The end of fiscal 2025 on Sept. 30 will usher in a substantial change for the Department of Defense (DoD). The Office of Management and Budget is set to finalize a federal acquisition rule that increases cybersecurity requirements for defense contractors.
The rule, known as the 48 CFR acquisition rule and finalized Sept. 10, implements a far-reaching DoD effort known as the Cybersecurity Maturity Model Certification (CMMC) initiative.
CMMC is a framework that validates whether organizations in the defense industrial base implement and maintain effective cybersecurity measures to protect sensitive government data from cyber threats.
The final version of that key federal regulation makes CMMC a requirement for future DoD procurements. DoD contracting officers will be obligated to verify a bidder’s certification in the supplier risk management system (SPRS) prior to awarding any new contract that stipulates CMMC.
Time to get on board
Organizations in the defense industrial base supply chain that have waited for this milestone to get started or still believe they can delay due to CMMC’s phased implementation timeline are now well behind and must factor CMMC into their 2026 security efforts — or face losing opportunities.
The government has allowed a caveat in the rule codifying CMMC that lets program management officers and contracting officers decide whether a higher CMMC certification level for a specific contract is warranted, regardless of the implementation phase. Only the contracting officers will know for certain what CMMC level will be included in a given contract. Those who aren’t ready won’t be able to compete.
The phased implementation period also has no bearing on what prime contractors will require from any subcontractors they consider bringing into a bid. Some primes already require that subcontractors be certified at what is known as CMMC Level 2 to join a contract bidding team.
To gain competitive advantage for a particular opportunity, a prime could also require subcontractors to achieve a higher CMMC certification level than the subs might otherwise intend, for instance, to present a team in which every participant is certified at CMMC Level 2.
Allocating budget resources
Correctly budgeting for CMMC readiness requires federal contractors and suppliers to distinguish between two major cost categories — implementing the security controls that CMMC validates and undergoing the CMMC assessment.
Implementation steps differ based on an organization’s cybersecurity maturity. They include remediating gaps against the National Institute of Standards and Technology (NIST) SP 800-171 guideline for protecting the confidentiality of controlled unclassified information within information systems, purchasing and configuring security tools, updating policies and training staff.
As part of protecting controlled unclassified information, these efforts should already be underway regardless of CMMC assessment timing, especially for organizations contractually bound by the Defense Acquisition Regulations (DFARS) Clause 252.204-7012 on Safeguarding Covered Defense Information and Cyber Incident Reporting. Assessment costs can either be spread over a several-year period across the number of organizational contracts subject to CMMC compliance or absorbed as a capital expense.
The cost-spreading option will likely be preferable for organizations with multiple DoD contracts. However, for organizations with only one or two DoD contracts, full cost absorption will have a much greater impact on a project’s profitability, undoubtedly leading to higher bid pricing. DoD contracting officers should expect some increase, and if they don’t see this additional cost in a proposal, they should question whether the contractor is really doing what it claims. Defense industrial base members need to work with their proposal teams to plan for this.
Capital expense absorption is the path many organizations are taking given fear of increasing their bid in the current government environment. This approach can also be spread across a number of contracts and task orders. Whichever method is chosen, the discussion is integral to an organization’s overall strategy, and also to bolstering its own security.
Updates to the CMMC framework
As cyber threats keep evolving, so must CMMC. The next step will be aligning it with the current version of NIST SP 800-171, which adds control families and other objectives to the CMMC assessment criteria.
As this will impose additional implementation requirements on organizations seeking certification, the DoD has already released organizationally defined parameters (ODPs) that explain minimum requirements for certain controls. Aligning early to the ODPs will be helpful for defense industrial base organizations waiting to go through the CMMC Level 2 certification process. Organizations already Level 2 certified should take the ODPs into account during annual reviews. Implementing the additional requirements sooner will also spread the cost over a longer period.
Defense Secretary Pete Hegseth and other Pentagon leaders recently reinforced that the DoD is prioritizing cybersecurity and highlighted NIST 800-171 and CMMC as the confirmed approach to securing the industrial base.
CMMC has already shown up as a requirement in an Aug. 18 Army Corps of Engineers Projection. Organizations that have contracts with other federal agencies should take notice. The controlled unclassified information designation applies government-wide, not just to the DoD. That means all federal agencies can and should be using it. It is highly likely that we will see similar enforcement measures at agencies such as the Department of Homeland Security, the General Services Administration and others.
CMMC is real and it’s happening. Contractors must act now to ensure that they are positioned to meet evolving federal cybersecurity requirements in the new fiscal year and beyond.