The New Era of CMMC: Compliance is no Longer Optional
The Changing Landscape of CMMC
The Cybersecurity Maturity Model Certification (CMMC) has evolved from draft guidance into an enforceable requirement. The Department of Defense’s (DoD) final CMMC Program Rule was published in the Federal Register on October 15, 2024, and took effect on December 16, 2024, establishing the structure, levels, and assessment methodology of CMMC.
Phase-In of CMMC Requirements
While the foundational rule is in place, CMMC’s introduction into actual DoD contracts depends on the 48 CFR “Acquisition Rule.” In July 2025, the DoD submitted that final rule for review. As implementation proceeds, CMMC requirements are expected to appear in select new contract solicitations starting November 10, 2025.
What This Means for Your Business
- Immediate Exposure: Contracts you pursue or those managed by primes could begin requiring CMMC certification or self-assessments starting November 10, 2025.
- Longer-Term Consistency: Following initial rollout, third-party assessments conducted by a Certified 3rd Party Auditing Organization (C3PAO) will become standard for the majority of Level 2 assessments.
- Prime Contractors Leading the Way: As of June 30, 2025, companies like Lockheed Martin are already requiring suppliers to meet CMMC requirements.
Why Now? The Cost of Delay
- Only 4% of defense contractors are fully prepared for CMMC compliance, according to a 2024 study by CyberSheath and Merrill Research. The report cites key barriers such as understaffed IT teams, poor understanding of NIST SP 800-171, lack of C-suite engagement, and insufficient progress in implementing cybersecurity controls (CyberSheath, National Defense Magazine).
- Preparation typically requires 12–18 months, especially for organizations unfamiliar with NIST 800-171 practices.
- Companies that act now stand to gain a competitive advantage. Those that delay risk losing contract opportunities or facing disqualification under new eligibility requirements.
Key Takeaways: What You Should Know
| Insight | Why It Matters |
| --- | --- |
| CMMC is not optional | DoD’s Program Rule is law as of December 2024 |
| Contract compliance begins November 10, 2025 | CMMC clauses will begin to appear in new solicitations |
| Prime contractors are acting now | Lockheed Martin is already pushing relevant suppliers to meet CMMC requirements. |
| Demand for assessments is high | With so many organizations required to comply with CMMC Certification requirements, audits will be in high demand and audit availability will fill up quickly. |
| Industry readiness is low | Study suggests only 4% of defense contractors feel fully ready (CyberSheath Study). |
How DNV Can Help You Prepare
CMMC Level 1 Compliance Training (1 Day)
Designed for organizations that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI).
Participants will learn about CMMC Level 1 requirements, documentation expectations, and evidence needed to validate implementation.
CMMC Level 2 Compliance Training (2 Additional Days)
For organizations that handle Controlled Unclassified Information (CUI) and must comply with more advanced CMMC Level 2 requirements.
This course covers controls aligned with NIST SP 800-171, documentation, and audit readiness strategies.
CMMC Gap Assessments
A CMMC gap analysis is a systematic evaluation that helps your organization understand how your current cybersecurity posture compares to CMMC requirements.
- Pinpoint Gaps: Assess your existing practices against CMMC controls.
- Identify Security Risks: Expose vulnerabilities in your systems.
- Create a Remediation Roadmap: Focus your remediation efforts only on the controls that require enhancement.
- Support DoD Contract Readiness: Increase the likelihood of winning contract opportunities or eliminate potential disqualification under new eligibility requirements.
Need help getting started?
Let’s talk about your readiness, training, or a custom Gap Assessment plan. Call expert Hassaan Iftikhar, North America Head of Growth - Cybersecurity, Information Privacy and ICT, for DNV at +1 289.834.3689 or submit a contact request.
Additional Resources:
Additional information on the CMMC Program: https://dodcio.defense.gov/CMMC/
9/10/2025 7:16:00 PM