CMMC: From Ignored Compliance to Mandatory Enforcement
Baan Alsinawi, Strategy and Risk Managing Director

Protecting sensitive data does require investment, and that mindset hasn’t been universal. Now, it isn’t an option. It’s time to move from debate to execution.
Compliance isn’t optional anymore… it’s essential and required. With the Department of Defense’s (DoD) CMMC Final DFARS rule[1] published on September 10, 2025, and effective November 10, 2025, CMMC 2.0 requirements are now being written into DoD solicitations and contracts.
Our journey started in 2018, with our first NIST SP 800‑171[2] gap assessment services that helped clients comply with DFARS requirements to protect controlled unclassified information (CUI). Back then, the plan to comply with DFARS was self-attestation – in practice, “Trust us, we’re secure.” You can imagine how that played out.
In 2019 CMMC arrived, designed to add teeth to the DFARS security requirements through audits and accountability. But without enforcement and official implementation backed by actual DoD contract requirements, defense industrial base (DIB) vendors kept checking the self-attestation boxes and hoped no one would look closely. For far too long, no one did. That’s the larger lesson: in compliance, enforcement drives behavior.
As time went on, the cost and complexity argument against enforced compliance grew louder. Many firms, especially small DIB vendors, struggled to fund the necessary policies, procedures, and tools they would need to meet these requirements. That frustration is real.
As of November 10, 2025, those arguments are over. DIB vendors will have to comply with CMMC requirements or risk being shut out of DoD contracts.
CMMC High Level Timeline
- 2017: DFARS clause requires NIST SP 800‑171 safeguards (baseline).
- 2019–2021: CMMC launched, then simplified into CMMC 2.0 (three levels).
- 2025: Final DFARS rule published (September 10); effective November 10, 2025; phased rollout begins.
Where We Are Now
Enforcement is here. If you handle FCI (Federal Contract Information) or CUI, CMMC is now a condition of award and is being phased in over three years.
- DFARS 252.204‑7021 (contract clause) and DFARS 252.204‑7025 (solicitation provision) carry the obligation and notice. [3]
- Phase 1 (started November 10, 2025): DoD may require Level 1 and Level 2 self-assessments; Supplier Performance Risk System (SPRS) posting and annual affirmations are part of eligibility.
- Phases 2–3 (2026–2027): More Level 2 CMMC third-party assessment organization (C3PAO) certifications, then Level 3 (DIBCAC) appears in awards/options.
- By Phase 4 (November 10, 2028): CMMC is broadly applied where FCI/CUI is in scope (commercial off the shelf [COTS] excluded).
What that means in practice:
You must have a current CMMC status in SPRS (with Unique Identifiers [UIDs] per covered system) and a current affirmation of continuous compliance, or you’re ineligible. [4]
We’ve gone from ignored guidance to enforced compliance. Organizations that act now, conducting complete self-assessments, registering SPRS UIDs, assigning an affirming official, and building a culture of shared accountability, will be positioned to succeed in their CMMC compliance mission.
Why This Isn’t Just About Winning Contracts
CMMC is about resilience in a threat landscape that’s getting tougher. The era of cutting corners is over; protecting sensitive data is a collective responsibility across prime and sub DIB contractors. Requirements are cascading down the supply chain; compliance is now an ecosystem responsibility, not just a prime-level task.
Reality check: Yes, we have more clarity than before now that the DFARS rule is live, C3PAOs are operational, and certified assessors are available. That’s progress. But clarity doesn’t equal simplicity. Compliance remains a heavy lift across the board.
Large primes may have bigger budgets, but they’re not immune to pain. Managing sprawling networks, multiple enclaves, and subcontractor oversight makes compliance a complex, ongoing effort.
Meanwhile, smaller DIB vendors face an even steeper climb. With limited investment in risk management, tooling, and documentation, many start from behind, often without formal governance or the technology stack needed to meet requirements. For these businesses, Day 1 readiness isn’t just hard; it can feel overwhelming.
Whether you’re a prime or a small vendor, the fundamentals are the same:
- Define your CMMC boundary: Know what systems process CUI, where data resides, and who has access.
- Map your data flows: This is critical for scoping and audit readiness.
- Build a right-sized architecture: Consider pre-certified infrastructure to reduce complexity.
- Engage expertise early: Advisory support may look like an added cost, but it’s often cheaper than failing an audit and starting over.
- Plan for sustainability: Compliance isn’t a one-time event. Continuous monitoring, annual affirmations in SPRS, and regular policy updates are essential.
Preparing for Certification (Level 2 focus)
Start with the basics, listed above: Define your CUI footprint. What you have, where it lives, who can access it, and how it’s processed. Map data flows and design a right‑sized architecture. Choosing pre-certified infrastructure and narrowing your audit scope can make the effort more manageable. (This is where our advisory + C3PAO team spends a lot of time with clients.)
Be fully prepared: CMMC audits are strict. There’s no risk acceptance and no “fix it later.” Gaps must be remediated before certification, otherwise you risk failure and costly rework. (Again, this is where our advisory + C3PAO team spends a lot of time with clients.)
Plan for the long game to stay in the game: Once you achieve this hard-earned compliance, plan to stay compliant. Maintain continuous monitoring, run regular assessments, and keep policies and procedures current. DFARS recognizes Conditional and Final statuses with specific validity windows, so you’ll need annual affirmations in SPRS to keep status current over your certificate’s life.
Looking Ahead: What’s Next for CMMC
Even though CMMC 3.0 isn’t official yet, DoD has signaled alignment with NIST SP 800‑171 Rev. 3 and newly issued Organization‑Defined Parameters (ODPs)[5]—turning “fill‑in‑the‑blank” control language into prescriptive values (e.g., lockout after 5 failed logins in 5 minutes; auto‑lock after 15 minutes of inactivity). Start preparing now with gap analysis and policy updates, so those values are already reflected in your environment.
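To make the ODP point concrete, here is a small gap check written for this post (it is an added example, not code from the original article or from DoD). It assumes the account-lockout settings live in a pam_faillock `faillock.conf` file and that the screen-lock idle timeout is read from wherever the platform stores it and passed in as seconds; all sample values are constructed.

```python
"""Added example, not from the original post: a gap check for two of the
ODP values the post cites. It reads a pam_faillock faillock.conf fragment
plus an assumed idle-lock timeout and reports where the configuration is
weaker than the ODP. All sample values below are constructed."""
import re
from typing import Optional

# Prescriptive ODP values quoted in the post, expressed in seconds.
ODP_MAX_FAILED_LOGINS = 5          # lock out after 5 failed logins ...
ODP_FAIL_WINDOW_SECONDS = 5 * 60   # ... within 5 minutes
ODP_IDLE_LOCK_SECONDS = 15 * 60    # auto-lock after 15 minutes idle


def parse_faillock_conf(text: str) -> dict:
    """Parse `key = value` lines of faillock.conf, ignoring comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=\s*(\S+)$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def odp_gaps(faillock_text: str, idle_lock_seconds: Optional[int]) -> list:
    """Return gap findings; an empty list means both ODPs are met or exceeded."""
    cfg = parse_faillock_conf(faillock_text)
    gaps = []
    # deny = attempts before lockout; stricter means fewer attempts.
    deny = cfg.get("deny")
    if deny is None or not deny.isdigit() or int(deny) > ODP_MAX_FAILED_LOGINS:
        gaps.append(f"faillock deny={deny!r}: set explicitly to <= {ODP_MAX_FAILED_LOGINS}")
    # fail_interval = window in which failures count as consecutive; a LONGER
    # window is stricter, so the ODP is met when it is >= 300 seconds.
    window = cfg.get("fail_interval")
    if window is None or not window.isdigit() or int(window) < ODP_FAIL_WINDOW_SECONDS:
        gaps.append(f"faillock fail_interval={window!r}: set explicitly to >= {ODP_FAIL_WINDOW_SECONDS}")
    # Idle lock: 0 or None is treated as 'disabled' (assumption), so it is a gap too.
    if not idle_lock_seconds or idle_lock_seconds > ODP_IDLE_LOCK_SECONDS:
        gaps.append(f"idle lock={idle_lock_seconds!r}: enable and set to <= {ODP_IDLE_LOCK_SECONDS}")
    return gaps


# Constructed sample: lockout too lenient, idle lock too long.
SAMPLE_FAILLOCK_CONF = """
# constructed /etc/security/faillock.conf fragment
deny = 10
fail_interval = 900
unlock_time = 600
"""

if __name__ == "__main__":
    for finding in odp_gaps(SAMPLE_FAILLOCK_CONF, 30 * 60):
        print("GAP:", finding)
```

The same shape extends to the other ODPs as they are published: one constant per prescribed value, one comparison that knows which direction is "stricter".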
At the high end, CMMC Level 3 brings in selected NIST SP 800‑172 enhanced controls for advanced threat defense with zero trust-style segmentation, continuous situational awareness, and response capabilities. If you’re on a path to Level 3, architect for that now.
Ready to move?
If you’re wondering where to start, let’s talk. Our advisory + C3PAO team has sat on both sides of the table, designing right-sized boundaries, tightening controls, and getting clients audit-ready by prioritizing the strategy and actions that achieve the best results.
Next up in this series: “Defining Your CMMC Boundary and Selecting the Right Architecture.” It’s the blueprint you need before you even think about certification.
[1] Cybersecurity Maturity Model Certification (CMMC) program. Defense Federal Acquisition Regulation Supplement (DFARS) final rule: https://www.federalregister.gov/documents/2025/09/10/2025-17359/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
[2] National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
[3] DFARS 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements: https://www.acquisition.gov/dfars/252.204-7021-contractor-compliance-cybersecurity-maturity-model-certification-level-requirements
[4] CMMC FAQs, version 3: https://dowcio.war.gov/Portals/0/Documents/CMMC/CMMC-FAQsv3.pdf
[5] CMMC FAQs, version 3, FAQ B-Q4, p. 6: https://dowcio.war.gov/Portals/0/Documents/CMMC/CMMC-FAQsv3.pdf