Tracking the Rollout of CMMC

The Cybersecurity Maturity Model Certification (CMMC) is a framework that requires companies contracting with the Department of Defense (DoD) to meet security standards tiered by the sensitivity of the data they handle. The underlying standard, the National Institute of Standards and Technology's (NIST) SP 800-171, has been a contractual requirement under DFARS clause 252.204-7012 since 2017, but compliance was self-reported and rarely verified. CMMC formalizes it by adding scoping rules, assessment requirements, and a certification process.

As of November 10, 2025, when Phase 1 began, DoD contracting officers require at least a Level 1 self-assessment before awarding new contracts that involve Federal Contract Information (FCI). To meet this requirement, companies assess themselves against the 15 basic safeguarding requirements of FAR 52.204-21, a subset of NIST SP 800-171 that covers basic cyber hygiene, and affirm the result in the Supplier Performance Risk System (SPRS). On November 10, 2026, Phase 2 begins: Level 2 status for contracts involving Controlled Unclassified Information (CUI), which in Phase 1 can be self-assessed, must where the solicitation specifies it be verified by a certification assessment of all 110 NIST SP 800-171 requirements conducted by a CMMC Third-Party Assessment Organization (C3PAO). Phase 3 follows on November 10, 2027, when contracting officers can begin requiring Level 3 certification, which builds on a final Level 2 certification, adds 24 requirements drawn from NIST SP 800-172, and is assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). A Level 3 requirement applies to programs handling the most sensitive CUI, where a breach could have far-reaching impact.

Given that these security standards have been in place for the better part of a decade, and the CMMC phase-in timeline has been public since the final rule was published in October 2024, companies should be well equipped to comply, but challenges remain.

Continuous Monitoring

Phase 1 relies on self-assessment for Level 1 and, in most cases, Level 2, so companies must ensure that what they affirm in SPRS matches what is actually implemented. A product update can change how a control is implemented, a supply chain change such as a new managed service provider or cloud service can alter the assessment scope, and a business process change can quietly fall out of compliance. Ensuring CMMC compliance is therefore not a single activity but a matter of continuous monitoring, and the rule requires a senior company official to affirm continued compliance annually. Companies that knowingly submit false assessments or affirmations face liability under the False Claims Act, which carries treble damages and civil penalties, as well as potential criminal exposure for false statements; the Department of Justice's Civil Cyber-Fraud Initiative has already pursued contractors over misrepresented cybersecurity compliance.

Availability of Assessors

As CMMC moves to Phase 2 and Level 2 compliance must be verified by a CMMC Third-Party Assessment Organization (C3PAO), there is concern about whether enough assessors exist to complete the needed assessments. As many as 70,000 contractors may need Level 2 certification. Currently there are under 100 authorized C3PAOs, and each assessment must be led by a Certified CMMC Assessor (CCA) who has passed a federal background investigation. To build out the workforce by November 2026, work is underway to speed those background checks for people seeking to become assessors.

Determining the Real Cost of Assessment

The DoD's rulemaking estimated a Level 2 certification assessment at roughly $105,000 for small entities and $118,000 for larger ones, recurring every three years. The National Defense Industrial Association (NDIA), the Small Business Administration, and others have said that actual compliance costs far exceed this projection; studies put upfront costs at $150,000 to $800,000, covering not just the assessment but the remediation needed to pass it. Companies may also need to hire personnel or consultants dedicated to CMMC to maintain compliance between assessments, adding thousands of dollars in monthly costs. The fear is that this cost will be a barrier to entry for small contractors.

CMMC is no longer a "nice to have" competitive advantage. It is a requirement for doing business with the DoD. To stay on top of the rollout and how companies are adjusting, check out these events and resources:

  • Securing the Cyber/Software Supply Chain 2026 (March 26, 2026; virtual) - Expert speakers from government and industry will share actionable insights and real-world approaches to securing mission-critical software infrastructure. Whether you're responsible for procurement, IT security, or strategic planning, this workshop will equip you with the tools and foresight to stay ahead of emerging threats to the supply chain.
  • 2026 Cyber Summit (May 21, 2026; Falls Church, VA) - With less than a year until DoD's fiscal year 2027 target for reaching target-level zero trust across its systems, understanding where defense and civilian agencies stand in their cybersecurity journeys is a requirement.
  • 2026 Navy & Marine Corps Procurement Conference (May 28-29, 2026; Norfolk, VA) - Engage directly with decision-makers from the Pentagon, Navy and Marine Corps commands, and leading prime defense contractors. Gain critical information on current Defense spending plans and procurement priorities.
  • Understanding CMMC (white paper) - CMMC is more than a compliance checkbox--it's a long-term process that must be embedded into business operations, especially to safeguard sensitive data and defend against cyber threats. This report emphasizes that organizations must shift their culture, improve documentation, and maintain ongoing vigilance, particularly as the CMMC model evolves. It also calls on the government to clarify standards and account for mobile usage and international regulatory alignment.
  • Enhancing Security Protocols for the Department of Defense (Memorandum) - The Department of Defense is tightening its security protocols to protect against supply-chain attacks. The directive calls for immediate validation of all IT and cloud services to ensure they are free from foreign influence or malicious code. Key cybersecurity programs--such as the CMMC, the Secure Software Development Framework, and FedRAMP--will be leveraged to bolster these efforts.
  • Understanding the NIST Cybersecurity Framework (white paper) - The NIST Cybersecurity Framework (CSF) 2.0 is a set of guidelines, best practices, and standards to help organizations manage and improve their cybersecurity posture. This whitepaper covers the NIST CSF 2.0 and explains the differences found in this updated Framework.

For more information on CMMC and security compliance, search for additional events and resources on GovEvents and GovWhitePapers.
