CMMC is Here - Now What?

Written by Jacob Hill

Published Oct 6, 2025

This week, I’m thrilled to welcome Jacob Hill, Director of Cybersecurity at Summit 7, as a guest author.

Some of you might remember Jacob from his GRC Academy Podcast, which was the very first podcast I was invited to join. He’s an excellent educator, and I’m very happy that he has agreed to write this guest edition of GRC Lab.

In the article below, Jacob shares his insights on CMMC and its impact on organizations today.

After so many years of waiting, CMMC is finally here!

The United States Department of War (DoW) released the Cybersecurity Maturity Model Certification (CMMC) final acquisition rule on September 10, 2025, and it becomes effective on November 10, 2025.

Let’s dive into what CMMC is and what happens next!

How did we get here?

Foreign adversaries have been compromising DoW contractor networks and stealing information about critical DoW programs for years.

The department responded by creating contractual clauses focused on the implementation of NIST 800-171’s security controls. NIST 800-171 outlines the controls necessary to protect Controlled Unclassified Information (CUI) on non-government systems.

DFARS 252.204-7012 required contractors to:

  • Implement NIST 800-171 no later than December 31, 2017

  • Report cyber incidents within 72 hours

  • Use FedRAMP moderate “equivalent” cloud service providers when they hold CUI

The DoW soon discovered that contractors were still not implementing the security controls, so the DoW created provision DFARS 252.204-7019 and contract clause DFARS 252.204-7020.

DFARS 252.204-7019 requires the contractor to submit a NIST 800-171 self-assessment score to DoW to be eligible for contract award.

DFARS 252.204-7020 requires the contractor to allow the government to perform third-party cyber assessments of the contractor’s covered network.

The government has been assessing contractor networks for years under DFARS 7020, and contractors have continued to demonstrate that self-attestation of cyber compliance does not work.

How does CMMC fit into the picture?

CMMC has three levels, and the requirements vary per level:

CMMC Level 1

  • Implement 15 controls

  • Required for contracts with only Federal Contract Information (FCI) (no CUI)

  • Contractor is required to perform a self-assessment – no 3rd-party assessment is required

CMMC Level 2

  • Implement 110 controls

  • Required for contracts with CUI

  • Many contracts will require a CMMC level 2 certification via a 3rd-party assessment by a C3PAO

CMMC Level 3

  • Implement 24 additional enhanced security controls

  • Required for DoW’s most critical CUI programs

  • All contracts will require a 3rd-party assessment by DIBCAC resulting in CMMC certification

    • CMMC level 2 certification is a prerequisite

Contracts/solicitations will require compliance or certification at a specific CMMC level and the government will not award a contract to a company that isn’t compliant.

The acquisition rule modifies a contractual clause called DFARS 252.204-7021 which is the contractual clause that will require either CMMC compliance or certification at a specified CMMC level.

It is estimated that there are between 80,000 and 300,000 companies in the Defense Industrial Base (DIB). It is impossible for the government to assess that number of companies itself.

CMMC expands the capacity to perform independent assessments and establishes an ecosystem of independent assessors called CMMC Third-Party Assessor Organizations (C3PAOs).

From the beginning, the DoW has been focused on protecting its information. Similar to health data in a HIPAA context, or PII in a privacy law context, FCI and CUI are the regulated information that is in scope.

What’s next?

CMMC certification assessments have been occurring since the CMMC final program rule became effective back in December of 2024. When the CMMC acquisition final rule is effective in November of 2025, the CMMC phase-in begins.

The CMMC timeline

Each phase of the CMMC rollout introduces progressively higher certification requirements, ultimately leading to full implementation by phase 4. Here’s a breakdown of the timeline:

Phase 1: Initial Requirements

  • Start Date: November 10, 2025

  • Requirements: contractors handling FCI and CUI will need to self-assess that they meet either CMMC level 1 or CMMC level 2 to qualify for applicable DoW contracts.

  • Optional: The DoW may require CMMC level 2 certification for specific contracts or option periods.

Phase 2: CMMC Level 2 Third-Party Assessments

  • Start Date: November 2026

  • Requirements: DoW will mandate CMMC level 2 certification requirements for contract awards, with the flexibility to require it only during option periods.

  • Optional: The DoW may begin to include CMMC level 3 certification requirements for contracts with higher security needs.

Phase 3: CMMC Level 3 Third-Party Assessments

  • Start Date: November 2027

  • Requirements: Both CMMC level 2 and CMMC level 3 certification will be required as conditions for new contracts and option periods.

  • Optional: The DoW may delay CMMC level 3 requirements to option periods for some contracts.

Phase 4: Full Implementation

  • Start Date: November 2028

  • Requirements: At this final phase, CMMC requirements will apply to all applicable contracts, including those awarded prior to Phase 4.

What contractors should do now

If your company hasn’t started working on NIST 800-171 and CMMC compliance, it is time to dive in before it is too late!

Large primes are applying more pressure on their subcontractors to become certified because they will be accountable for their subcontractors’ compliance – at all tiers.

Becoming CMMC certified early in the CMMC phase-in period will be a competitive advantage, but over time it will become “the norm.”

Here are a few steps you should prioritize right now:

1. Determine Your Certification Level

Identify which CMMC level your organization needs based on the type of information you handle.

This step will determine the CMMC level of assessment and resources required. Plan ahead and think of the contracts you want to go after in the next three years, because CMMC level 1 will be limiting. C3PAOs can be found on the CyberAB marketplace.

2. To insource or outsource?

Does your team have the technical and cybersecurity skills to address the security controls?

If not, consider hiring a Managed Service Provider (MSP) like Summit 7 to manage your IT environment. Most MSPs are not focused on CMMC and unfortunately will be the cause of many failed CMMC assessments, so choosing the right MSP is critical!

3. Begin preparing ASAP

Estimates of how long it takes to go from 0% to 100% CMMC compliance range from 6 to 18 months. The duration varies based on the size and complexity of your organization and systems.

4. Engage with a C3PAO Early

If CMMC certification is in your future, reserve your assessment spot with a C3PAO as soon as you can. There are only 82 C3PAOs as of the time of this writing, and many of them are already booked into 2026.

5. Develop an Ongoing Compliance Strategy

CMMC certification requires annual affirmations of compliance. Set up regular reviews and training to ensure ongoing compliance.

Closing Thoughts

NIST 800-171 is the US federal standard to protect CUI.

Soon there will be a contractual clause in the FAR requiring the implementation of NIST 800-171 for federal (non-DoW) contracts. If you want to support the federal government, you will not be able to get away from these security controls.

For the sake of our nation’s security and your business’s survival, the time to comply is now.
