Pentagon begins enforcing CMMC compliance, but readiness gaps remain
An amendment to the Defense Federal Acquisition Regulation Supplement went into effect Monday, officially mandating that all Defense Department solicitations and contracts include requirements for Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0).
And while the road to get CMMC 2.0 across the finish line has been six years in the making, there are still disparities among the defense industrial base’s readiness to validate the cybersecurity controls required by the program.
Experts told DefenseScoop that those gaps are largely fueled by CMMC’s controversial history, misconceptions of what the rule change means and challenges in proving compliance.
“You could say a lot of things about CMMC, but you can’t say you didn’t see it coming,” Ryan Heidorn, chief technology officer for C3 Integrated Solutions, told DefenseScoop. “I look out over the next 12 months, and I think we are going to see a lot of scrambling within the defense industrial base and within DOD as we try to get our feet under us in terms of what this phased rollout is actually going to mean.”
Controversy and confusion
CMMC 2.0 is a three-tiered cybersecurity framework that requires defense contractors working with federal contract information (FCI) or controlled unclassified information (CUI) to have proper security controls based on how sensitive the data they’re handling is. When bidding on new contracts, companies will have to prove that their networks — as well as those of their entire supply chain — meet one of the three levels of compliance outlined by CMMC.
The program was created in 2019 by the first Trump administration as a mechanism to ensure defense contractors are properly safeguarding the Pentagon’s sensitive data from being accessed by adversaries.
However, CMMC’s contentious history has caused a portion of the industrial base to adopt a “wait-and-see” mentality — with some even denying the program would happen at all, according to Jacob Horne, chief cybersecurity evangelist at Summit 7.
“You can’t really blame the average person in the defense industrial base for the confirmation bias that has set in over the years, because people have a lot going on. They have a lot to do, and not everybody is in the weeds of what was going on,” Horne said in an interview.
CMMC was developed through the federal rulemaking procedure used by agencies to issue regulations and implement laws passed by Congress. Although the Pentagon was adamant the program was real, the yearslong rulemaking process and ambiguous messaging created confusion — as well as passivity — within the industrial base, Horne explained.
But in 2024, the Defense Department posted the final rule change for CMMC 2.0 that established the program into federal law and cemented its plans to enact the cybersecurity standards by the end of 2025. The Pentagon then published the rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) in September, which requires contract solicitations to include CMMC verification as a condition to win awards.
That rule change took effect Monday, beginning phase 1 of a three-year implementation plan to incrementally introduce CMMC requirements.
In the first phase, vendors must complete a self-assessment of their cybersecurity compliance under CMMC Level 1 and CMMC Level 2. Phase 2 will begin in November 2026 and require contractors to have Level 2 compliance verified by a certified third-party assessor organization (C3PAO).
Phase 3 will introduce CMMC Level 3 requirements beginning in November 2027 — necessitating certification from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) for those handling the department’s most sensitive data.
The plan does not mean contractors are exempt from third-party assessment before phase 2 begins, however. The DFARS amendment states that program managers can “at its discretion, include the requirement for CMMC Status of Level 2 (C3PAO) in place of Level 2 (Self) CMMC Status for applicable DOD solicitations and contracts” during phase 1.
“I think the DOD is going to use its discretion to really only require those external certifications for those high-critical programs where they’re a heightened national security [risk] and in no way can they afford to even risk a threat actor obtaining that,” Michael Gruden, cybersecurity lawyer at Crowell & Moring, told DefenseScoop.
How often third-party assessments show up in contracts will likely depend on each individual acquisition office’s interpretation of the requirements, Heidorn noted. The new rule gives program managers autonomy in how they apply CMMC, meaning third-party assessments could be included more often than people currently believe, he said.
Regardless of the confusion surrounding CMMC’s development and implementation, there is a common misconception among the industrial base that the program is introducing new requirements. In actuality, the program is the mechanism that verifies contractors are following National Institute of Standards and Technology (NIST) cybersecurity standards that have been around for almost a decade.
“People have had these cyber requirements in their contracts since 2013, the existing set of cyber requirements in DFARS hasn’t changed at all since 2016,” Horne said. “It wasn’t until a verification mechanism came around that said you have to prove to us that the thing we’re paying you for is getting done that people say, ‘This is going to crush small business. This is terrible for the [defense industrial base]. This is horrible for readiness.’”
Readiness gaps
Earlier this year, a report from Redspin found that a significant portion of the defense industrial base did not feel prepared for CMMC’s implementation — with some companies reporting they hadn’t taken any action to reach compliance.
Thomas Graham, Redspin’s vice president and chief information security officer, told DefenseScoop that now, many are racing against the clock out of fear they will lose out on contract opportunities.
