The CMMC compliance gap is now a competitive risk

As enforcement ramps up and primes tighten supplier requirements, contractors face a choice: prepare now or lose access to DOD work.
For years, defense contractors have lived with shifting guidance, draft rules, and moving deadlines around cybersecurity compliance. That uncertainty is ending. The Department of Defense is now phasing in its enforcement of the Cybersecurity Maturity Model Certification, the shape of federal contracting is changing, and the consequences for companies that delay are becoming much more tangible.
What once felt like a theoretical requirement is now a condition for eligibility. Primes are asking harder questions, subcontractors are being asked to verify their posture, and companies that cannot demonstrate readiness are already seeing strain in their supply-chain relationships. The risk is no longer abstract: for many contractors, their DoD revenue is on the line.
A Framework Moving from Guidance to Enforcement
CMMC builds on NIST SP 800-171, but with a critical difference: the new rules introduce formal verification. Under the Title 48 (DFARS acquisition) rule, which became effective Nov. 10, 2025, contractors are now expected to substantiate their cybersecurity posture rather than simply attest to it. While the rollout is phased, contracting officers have enough discretion that companies may face requirements earlier than the official milestones suggest.
The corresponding Title 32 program outlines four phases that will govern how CMMC is introduced into federal contracting:
Phase One (November 2025): New contracts will require a valid self-assessment score in the Supplier Performance Risk System (SPRS). Level 2 bidders need a score of at least 88 out of 110, and a score below 110 qualifies only for conditional status: the open items must sit on a plan of action and milestones (POA&M) and be closed within 180 days, and certain requirements cannot be placed on a POA&M at all.
Phase Two (November 2026): For select new contracts, certification by a Certified Third-Party Assessment Organization (C3PAO) becomes mandatory. Program officers retain discretion to impose this requirement earlier, creating uneven but accelerating enforcement pressure.
Phase Three (November 2027): Certification begins to apply not only to new awards but to contract renewals and option periods. Level 3 assessments, conducted by the DoD's own Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) rather than a C3PAO, will apply to contracts involving more sensitive information.
Phase Four (November 2028): Except for commercial off-the-shelf purchases, all solicitations and contracts must include CMMC requirements as a condition of award.
While the structure appears linear, enforcement will not necessarily feel that way. When primes face certification requirements, subcontractors are immediately brought into scope. Since contracting officers have the option to prescribe certification before the formal deadlines, contractors cannot assume they will have until late 2026 or 2027 to prepare.
A Challenge Measured in Scale and Time
The defense industrial base includes roughly 300,000 companies. About 80,000 of them are expected to require Level 2 certification. Today, fewer than 2% have completed the process.
This imbalance is compounded by capacity constraints. Fewer than 100 C3PAOs are currently accredited to perform the required assessments. Even assuming additional designations in the coming months, demand will dramatically exceed supply. Late movers may simply be unable to secure a certification slot before key acquisitions and renewals occur.
The stakes are far higher than administrative inconvenience. A subcontractor that cannot produce a qualifying SPRS score or certification risks being left out of a proposal entirely.
Some primes have already implemented internal readiness scoring systems, restricting how controlled unclassified information is shared with suppliers that appear behind. A growing number are withholding purchase orders until compliance progress is demonstrated.
For companies that rely heavily on defense work, the loss of a single renewal can cascade into layoffs or even insolvency, and under the False Claims Act, misrepresenting cybersecurity posture brings the possibility of treble damages. The financial risk is both immediate and downstream.
Getting Ahead of the Curve
The most effective starting point for contractors is a formal gap assessment. This establishes a baseline against CMMC requirements and identifies the specific policies, processes, and controls that must be remediated.
Many companies choose to work with registered practitioner organizations (RPOs) listed with the Cyber AB, though some prefer to conduct initial assessments internally. Either approach can work, provided the organization has staff who understand the evidence requirements and can build documentation that will withstand third-party review.
Typical readiness timelines run three to six months for organizations with mature cybersecurity programs and six to nine months for those still building foundational processes.
Documentation, not technology, is often the longest and most underestimated portion of the work. Companies expecting to certify during Phase Two should be engaging potential assessors well ahead of time; some assessors will begin filling their 2026 calendars well before Phase Two starts.
Regardless of structure or size, certain steps apply broadly:
- Conduct a gap assessment and update SPRS scores accordingly.
- Prioritize closure of policy and process gaps, which often require the most lead time.
- Confirm that external service providers can meet shared responsibility expectations; in particular, any cloud service that processes, stores, or transmits controlled unclassified information must be FedRAMP Moderate authorized or meet the DoD's equivalency standard, and the division of controls between the provider and the contractor should be documented before the assessment.
- Engage assessors early to avoid capacity constraints.
- Elevate CMMC from an IT task to an organizational priority.
CMMC is no longer a future requirement; it is reshaping the defense marketplace today.
Contractors that take a proactive approach will enter the coming phases with stability and a competitive advantage. Those who wait may find deadlines arriving faster than expected and assessor availability shrinking at the moment they need it most.
Charlie Sciuto is the CISO and CTO for SSE, Inc., a registered practitioner organization (RPO) listed with the Cyber AB (formerly the CMMC Accreditation Body) to help companies prepare for CMMC certification. This can include readiness assessments, gap assessments, remediation, and continuous monitoring for ongoing compliance.