The Department of Defense (DoD) rule establishing the Cybersecurity Maturity Model Certification (CMMC) program is now in full effect under 32 CFR, and the companion acquisition rule that writes CMMC requirements into contracts (48 CFR/DFARS) is in its final stages. If you do business with the DoD, this directly impacts your ability to win and keep contracts.
New administrations often bring shifts in priorities, but those waiting to see if CMMC will be cut need to reconsider. CMMC was introduced under the first Trump administration, and its lead architect at the time, Katie Arrington, was just named DoD Chief Information Security Officer (CISO), signaling a renewed commitment to protecting sensitive government data.
Additionally, enforcement actions against DoD contractors that fail to meet cybersecurity requirements continue. In February 2025, Health Net Federal Services agreed to an $11 million False Claims Act settlement over alleged non-compliance with its contractual cybersecurity obligations. This reinforces that cybersecurity matters—compliance is no longer optional, and breaches and penalties cost far more than meeting the requirements.
CMMC is not an optional program, and failing to prepare means you could lose eligibility for future government contracts, even if you’re currently compliant with DFARS 252.204-7012 or NIST SP 800-171. The phased rollout will soon make CMMC a hard requirement, meaning contractors and subcontractors must prove they meet security standards through self-assessments, third-party certifications, or government-led reviews.
If your company handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), here’s what this means for you—and why you need to act now.
If you don’t prepare for CMMC now, you face:
Not all companies will need a third-party assessment, but you must determine your required level now:
Key takeaway: If you handle CUI, you will likely need a Level 2 assessment by an authorized third-party assessment organization (C3PAO), and some programs will also require a Level 3 government-led assessment.
The DoD is phasing in CMMC requirements on fixed timelines, measured from the effective date of the acquisition (DFARS) rule:
· Phase 1: Begins on the effective date. Where applicable, solicitations include Level 1 and Level 2 self-assessment requirements, and some solicitations may require Level 2 certification.
· Phase 2: Begins 6 months later. Where applicable, solicitations include Level 2 certification. Some solicitations may require Level 3. Solicitations may specify that certification is due at award or at an option period.
· Phase 3: Begins 12 months later (18 months after the effective date). Where applicable, solicitations include Level 1, 2, or 3 requirements. Only for Level 3 may a solicitation specify that certification is due at an option period; all other levels are due at award.
· Phase 4: Begins 12 months later (30 months after the effective date). The DoD intends for all solicitations to include the applicable CMMC level requirements.
Key takeaway: These deadlines mean you must start preparing now, not when the rule goes into effect.
Even if your company is ready, your subcontractors must also meet CMMC requirements. If a subcontractor fails to meet its required level, prime contractors could lose eligibility to bid on contracts or be forced to replace key suppliers—potentially causing delays, cost overruns, or compliance failures of their own.
Key takeaway: Your compliance is only as strong as your weakest subcontractor—plan ahead.
In very limited circumstances, and in accordance with all applicable policies, procedures, and requirements, a Service Acquisition Executive (SAE) or Component Acquisition Executive (CAE) may elect to waive the inclusion of CMMC Program requirements in a solicitation or contract.
However, contractors and subcontractors will still be required to comply with all applicable cybersecurity and information security requirements.
CMMC compliance isn’t just another checkbox—it’s a requirement that directly impacts your ability to work with the DoD. The guidance makes it clear:
Bottom line: Contractors who prepare now will have a competitive advantage over those who wait. If your organization relies on DoD contracts, ensure your cybersecurity practices are compliant before it’s too late.
Start preparing today—CMMC is coming, whether you’re ready or not. Learn more about how Coalfire Federal guides you to compliance effectively and efficiently.
Amy Williams began her career in Accounting Information Systems, a precursor to cybersecurity that gave her the skills and knowledge she uses today. Drawing on multiple fields of study, Dr. Williams has extensive experience with fraud, errors in internal systems, and internet security protection. She has been at the forefront of developing cyber strategies for supply chains since the World Wide Web made the internet a popular medium for sharing business data. Holding both a Master’s degree and a PhD from Virginia Tech, Amy Williams has held prestigious positions with the NY Citizens Crime Commission, where she built an alliance with the FBI, and she led the development of BlueVoyant’s CMMC and CIS Advisory Practices prior to joining Coalfire Federal.