The Pentagon will officially launch the phased rollout of its long-awaited Cybersecurity Maturity Model Certification (CMMC) program on Nov. 10.

CMMC establishes a three-tiered cybersecurity framework requiring companies to meet standards based on the sensitivity of the data they manage. The rule is set to take effect on Nov. 10, and the Department of Defense (DOD) – which the Trump Administration has rebranded as the Department of War – plans to implement the program in four phases over the next three years.

To understand the implications for contractors, MeriTalk spoke with several cybersecurity experts about navigating business with the DOD now that CMMC is the law of the land.

CMMC as a Catalyst for Transformation

Russ Smith, field chief technology officer (CTO) at Zscaler, described the rollout as “a pivotal moment for the Defense Industrial Base (DIB).” He emphasized that CMMC is more than a compliance deadline – it represents a fundamental shift in how contractors secure critical information based on its sensitivity.

“For too long, compliance has been treated as a box-checking exercise. CMMC changes that by embedding security and accountability into every layer of operations. The organizations that will thrive are those that see CMMC as a catalyst for transformation rather than a constraint,” Smith said.

In regard to controlled unclassified information (CUI), Smith explained that CMMC raises the bar for CUI protections.

“Under this new approach, securing CUI that is stored, processed, and transmitted within contractor networks must meet similar requirements as military data security network infrastructure,” Smith said. “CMMC will ensure the DIB raises the bar to ensure there is no weak link up and down the supply chain when holding CUI that is critical to developing, operating, and maintaining the tools that represent this nation’s technical edge.”

He added that this is a call for the DIB to ensure there are no weak links across the supply chain, protecting critical tools that underpin the nation’s technical edge. He praised the milestone as a shared responsibility that reinforces trust, innovation, and the integrity of the defense ecosystem.

Readiness and Execution Challenges

Thomas Graham, vice president and chief information security officer at Redspin and chair of the Cyber AB C3PAO Accreditation Committee, stressed that while awareness and understanding of CMMC have improved among contractors, readiness still varies widely across organizations.

“Some contractors are still waiting for phased contract rollouts, which may disallow awards if the contract requires CMMC prior to the rollout date,” Graham said. “Many small and mid-sized suppliers struggle not due to lack of effort but because they underestimated the time, complexity, and resources it takes to implement controls properly, tighten documentation, and schedule [third-party] assessments.”

To prepare for the rollout and successfully meet CMMC requirements, Graham advised that DIB contractors first review DOD contracts to determine the required level of compliance, and the steps needed to meet those standards.

“If you are unsure, reach out to an organization, such as a [Certified Third-Party Assessor Organization] (C3PAO) … to assist you,” he said. “Improperly scoped environments can cost you the certification, additional cost, etc.”

He also noted that the phased rollout applies only to contract enforcement. Subcontractors should know that primes can demand higher CMMC levels at any time, and most do so to reduce the risk of a sub failing to protect sensitive information.

Cybersecurity as National Security

Gary Barlet, public sector CTO at Illumio, framed CMMC as an overdue yet crucial step for national defense.

“While there are understandable concerns and challenges about the implementation as the Nov. 10 deadline approaches, this milestone represents a critical step toward strengthening our national defense,” Barlet said.

“CMMC ensures cybersecurity is no longer optional – it embeds accountability at every level and compels suppliers to address vulnerabilities often overlooked,” he added.

Barlet emphasized that the government’s use of contract leverage signals that protecting sensitive systems is now “a prerequisite for any organization seeking to do business with defense agencies.”

“This serves as a reminder that protecting our nation’s information is not merely a compliance exercise, but a cornerstone of national security and the integrity of our defense ecosystem,” Barlet said. “Even amid a government shutdown, when many operations have paused, our adversaries have not – and we must remain committed to resilience.”

Scramble, Compliance, and Opportunity

Emil Sayegh, CEO of CyberSheath, delivered a stark message to contractors still struggling with compliance: get on the CMMC bandwagon or risk losing your contract.

“A good portion of [contractors] are not ready and are scrambling,” Sayegh said.

With mere days until day one of CMMC, his advice for all organizations – not just those struggling with compliance – was to find a “sherpa”: someone knowledgeable in CMMC levels and assessments to guide them through the process and ensure nothing falls through the cracks.

“They need to get their acts together very, very quickly. And the likelihood that they’re able to do it internally is very low based on what we’ve been seeing,” he said. “So, what do they need to get compliant? They need to find a partner that is going to be able to get them from whatever they actually are to [where] they need to be.”

Sayegh acknowledged that reaching compliance standards may be difficult for smaller organizations but stressed that CMMC compliance is simply “good cybersecurity hygiene.”

“It’s like putting locks on the door, installing cameras, multi-factor authentication, and encrypting data. Beyond compliance, it’s just smart practice,” he said.

He also noted the strategic opportunity for small businesses that invest in readiness.

“People need to seize this as a huge business opportunity, jump on it, embrace it. This is a chance to be a leader, win contracts, and protect national interests,” Sayegh said.

Turning Compliance Challenges into Competitive Advantage

Felipe Fernandez, CTO at Fortinet Federal, noted that while achieving CMMC compliance can be daunting, it also presents a significant strategic opportunity for defense contractors.

“[It] opens the door for forward-leaning contractors to stand apart,” Fernandez said.

Fernandez explained that organizations investing in cybersecurity readiness today not only reinforce their standing as trusted DOD partners, “but also gain a competitive edge in future contract opportunities.”

Fernandez added that as automated compliance tools and CMMC-focused technologies evolve, “contractors that once found readiness overly burdensome may now find new, cost-effective pathways to certification and long-term success.”

“The widening gap between perceived and actual readiness underscores the urgency for action – and signals a moment of opportunity,” he said.

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.