted for up to 180 days (per the 32 CFR references implemented in DFARS), with final status achieved upon closeout of the plan of action and milestones.
- Phase 3: Beginning Nov. 10, 2027, phase 1 and phase 2 requirements are mandatory. This phase also introduces level 3 assessments conducted by the DOD’s Defense Industrial Base Cybersecurity Assessment Center team for the highest-risk contracts involving the most sensitive information.
- Phase 4: Beginning Nov. 10, 2028, the DOD will incorporate CMMC requirements into all applicable solicitations and contracts. At this point, every applicable DOD solicitation or contract will include the required CMMC level as a condition of award, flowing down to subcontractors as needed. DFARS clause usage in contracts shifts from “program-determined” during the first three years to a broader prescription beginning three years and one day after the effective date (excluding awards solely for COTS items).
The cost of waiting: Missed contracts and a scramble for scarce resources
Waiting until the last minute to address CMMC compliance could put your business in jeopardy. The most immediate risk is loss of business opportunities. Once CMMC requirements appear in solicitations, you’ll need to have a self-assessment or certification in the SPRS to be eligible to bid or win those contracts. The CMMC requirements also apply to contract renewals. The DOD has made clear that CMMC is a pass/fail requirement — no certification means no contract. If your company relies on defense contracts, being caught unprepared could result in a significant revenue loss.
Note that if you try to “wing it” at the last minute, you could face legal and financial perils leading to lost contracts, future debarment, and False Claims Act liability for misrepresenting your cybersecurity posture. For example, in the recently concluded MORSECORP case, a DOD contractor falsely claimed compliance with federal cybersecurity standards under the CMMC framework. Under a False Claims Act prosecution, the Department of Justice (DOJ) asserted that MORSE submitted a System Security Plan (SSP) and a SPRS score of 104 for its implementation of the NIST SP 800-171 security controls, but a third-party audit revealed a score of -142, indicating severe noncompliance. In addition, the company failed to fully implement required cybersecurity controls, used noncompliant cloud services, and lacked proper documentation. The outcome? The case was resolved with a $4.6 million settlement, and the whistleblower — MORSE’s former head of security — received $851,000 under the False Claims Act’s qui tam provisions. As illustrated by this case, the DOD and DOJ are taking false attestations seriously. Pretending to comply isn’t an option — you either meet the requirements, or you don’t, and the consequences of not meeting them are severe.
Schedule carefully: Certification takes time
The importance of starting now can’t be stressed enough. Achieving CMMC certification (especially level 2) isn’t an overnight task — it requires policies, technical controls, possibly new tools, workforce training, and an assessment process. This takes time and resources. If you delay, you could be joining hundreds of companies simultaneously scrambling for qualified C3PAOs and consulting help. It’s far more cost-effective to spread the effort out calmly now than to pay expediting fees or suffer business downtime in a rushed effort later.
Prime contractors are already demanding compliance
It’s important to note that many of the largest defense prime contractors are already pushing CMMC (or equivalent security) requirements down their supply chains today, and several have drawn a line in the sand telling suppliers handling CUI they should be meeting level 2 requirements.
As CMMC rolls out, don’t expect that the prime contractors will be content with vague assurances; they’ll want evidence and proof of certification — not promises — from their vendors. Many are preparing contingency plans to replace suppliers that aren’t ready, so if you assume a longstanding customer will keep you around despite your cybersecurity gaps, you may be in for a rude awakening.
Another area to consider is what level of certification is sufficient. Self-attestation is on the way out for many large prime contractors as they move to validated third-party evidence of cybersecurity. Be ready for questions like: Have you scheduled a CMMC assessment? Which C3PAO will do it? What’s your current NIST SP 800-171 SPRS score?
Also, if you’re a COTS product vendor, you may feel that you’re technically exempt from CMMC. However, a COTS label won’t protect you if your customer decides a weak cybersecurity posture is an unacceptable supply chain risk. The bottom line is that even if you’re a small subcontractor or a vendor not directly handling CUI, you may be asked by your customers to show at least level 1 basic cyber hygiene.
Cybersecurity is becoming a universal requirement across government and the private sector
Cybersecurity is no longer just a best practice — high-profile breaches and growing threats have pushed regulators to demand stronger baseline protections across government departments and the private sector. A key development is the upcoming Federal Acquisition Regulation (FAR) rule on CUI, which will require all federal contractors — not just those in defense — to implement NIST SP 800-171 controls. This aligns closely with CMMC level 2 requirements, signaling a governmentwide shift toward standardized cybersecurity expectations. Beyond federal contracts, the private sector is also steadily tightening security standards. In short, early CMMC compliance not only prepares you for DOD contracts — it positions your organization to meet broader regulatory demands and thrive in a security-conscious marketplace.
Early CMMC compliance pays off
Getting ahead of CMMC requirements isn’t just about avoiding penalties — it’s a strategic move that can deliver real business value. Consider the following factors as you evaluate your future compliance posture.
- Cost efficiency: Early action helps avoid last-minute chaos, higher implementation costs, and resource bottlenecks when demand spikes.
- Competitive advantage: Certified suppliers stand out. Demonstrating CMMC level 2 readiness can win favor with prime contractors and open doors to new opportunities.
- Supply chain security: Early compliance signals reliability, helping you maintain and strengthen relationships with prime contractors that are prioritizing supply chain security.
- Stronger cyber defense: Implementing controls now reduces the risk of breaches, ransomware, and costly downtime for your own company. It’s not just compliance — it’s protection.
- Operational readiness: A phased approach allows for smoother integration, better training, and fewer disruptions. You’ll be prepared when CMMC is fully phased in.
- Future-proofing: CMMC aligns with emerging regulations like the FAR CUI rule and industry standards. Early adopters will be well-positioned to meet broader compliance demands in the years to come.
The clock is ticking
The cybersecurity landscape is evolving rapidly, and CMMC is at the forefront of the shift to more rigorous standards. The rollout has started, and the window for a smooth, strategic transition is closing. Early adopters are already gaining ground, winning contracts, earning trust, and building resilience. What about you? By acting early, you’ll position your organization as a trusted, secure, and forward-thinking partner — ready to meet today’s requirements and tomorrow’s challenges.