The CMMC is coming! The CMMC is coming! (Apologies to Paul Revere)
Too late. CMMC is here and companies are finding themselves in a bind. It certainly is not due to a lack of notice since the CMMC Program (32 CFR Part 170) final rule went in effect on December 16, 2024. This was not something that was sneaked into the Code of Federal Regulations at the last minute; it has been discussed, modified, and discussed more almost four years prior to that. So, where did things start to go sideways?
November 10, 2025. That was the day that the clock started ticking on CMMC compliance for every contractor and subcontractor in the Defense Industrial Base (DIB). According to 32 CFR Part 170, the Department of Defense (DoD) is utilizing a phased approach for the inclusion of CMMC Program requirements in solicitations and contracts. Implementation of CMMC Program requirements will occur over four (4) phases:
(1) Phase 1. Begins on the effective date of the 48 CFR part 204 CMMC final rule and requires Level 1 or Level 2 (Self‑Attestation) CMMC status for applicable DoD solicitations and contracts as a condition of award. At DoD’s discretion, these requirements may also apply to option periods on existing contracts or be elevated to Level 2 (C3PAO) instead of self‑attestation.
(2) Phase 2. Begins one year after Phase 1 and adds a requirement for Level 2 (C3PAO) CMMC status for applicable DoD solicitations and contracts as a condition of award. At DoD’s discretion, this requirement may be deferred to an option period or elevated to include Level 3 (DIBCAC).
(3) Phase 3. Begins one year after Phase 2 and requires Level 2 (C3PAO) for all applicable DoD contracts as a condition of award and option exercise, and Level 3 (DIBCAC) as a condition of award. At DoD’s discretion, the Level 3 requirement may instead be deferred to an option period.
(4) Phase 4, full implementation. Begins one calendar year following the start date of Phase 3. DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts including option periods on contracts awarded prior to the beginning of Phase 4.
(Source: Chief Information Officer - Department of War | About CMMC)
The Flow Down
So, where does the flow down come into play?
If we look at Part 170 in its entirety, the answer lies in 170.3 (c) which reads:
(c) CMMC Program requirements apply to all DoD solicitations and contracts pursuant to which a defense contractor or subcontractor will process, store, or transmit FCI or CUI on unclassified contractor information systems …
The DoD requires that prime contractors secure Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) for their contracts. If the prime subcontracts portions of work or materials to another contractor, and that contract contains FCI or CUI, the subcontractor must meet the CMMC requirements or the prime contractor could potentially lose their contract.
Major defense contractors like L3 Harris, Huntington Ingalls, Lockheed Martin, Boeing, General Dynamics, and others are sending notifications to their sub-contractors and supply chains that they must provide proof of CMMC compliance. Failure to meet the compliance requirements could force the prime contractor to find another source to supply the product and/or service that your company is providing.
The Bottom Line
The security requirements in CMMC are not going away. Businesses are going to have to weigh the cost of meeting the compliance requirements or give up that revenue stream. More prime contractors will be pushing down compliance to their subcontractors because they do not want to risk losing a DoD contract.
If you are a business owner and find yourself in this position, we can help you by providing expert guidance on the cost of meeting compliance. IGI Cybersecurity has CMMC Certified Assessors (CCAs) on staff that can help provide you with the right information to equip you with data needed to make a sound business decision on whether to meet the compliance requirements or let the business go.
Want to learn more? Reach out to our sales team and ask about our complimentary CMMC Readiness Snapshot Program.