“I expect to see more and more organizations waking up. Because even today there are some that say, ‘I don’t have to worry about it until at least November of next year,’” Graham said. “I think it’s going to hit them in the face a lot sooner than they expect.”
One of the main arguments against CMMC has been that verifying compliance will be arduous, requiring months of work and significant funds — especially for small and medium-sized businesses. Graham and others emphasized that the actual time and money a contractor spends on CMMC activities heavily depends on multiple factors, such as how well it has been implementing cybersecurity controls and what information it’s handling.
While CMMC can require some vendors to implement additional cyber controls to achieve compliance, technology hasn’t been the main challenge for the wider industrial base, Christian Nagel, government contracting lawyer at Holland & Knight, told DefenseScoop.
“It may be more process changes and internal responsibilities and processes, as opposed to something drastically different the company is doing from a cyber standpoint,” Nagel said.
A lot of vendors don’t have the sophisticated or detailed mechanisms needed to demonstrate they have fully met the cybersecurity controls, and they also maintain inconsistent or antiquated policies, Gruden noted. That can become an issue when proving CMMC compliance, as the program requires two pieces of evidence for each control, one of which is often a policy or procedure, he said.
“If the company is not ready in terms of they don’t have technical implementation [and] they don’t have administrative policies or governance, then that could push it out into that 18-month phase,” Gruden said.
The issue is compounded when a vendor uses a mix of local networks and cloud-based solutions to handle data. Gruden noted that if regulated data is stored in the cloud, a company may have to completely redesign its day-to-day operations in order to meet compliance.
As for the cost of implementing CMMC, Horne acknowledged that for some vendors — particularly smaller businesses and subcontractors — meeting all of the controls can take a significant portion of revenue. Still, claiming high costs can put companies in a difficult position, he said.
“People have had the requirements in their contracts, they’ve been accepting the terms of the contracts, they’ve been getting paid for the terms of their contracts,” Horne said. “If DOD says, ‘Okay, we just want to verify that you’re doing those things,’ and you say, ‘It’s going to take me 18 months and it’s going to take me $150,000 and I need more time,’ then that’s the obvious confession that the requirements haven’t been implemented.”
Incoming changes
As the Pentagon moves forward with phased CMMC implementation, industry’s inconsistent adoption of the program may cause significant shifts in the industrial base and how the department works with its contractors.
Horne said that it’s possible some businesses may leave the defense industrial base because they cannot prove they’ve implemented CMMC requirements. At the same time, other vendors have become “hyper-ready” and thus put themselves in a better position to win more Defense Department contracts, he added.
“You’re going to see a split over that first 12 months in the [defense industrial base] of companies that grow incredibly rapidly and experience a ton of success,” he said. “Then you’re going to see a bunch of companies that get left behind because they’re taking a long time to catch up, or they put themselves in a situation where it became impossible to catch up.”
While larger prime contractors may be further along in reaching compliance, Nagel said that many subcontractors and small-business partners will be impacted the most because they are struggling to find the time and resources for CMMC.
The issue could force prime contractors to find different suppliers — which isn’t always easy, especially with specialized supply chains, Nagel added. Although it may cause headaches in the near term, he noted that it may eventually lead to broader diversification of the industrial base.
“When there’s a focus on small business, either from the government or from the upstream contractor, then you really are at an impasse,” he said. “And if that supplier has other work and doesn’t feel the pinch and can say no, then it can put the upstream contractor in a really bad position.”
Nagel also noted that failure to comply with CMMC might become the basis for future bid protests and False Claims Act litigation against companies that claim they meet the program’s requirements but do not.
While industry will surely be affected, Graham said the Defense Department will not be immune to the growing pains associated with implementing a program like CMMC. At the same time, there are lingering concerns over having enough Certified CMMC Assessors (CCAs) to conduct third-party evaluations, given the months it takes to become certified.
“The bottleneck on CCAs is not on the C3PAOs. It’s on the DOD, because one of the requirements to be a fully vetted CCA is that we have to be tier-three certified and DOD is responsible for that,” Graham said. “Unfortunately unlike other designations, there’s not an interim component to it where folks can still perform the work while they’re going through the process.”
Heidorn predicted that there will be a significant demand for third-party assessors from prime contractors ensuring that their supply chains are compliant, although the current market isn’t ready to accommodate that spike.
Overall, the Defense Department has made it clear that CMMC will continue to be critical for its strategy to secure the defense industrial base, Heidorn said.
“DOD fully understands that if they don’t do something like this, the problem that we’ve known about for decades — the loss of sensitive, taxpayer-funded intellectual property going out the window to data infiltration to other nation-state actors — doesn’t go away. This is the tool that DOD believes they have to use,” he said.