Ready or Not, CMMC Is Here

Cybersecurity Maturity Model Certification (CMMC) sets security standards for contractors working with the Department of Defense (DoD) to ensure the data they interact with is protected. The standards have been in place since the introduction of the Defense Federal Acquisition Regulation (DFARS) in 2015, and now, 10 years later, a more formalized compliance process is being implemented.

Starting October 1, 2025, the CMMC clause will start to be used in DoD contracts. This clause requires contractors to align their security practices with the CMMC level required by the contract. While contractors have been required to meet rigorous security standards for some time, whether they did was determined primarily through self-attestation. This roll-out introduces the need for third-party validation of compliance claims, ensuring the security of the defense supply chain.

Third-Party Assessor Organizations (C3PAOs) are critical to the success of CMMC. These organizations validate security claims made by contractors and vendors. Non-compliance under self-attestation was largely not malicious. Many of the issues resulted from contractors not fully understanding the requirements or not realizing that their documented claims had not actually been put into practice. With third-party assessment, these issues can be caught early in the procurement cycle, ensuring that contracted parties can meet security guidelines immediately upon being awarded work. A projected 80,000 companies in the defense industrial base will soon require CMMC "level two" assessment, necessitating a scaling of assessors as CMMC implementation moves through its phases.

While these requirements have been around for a decade, the rigor required to show compliance is still proving challenging for many companies. A report issued in early 2025 found that 58% of respondents did not feel ready for the rule to be final and effective. Of those who indicated cost as a top preparation challenge, 52% were prime contractors and dual-role companies.

To stay on top of CMMC implementation and understand the underlying cybersecurity requirements, check out these resources:

  • CS5 East (October 16-17, 2025; National Harbor, MD and virtual) - The essential gathering for defense contractors to get CMMC compliance right. This event brings the entire compliance ecosystem together, from the experts who prepare you (RPOs) to the auditors who assess you (C3PAOs), and the training and tool providers who support you every step of the way.
  • October Cybersecurity Division Meeting (October 23, 2025; Arlington, VA) - The NDIA Cybersecurity Division will discuss the latest on CMMC, supply chain risk management, AI and software assurance, new requirements regarding the secure software development framework and AI, and other policy and legal developments.
  • Summit 7 Live (November 5, 2025; Tampa, FL) - This half-day session is focused on the strategies, updates, frameworks, and real-world tools you need to tackle compliance.
  • Understanding CMMC (white paper) - CMMC is more than a compliance checkbox--it's a long-term process that must be embedded into business operations, especially to safeguard sensitive data and defend against cyber threats. This report emphasizes that organizations must shift their culture, improve documentation, and maintain ongoing vigilance, particularly as the CMMC model evolves. It also calls on the government to clarify standards and account for mobile usage and international regulatory alignment.
  • Enhancing Security Protocols for the Department of Defense (Memorandum) - The Department of Defense is tightening its security protocols to protect against supply chain attacks. The directive calls for immediate validation of all IT and cloud services to ensure they are free from foreign influence or malicious code. Key cybersecurity programs--such as CMMC, Secure Software Development Framework, and FedRAMP--will be leveraged to bolster these efforts.

For more information on meeting cybersecurity mandates and best practices, search for additional events and resources on GovEvents and GovWhitePapers.
