Pentagon's CMMC Program Commences Phased Rollout, Mandating Cybersecurity Compliance for Defense Contractors

Executive Summary

On November 10, 2025, the U.S. Department of Defense (DoD) officially began the long-anticipated rollout of its Cybersecurity Maturity Model Certification (CMMC) program. This marks a pivotal moment for the hundreds of thousands of companies in the Defense Industrial Base (DIB), as cybersecurity compliance moves from a recommendation to a contractual mandate. The program will be implemented in four phases over three years, gradually introducing increasingly stringent assessment and certification requirements. The final rule, now published in the Federal Register, amends the Defense Federal Acquisition Regulation Supplement (DFARS), making CMMC a legally binding prerequisite for winning and maintaining DoD contracts. All DIB members must now prepare for a new era of verifiable cybersecurity.

Regulatory Details

The CMMC program is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that resides on the networks of DIB contractors. It establishes three levels of cybersecurity maturity, each with a corresponding set of practices and assessment requirements.

• Level 1 (Foundational): For contractors handling only FCI. Requires an annual self-assessment against 17 basic security controls.
• Level 2 (Advanced): For contractors handling CUI. Requires compliance with the 110 controls of NIST SP 800-171. Most will need a triennial third-party assessment, while a subset may be allowed an annual self-assessment.
• Level 3 (Expert): For contractors handling CUI in high-priority programs. Requires compliance with NIST SP 800-172 in addition to Level 2 controls, and will necessitate a triennial government-led assessment.

Implementation Timeline

The DoD has structured the CMMC rollout to allow contractors time to adapt. The timeline is as follows:

• Phase 1 (Starts November 10, 2025): Contracting officers may begin including requirements for Level 1 and Level 2 self-assessments in new solicitations.
• Phase 2 (Starts November 10, 2026): Introduction of requirements for Level 2 third-party certification assessments in new solicitations.
• Phase 3 (Starts November 10, 2027): Introduction of requirements for Level 3 government-led assessments in new solicitations.
• Phase 4 (Starts November 10, 2028): CMMC requirements will be included in all new DoD solicitations where FCI or CUI is present.

Affected Organizations

The CMMC program applies to the entire Defense Industrial Base, which is estimated to include over 300,000 companies. This includes:

• Prime contractors who have a direct contractual relationship with the DoD.
• Subcontractors at all tiers of the supply chain.
• Companies of all sizes, from large defense corporations to small businesses.

Even if a company does not handle CUI, it will likely need to achieve CMMC Level 1 if it handles FCI, which is present in nearly all DoD contracts.

Impact Assessment

The rollout of CMMC will have a profound business and operational impact on the DIB:

• Increased Compliance Costs: Contractors will face new costs associated with preparing for assessments, hiring consultants, implementing new security technologies, and undergoing third-party certifications.
• Competitive Disadvantage: Companies that fail to achieve the required CMMC level will be ineligible for new DoD contracts. Proactive companies that certify early may gain a significant competitive advantage.
• Supply Chain Pressure: Prime contractors will be responsible for ensuring their subcontractors are compliant, leading to a top-down push for certification throughout the supply chain. Primes may drop non-compliant subcontractors, creating significant business risk.
• Improved Security Posture: Ultimately, the program is intended to raise the cybersecurity baseline of the entire DIB, making it a harder target for nation-state adversaries seeking to steal sensitive defense information.

Compliance Guidance

DIB companies should take the following steps immediately:

1. Determine Your Required Level: Identify whether your company handles FCI only (Level 1), CUI (Level 2), or high-priority CUI (Level 3). This will dictate your compliance path.
2. Conduct a Gap Analysis: Perform a thorough self-assessment against the controls required for your target CMMC level (e.g., using NIST SP 800-171 for Level 2). Identify all gaps in your current security posture.
3. Develop a Plan of Action & Milestones (POA&M): Create a detailed project plan to remediate all identified gaps. While CMMC requires most controls to be met at the time of assessment, a POA&M is essential for managing the remediation process.
4. Engage with Experts: Consider engaging with a Registered Provider Organization (RPO) or other CMMC consultants to guide your preparation. For Level 2 and 3, you will need to contract with an accredited CMMC Third-Party Assessment Organization (C3PAO).
5. Document Everything: CMMC assessments are evidence-based. Thoroughly document all policies, procedures, and technical configurations that demonstrate compliance with each control.