HX5’s Margarita Howard Says Defense Contractors Face Cybersecurity Ultimatum as Pentagon Tightens Standards

The Pentagon can begin requiring cybersecurity certification in defense contracts starting November 10, 2025, marking the start of a three-year phased rollout that will leave defense contractors with a stark choice: invest in comprehensive security infrastructure or lose access to Department of Defense work.

Margarita Howard, founder and CEO of aerospace and defense contractor HX5, frames the situation plainly. “Contractors will not have a choice but to implement heightened cybersecurity requirements if they want to remain a government contractor,” she says.

The implementation of the Cybersecurity Maturity Model Certification program, finalized through a Defense Federal Acquisition Regulation Supplement amendment in September 2025, represents the Pentagon’s shift from self-attestation to verified compliance. The three-year phased rollout will reach full implementation by November 2028, affecting an estimated 100,000 defense industrial base companies and their subcontractors.

Compliance Gaps

Recent surveys reveal troubling disconnects between Pentagon expectations and contractor capabilities. Only 1% of defense contractors report feeling fully prepared for CMMC audits, according to CyberSheath’s 2025 State of the DIB Report, conducted by Merrill Research. Of the 80,000 contractors requiring Level 2 certification, just 270 currently hold final CMMC certificates.

The certification gap extends to fundamental security practices. Fewer than half of surveyed defense contractors have implemented necessary security controls and completed required documentation, including system security plans and plans of action and milestones. Only 29% have deployed secure backup technologies, 22% maintain patch-management systems, and 27% use multifactor authentication.

Compliance scoring tells a similar story. None of the respondents in CyberSheath’s survey reported Supplier Performance Risk System scores of 110—the threshold required for full CMMC Level 2 compliance. The median SPRS score sits at 60, with 17% of contractors still reporting negative scores. Level 2 certification demands implementation of 110 security requirements outlined in NIST Special Publication 800-171 Revision 2 to protect Controlled Unclassified Information in contractor information systems.

Margarita Howard on Compliance Demands

Howard emphasizes that government contracting demands meticulous recordkeeping even before CMMC requirements take effect. “It’s important that a company’s records are impeccable when working with the government due to the compliance reporting and audits that companies have to agree to in order to perform on government contracts,” she says.

Data protection requirements add another layer of complexity. “Ensuring full compliance with all data security and confidentiality compliance requirements and regulations is another key component,” Howard says. “The company must protect information, ensure compliance with data security and confidentiality requirements, take active steps to safeguard information obtained during the procurement process, and adhere to applicable laws and regulations.”

Financial and Strategic Consequences

Achieving CMMC compliance carries substantial costs that scale with organizational complexity. Small defense contractors with 100 or fewer employees face estimated expenses between $30,000 and $150,000, while large enterprises exceeding 1,000 employees may spend $500,000 to $2 million or more, according to data from Kiteworks. 

The financial pressure creates a competitive dynamic. Emil Sayegh, CEO of CyberSheath, notes the math facing contractors: “Eighty thousand defense contractors need Level 2 certification, yet only 270 of these organizations currently hold final CMMC certificates. Contractors that aren’t prepared will be locked out of billions in DoD contracts while their competitors who invested in real compliance and cybersecurity capture the business.”

Contractors who fail to meet CMMC requirements will become ineligible for DoD contracts involving Federal Contract Information or Controlled Unclassified Information. The Justice Department’s Civil Cyber-Fraud Initiative adds another layer of risk, actively pursuing False Claims Act actions against defense contractors for alleged failures to comply with DFARS cybersecurity requirements.

National Security Rationale 

Pentagon officials developed CMMC partly from concerns that many prime contractors and subcontractors remain noncompliant with existing DFARS security requirements. The cyber threat to defense supply chains differs markedly from conventional hazards in onset speed, duration, geographic reach and visibility, according to RAND Corporation research commissioned by the Air Force Research Laboratory.

Nearly 89% of defense contractors have already experienced financial, business or reputational losses from cyber incidents, CyberSheath’s research found. Financial losses were reported by 57% of respondents, business losses by 56%, and reputational damage by 46%.

Small and medium-sized businesses in the defense supply chain face particular vulnerability. These companies often lack robust cybersecurity measures, making them attractive entry points for attackers seeking access to larger networks. A ransomware attack on one contractor can cascade throughout the defense supply chain, with potential theft of intellectual property undermining competitive advantages in military technology development.

Defense contractors work on cutting-edge technologies where stolen intellectual property can be sold on dark web markets or used by adversaries to replicate or counteract U.S. military capabilities. This loss of proprietary information carries long-term strategic consequences beyond immediate operational disruptions.

HX5 Leadership Philosophy Shapes Security Approach

Howard’s management approach informs how HX5 addresses the cybersecurity requirements. “We hold ourselves to the same high standards of performance, integrity, and honesty that we would expect of our employees,” she says.

The company has invested in technology infrastructure to meet evolving federal demands. Howard anticipates that compliance verification will become increasingly automated in coming years. “Contractors will be required to integrate systems that provide continuous reporting and real-time audit capabilities,” she says.

Implementation Timeline and Contractor Response

The phased CMMC rollout begins with Level 1 and Level 2 self-assessment requirements on November 10, 2025. One year later, the Pentagon will begin introducing Level 2 third-party assessments conducted by CMMC Third-Party Assessment Organizations. Level 3 assessments by the Defense Industrial Base Cybersecurity Assessment Center will follow in subsequent phases.

Contracting officers maintain discretion to delay CMMC status requirements to option periods rather than making them contract award conditions. However, all applicable DoD solicitations and contracts must include CMMC requirements by November 2028.

Survey data suggests contractors recognize the urgency. Nearly six in ten respondents in the 2025 research supported stronger DFARS requirements, viewing CMMC compliance as a competitive advantage. Eight in ten expect to undergo third-party audits by winter 2026.