After years in development, the Pentagon is set to launch the phased rollout of its long-awaited Cybersecurity Maturity Model Certification (CMMC) program next week. The question now is: Is industry ready?

To gauge how prepared small businesses are, the Pentagon’s Office of Small Business Programs rolled out a new “pulse survey” last week on CMMC compliance. The survey aims to assess industry readiness, surface key concerns, and identify challenges as CMMC officially becomes a contracting requirement.

“This short survey will help us better understand how small businesses are navigating these changes so we can tailor our support, resources, and guidance to better meet your needs during the transition,” the survey website reads.

The CMMC rule is set to take effect on Nov. 10. The Department of Defense (DOD), which the Trump Administration has rebranded as the Department of War, plans to implement the program in four phases over the next three years. During the first year, most contracts that carry a CMMC requirement will call for the less arduous self-assessment rather than a third-party certification.

Up until now, CMMC compliance has been largely voluntary, but last month DOD finalized the rule that formally makes CMMC a condition of defense contract awards. Published in the Federal Register, the rule amends the Defense Federal Acquisition Regulation Supplement (DFARS) roughly a year after the CMMC program rule itself was finalized in October 2024.

The program, introduced in 2020 and revised as CMMC 2.0 in 2021, initially drew criticism for its complexity and cost, particularly among smaller contractors. CMMC 2.0 addressed some of these concerns by reducing the number of certification levels from five to three and by allowing self-assessment in place of third-party assessment for the lowest level and for some contracts at the middle level.

Despite these changes, industry groups and advocates have continued to voice concerns, particularly over the impact of CMMC on small businesses. Last year, the Small Business Administration’s Office of Advocacy formally raised questions about companies’ ability to comply in a letter to former DOD Chief Information Officer John Sherman.

Nevertheless, whether industry is ready or not, CMMC is now a binding contract requirement.

Rollout Begins Nov. 10: What Contractors Need to Know

With CMMC now official, here’s what to expect from the phased rollout and what defense contractors need to know to stay compliant.

CMMC establishes a three-tiered cybersecurity framework in which the level a company must meet is driven by the sensitivity of the government information it handles: federal contract information (FCI) at the low end and controlled unclassified information (CUI) above that.

Level one sets basic protections for FCI, requiring defense contractors to implement 15 core safeguards focused on fundamental cyber hygiene, the same safeguards already required of contractors under FAR 52.204-21.

Level two protects CUI and calls for full implementation of all 110 security requirements in NIST SP 800-171 Revision 2. These requirements span 14 families of information security practices, including access control, identification and authentication, audit and accountability, configuration management, and incident response.

Level three raises the bar to defend the most sensitive CUI against more sophisticated threats, such as advanced persistent threats. In addition to the 110 requirements from NIST SP 800-171 Revision 2, it mandates that contractors meet a selected subset of 24 enhanced security requirements drawn from NIST SP 800-172.

Assessment obligations scale with the level. At every level, a senior company official must affirm continued compliance annually. Level one is always a self-assessment. Level two is either a self-assessment or, for contracts involving more sensitive CUI, a certification assessment by an authorized third-party assessment organization (C3PAO); either form of assessment must be repeated every three years. Level three requires a certification assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years, on top of a valid level two certification.

For levels two and three, plans of action and milestones (POA&Ms) may be accepted for only a limited set of the security requirements, and an assessment with open POA&Ms earns only a conditional status. Open POA&Ms must be closed out within 180 days of the assessment or the conditional status lapses. POA&Ms are not permitted at level one: all 15 safeguards must be in place.

Contracting officers have already reached out to current DOD contract holders to start implementing CMMC requirements in preparation for the rollout, and contractors who do not meet the required level when a contract comes up for renewal risk losing that award.

DOD's four-phase rollout over three years begins Nov. 10 with phase one, in which applicable solicitations will require a completed level one or level two self-assessment, with the results posted in the Supplier Performance Risk System (SPRS).

Phase two, beginning Nov. 10, 2026, will add level two third-party certification requirements to applicable solicitations. Phase three, starting Nov. 10, 2027, will add level three certification requirements. Phase four, set for Nov. 10, 2028, will make all applicable CMMC requirements a condition of award for every covered contract. During phases two and three, DOD may choose to defer a certification requirement within a given contract to a later option period rather than demand it at award.

However, the phases set the latest point at which each requirement appears; in some procurements, DOD may impose a CMMC level earlier than the schedule calls for.

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.