Compliance with CMMC has been a hot topic in the Defense Industrial Base going on five years, and during all that time people have questioned whether it’s real. At CompliancyIT, we strongly believe it’s not only real, but it’s coming faster than many people realize. It’s time to get on board before businesses start losing contracts. We can help you understand your obligations, get everything in shape, and get certified…quickly.
Believe it or not, we still hear some business owners in the Defense Industrial Base say:
- “It’ll never happen. I’ll never see this in my contracts.”
- “If it happens, I’ll complain to my Congressperson or DOGE about the cost and they’ll get me off the hook.”
- “Even if I can’t get off the hook, I’m super important to the supply chain and they’ll give me an exception.”
- “The cost of compliance is too high and there’s no way I can win a lowest cost contract with all this cybersecurity.”
- “CMMC makes it too hard for me to run my business so I’m not going to do anything.”
Resistance to CMMC has recently surfaced again as Michael Duffy, the nominee for Undersecretary of Defense for Acquisition and Sustainment, testified during his Senate confirmation hearing. He stated, “If confirmed, I will review the current requirements of the CMMC program and evaluate options to improve the requirements and implementation so that industry can affordably maintain pace with current cybersecurity best practices.”
Source: Trump’s Pentagon acquisition chief nominee vows to review controversial CMMC program | DefenseScoop
Some folks believe this telegraphs the administration’s intention to scale back CMMC due to industry’s complaints over cost and complexity.
Everything we’ve seen indicates the opposite. For your consideration:
- CMMC has been building over decades, spanning administrations of both parties. CMMC gained momentum during the first Trump administration, indicating support for the initiative.
- During his confirmation hearing, Michael Duffy reinforced the need for the DIB to bolster cybersecurity, especially because “these businesses are often more vulnerable to cyberattacks due to resource constraints, yet they play a vital role in our nation’s defense.”
- Katie Arrington, the main advocate for CMMC during that first Trump administration, explained the program is proceeding. She noted the US loses $180M/day in intellectual property, which is much more than the cost of CMMC compliance to the US economy. Source: Just Katie’s thoughts on the executive order pulling back regulations… | Katie Arrington
- The CMMC rule was finalized in December and there’s been no indication of being rolled back. Indeed, Katie reinforced that DFARS 252.204-7012 has been settled law for a long time and there’s no way that’s being rolled back. CMMC simply adds a certification requirement to enforce compliance.
- On January 15, 2025, a new rule was proposed for the FAR that will extend CMMC-style controls beyond the Department of Defense. This allows all US Government agencies to require protection of CUI for any and all federal contracts. Source: 2024-30437.pdf
These points reinforce that CMMC is here. Hoping to get out of it is not a winning business strategy.
Prime contractors are already requiring some subs to be fully compliant with 800-171 even if they’re not requiring certification yet. It’s only a matter of time before certification hits DoD contracts, and we’re expecting the first ones to be issued in October 2025. We expect the FAR CMMC rule to be finalized this year with non-DoD contracts requiring certification to come sometime thereafter.
Now is the time to take action if you’ve been waiting on the sidelines. To get a peek at where we see companies missing key elements of CMMC, grab a copy of our Free Report “5 Ways We See Every Company Fail CMMC Compliance” here:
And if you’re unsure about your CMMC Program, you’d like a second pair of eyes, or just plain old need some help, we’d love to hop on your team and give you the guidance you need to succeed!
Ace Swerling, Sr. Compliance Consultant
CompliancyIT | www.compliancyit.io | www.getitdoctoolkit.com