Seller beware: No compliance, no contract


ISJ hears exclusively from Andy Watkin-Child, cybersecurity and risk management expert and George Alevras, Analyst at Evolution about how the US Department of Defence will start enforcing its cybersecurity from November 2025.

From 10 November 2025, the US Department of War (“DoW”) starts its phased roll-out of its Cybersecurity Maturity Model Certification (“CMMC”) program that applies to the Global Defence Industry Base (“DIB”). 

In simple terms, unless a covered contractor or subcontractor demonstrates to the DoW its compliance with CMMC, which may require a certificate of CMMC compliance, it won’t be awarded a new contract or option.

The DoW’s mission: It provides the military forces needed to deter war, ensure the nation’s security and support US national policy.

At the heart of its role is protecting the US from threats, whether they come from nation-states, terrorist groups or new and emerging domains such as cyber warfare.

To achieve this, the DoW maintains a constant state of readiness; troops, equipment, intelligence and technology must all be prepared to respond at any moment.

This readiness translates into confidence: Knowing that the nation can defend itself when necessary.

In achieving its mission, the DoW relies on the security of its weapon systems: systems that depend on IT for their design, manufacture, operability and interoperability in and across the battle space.

The security of digital data is critical for the DoW and the success of its mission. Data security has a direct impact on national security, military readiness and technological superiority.

How does the security of DoD data support the DoW’s mission?

  • Technological advantage in the battle space is lost if data is stolen from the Global Defense Industrial Base; adversaries will use it to weaken US military capabilities
  • Exploitation of data about US weapon systems poses serious risks to national security, military readiness and technological superiority
  • Military readiness depends on uninterrupted access to data, systems and supply chains
  • Supply chains create, process, store and transmit DoD data, the data used to design, manufacture, service and support DoD weapon systems
  • Economic advantage is lost if data is stolen, since DIB contractors and subcontractors have invested resources in weapon systems design and manufacturing
  • Erosion of trust: the US frequently shares sensitive defense information with trusted allies, and this trust is eroded if data cannot be secured

To secure the data associated with the design, manufacture, service and support of its weapon systems, the DoW relies on a symbiotic relationship with the DIB and cybersecurity regulation enforced through its Defense Federal Acquisition Regulation Supplement (DFARS).

The DoW introduced DFARS 252.204-7012 (“7012”) as early as 2016; it applies to DoW contractors and subcontractors globally.

7012 has been a requirement passed down by Prime contractors to subcontractors, requiring covered companies to safeguard Covered Defense Information using the 110 security practices identified by NIST SP 800-171 (“NIST 171”).

Contractors and subcontractors should already have self-assessed their compliance and reported their NIST scores to the DoD through its Supplier Performance Risk System (SPRS).

Unfortunately for the DoW, the application of 7012 was highlighted as inadequate by the US Government Accountability Office (GAO) on several occasions.

As a result, the DoW reviewed its approach to cybersecurity across the Global DIB and published the Cybersecurity Maturity Model Certification (“CMMC”) program, formally known as DFARS 252.204-7021 (“7021”), in the Federal Register on 10 September 2025; it takes effect on 10 November 2025.

CMMC requires covered contractors and subcontractors to self-assess and affirm compliance at CMMC Level 1 and if required, present a certificate of CMMC compliance at Level 2 or Level 3. 

Without demonstrating CMMC compliance, DIB contractors and subcontractors may not be awarded a new contract or an option under an existing contract.

What is CMMC?

The goal of the CMMC program is to ensure that DoW contractors and subcontractors protect every covered contractor system that creates, processes, stores, or transmits Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CMMC requires covered contractors to demonstrate their protection of FCI and CUI through the application of cybersecurity practices defined by:

  • The 15 cybersecurity practices of FAR 52.204-21 (CMMC Level 1)
  • The 110 cybersecurity practices defined by NIST SP 800-171 (CMMC Level 2 and Level 3)
  • An additional 24 security practices from NIST SP 800-172 (CMMC Level 3)

Level 1: Basic Safeguarding of FCI – Annual self-assessment and affirmation of compliance with FAR Clause 52.204-21

Level 2: Broad Protection of CUI – Annual affirmation of compliance with NIST SP 800-171 and a self-assessment or CMMC Certificate every three years

Level 3: High Protection of CUI – Annual affirmation, achievement of Final Level 2 CMMC status and an assessment by DCMA’s DIBCAC every three years

CMMC timelines

The DoD has confirmed an implementation timeline starting on 10 November 2025 with the introduction of self-assessment at CMMC Level 1 and Level 2, continuing through four phases until 10 November 2028.

Phase one (10 November 2025): Companies complete a self-assessment and can begin discretionary implementation of CMMC requirements

Phase two (10 November 2026): Companies continue Phase 1 activities and start meeting Level 2 C3PAO certification requirements

Phase three (10 November 2027): Companies follow all Phase 1 and Phase 2 requirements and add Level 3 C3PAO certification requirements

Phase four (10 November 2028): Full implementation is achieved, meaning all CMMC requirements are fully in effect.

What CMMC means for the DIB

Covered defense contractors handling FCI or CUI must self-assess and affirm their compliance with the cybersecurity practices defined by FAR 52.204-21 and NIST 171.

If required by the DoW, they must be prepared to undergo an independent third-party assessment of their compliance to obtain a CMMC certificate of compliance with the 110 security practices defined by NIST 171, which they must present to the DoD if they wish to be awarded a contract or option.

Contractors that do not self-assess and affirm, or that cannot present a CMMC certificate where one is required, will be ineligible for new contract awards or the award of contract options.
