Defense Contractors Face a New Reality as CMMC Enforcement Accelerates

With phased enforcement commencing, contractors face a tightening timeline to prove compliance. Those who mobilize early will stay ahead of deadlines and avoid potential bottlenecks.

For many defense contractors, the path to cybersecurity compliance has been clouded by shifting deadlines and evolving requirements. Now, as stricter rules begin appearing in Department of Defense (DoD) contracts, uncertainty has turned into urgency. Primes are tightening oversight, subcontractors are scrambling to verify readiness, and companies that misstep risk losing not just future bids but the very contracts that sustain their business.

With the Title 48 rule, effective November 10, 2025, now reshaping how the DoD must allocate awards, defense contractors and subcontractors must expect to prove they meet strict Cybersecurity Maturity Model Certification (CMMC) standards. Those who delay risk losing valuable contracts and getting caught in a growing certification bottleneck.

This goes beyond IT. CMMC is about policy, procedure, personnel, and even physical security. It's an organizational state of compliance that companies need to be able to demonstrate fully.

A rollout with high stakes

CMMC is being implemented through a phased rollout under Title 48. It builds on NIST SP 800-171, but the final rule adds stricter verification measures and formal accountability.

The Title 32 CMMC Program plan provides for rollout in four phases, each with increasing impact:

  • Phase One – Initial Enforcement (Nov. 2025):

All new DoD contracts will require a valid self-assessment score in the Supplier Performance Risk System (SPRS). Contracts may not be awarded if the score is below the threshold. For Level 2, that means meeting a minimum score of 88 out of 110.

  • Phase Two – Select Contract Certifications (Nov. 2026):

Certification audits by a Certified Third-Party Assessment Organization (C3PAO) will be required for "select" new contracts. Exactly which programs will be selected is uncertain. However, DoD program officers have discretion to require certification both earlier than the phase two starting line and during this phase, a situation many describe as "Russian roulette."

  • Phase Three – Expanding to Options and Renewals (Nov. 2027):

Certification requirements extend to option periods, drawing previously "safe" long-term agreements into compliance. Level 3 audits, led directly by DoD, begin for contracts with the most sensitive data.

  • Phase Four – Full Enforcement (Nov. 2028):

Excepting only commercial off-the-shelf (COTS) procurements, all DoD solicitations and contracts will include applicable CMMC certification requirements as a condition of award.

While these phases suggest a gradual path, many companies will feel the impact much sooner: once a prime contractor's program is selected, flow-down of the requirement to subcontractors is mandatory.

Title 48 gives program officers the complete and unrestricted freedom to implement C3PAO certification at any time they choose during the rollout. A contracting officer could start prescribing CMMC requirements to programs in early 2026 rather than waiting, and if you aren't ready, you could be excluded.

Why early action matters

The challenge of getting the entire Defense Industrial Base (DIB) through the CMMC process is staggering. There are roughly 300,000 companies in the DIB, with an estimated 80,000 needing Level 2 certification. Yet experts estimate fewer than 2% are currently certified.

Adding to the challenge is the limited number of accredited assessors. Fewer than 100 C3PAOs are currently available to audit contractors. With tens of thousands of companies chasing certification, the bottleneck could be severe.

This can aptly be compared to a thousand-lane highway suddenly merging down to ten lanes. Companies that wait will find themselves in a traffic jam with no way to get certified in time for an award.

The risks go far beyond scheduling delays. According to SSE, Primes are already pressing subcontractors to demonstrate progress, sometimes color-coding suppliers (e.g., green, yellow, red) based on SPRS scores or restricting the way CUI is shared until compliance improves. Some have begun withholding purchase orders (POs) from subs that cannot provide evidence of readiness.

For companies that rely heavily on DoD work, these risks are existential. Many depend on their contracts with primes as the lifeblood of their business; a misstep there can mean closing shop.

Finding the gaps

For organizations unsure of where they stand, the first step is a gap assessment. This process identifies strengths and weaknesses relative to CMMC requirements and provides a roadmap to remediation before a formal audit.

To help with gap assessments, companies can partner with a Registered Provider Organization (RPO), a designation established by the DoD to help companies prepare for CMMC. RPOs are accredited by the Cyber AB and may also provide services like remediation, policy development, and continuous monitoring.

Choosing an experienced partner is critical.

Get a gap assessment from someone who's been through and passed the certification process themselves. It's a very different conversation when you're talking to someone who can say, 'Here's exactly what an auditor will expect to see.'

An organizational approach

CMMC enforcement is no longer theoretical; itโ€™s redefining how the defense industry operates. Contractors who act decisively will control their future; those who delay risk being overtaken by deadlines and competitors. Ultimately, success depends on preparation, discipline, and trusted partners.

As Stacy Bostjanick, Chief Defense Industrial Base Cybersecurity for the DoD CIO, recently put it:

"Those who knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices or protocols, or violate obligations to monitor and report cybersecurity incidents and breaches must be held accountable. Enforcement efforts like this should serve as a reminder to industry to prioritize DoD cybersecurity compliance."

Her warning makes the stakes clear: compliance is a matter of readiness, accountability, and survival in the modern defense supply chain.