The Cybersecurity Maturity Model Certification (CMMC) went fully into effect in November of 2025. While this activation is new, the standards are not. CMMC is based on the National Institute of Standards and Technology’s (NIST) SP 800-171 standard, which has been in place for eight years. This standard ensures that companies contracting with the Department of Defense (DoD) meet security requirements based on the sensitivity of the data they manage. CMMC formalizes compliance standards that companies should have been following all along.
Starting in November, DoD began a three-phase rollout of compliance.
- Phase 1 – Limited rollout (starting Nov 2025): CMMC requirements began appearing in select DoD contracts. For Level 1 certification, contractors can rely on self-assessments to show they comply with the 15 controls—specified by 800-171—that cover basic cyber hygiene. Most who require Level 2 certification, which involves all 110 controls in the NIST standard, can also rely on self-assessment for the time being.
- Phase 2 – Broader enforcement (starting around November 2026): DoD will require that contractors dealing with Controlled Unclassified Information (CUI), instead of self-assessing for Level 2 compliance, be verified through a CMMC third-party assessment organization (C3PAO).
- Phase 3 – Full implementation (to be completed around 2028): Once CMMC is fully integrated into DoD acquisitions, required certification levels will be consistently enforced across applicable contracts, with third-party assessments the norm and noncompliance effectively barring contractors from eligibility. Contracting officers can start requiring those seeking Level 3 certification—which would enable them to work with highly sensitive data or systems—to undergo an assessment by the Defense Industrial Base Cybersecurity Assessment Center.
Begin Third-Party Assessments Now
To get ahead of the requirements, companies should be working as if third-party certification is already required. If not using C3PAOs yet, companies should be self-evaluating with the same rigor third parties would employ—this way, when they do engage C3PAOs, those assessments can proceed quickly.
There is a real concern in the defense contracting community that there will not be enough assessors to meet the need for third-party assessment. Nearly 80,000 firms will need Level 2 certification, requiring the work of C3PAOs, but currently there are only about 70 firms authorized to provide assessments and certification. Getting ahead of the assessment crunch may prove to be a differentiator.
Get Visibility into CUI
Another way to prepare for these future requirements is to conduct a gap analysis now and begin implementing fixes. This can be done with existing resources or by using consultants. However, it is critical to ensure that anyone working on this analysis is well-versed and experienced with the CMMC requirements and process. A solid first step in self-analysis is understanding where your organization stores federal government CUI. With this, you can determine which systems need the more rigorous C3PAO assessment and where you may already meet CMMC requirements.
To stay on top of CMMC implementation, check out these resources from GovWhitePapers and GovEvents:
- Securing the Cyber/Software Supply Chain 2026 (March 26, 2026; virtual) – Expert speakers from government and industry will share actionable insights and real-world approaches to securing mission-critical software infrastructure. Whether you’re responsible for procurement, IT security, or strategic planning, this workshop will equip you with the tools and foresight to stay ahead of emerging threats to the supply chain.
- 2026 Cyber Summit (May 21, 2026; Falls Church, VA) – With less than a year until DoD’s 2027 deadline to become zero trust–compliant on all systems, understanding where defense and civilian agencies stand in their cybersecurity journeys is a requirement.
- 2026 Navy & Marine Corps Procurement Conference (May 28-29, 2026; Norfolk, VA) – Engage directly with decision-makers from the Pentagon, Navy and Marine Corps commands, and leading prime defense contractors. Gain critical information on current Defense spending plans and procurement priorities.
- Understanding CMMC (white paper) – CMMC is more than a compliance checkbox—it’s a long-term process that must be embedded into business operations, especially to safeguard sensitive data and defend against cyber threats. This report emphasizes that organizations must shift their culture, improve documentation, and maintain ongoing vigilance, particularly as the CMMC model evolves. It also calls on the government to clarify standards and account for mobile usage and international regulatory alignment.
- Enhancing Security Protocols for the Department of Defense (Memorandum) – The Department of Defense is tightening its security protocols to protect against supply-chain attacks. The directive calls for immediate validation of all IT and cloud services to ensure they are free from foreign influence or malicious code. Key cybersecurity programs—such as the CMMC, the Secure Software Development Framework, and FedRAMP—will be leveraged to bolster these efforts.
- Understanding the NIST Cybersecurity Framework (white paper) – The NIST Cybersecurity Framework (CSF) 2.0 is a set of guidelines, best practices, and standards to help organizations manage and improve their cybersecurity posture. This whitepaper covers the NIST CSF 2.0 and explains the differences found in this updated Framework.
Search GovWhitePapers and GovEvents to find even more insights on DoD security requirements, including CMMC.