CMMC is no longer a future requirement—it is here. The rules are in effect, and the impacts will be real and measurable for non-compliance:

• Loss of revenue, blocked from DoD contracts and renewals

• Reputational damage

• Legal and regulatory liability under the False Claims Act and breach consequences

• Competitive disadvantage compared to compliant peers

• Heightened cybersecurity exposure and increased risk of breach

• Supply chain vulnerability and potential exclusion from prime contracts

Bottom line: Noncompliance exposes your organization to existential risk. CMMC must be treated as a board-level priority, directly tied to revenue, risk, and long-term growth strategy.

On September 10, 2025, the U.S. Department of Defense (DoD) finalized the 48 CFR rule, formally integrating the Cybersecurity Maturity Model Certification (CMMC) into the defense contracting process. Starting November 10, 2025, CMMC requirements will be included in solicitations and contracts—making compliance a condition of working on contracts support the DoD.

Why CMMC Compliance Matters Now
Cybersecurity has become a national security priority. The DoD estimates that adversaries have stolen hundreds of billions of dollars’ worth of defense IP, including weapons designs and sensitive R&D. Major breaches, from SolarWinds to ransomware incidents targeting defense suppliers, have shown that even well-funded companies remain vulnerable.

CMMC is designed to ensure contractors can demonstrate—through evidence—that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are properly protected.

Question: If our network was breached tomorrow, could we prove that our CUI was protected according to NIST SP 800-171 requirements?

Phased Rollout
The DoD is phasing in requirements through 2028:

• Phase 1 – Nov 10, 2025: Self-assessments required; registration in Supplier Performance Risk System (SPRS) becomes mandatory.
• Phase 2 – Nov 10, 2026: Third-party (C3PAO) assessments required for Level 2 contracts; expect scheduling bottlenecks.
• Phase 3 – Nov 10, 2027: Government-led Level 3 assessments begin; primes must enforce subcontractor compliance.
• Phase 4 – Nov 10, 2028: Full enforcement—no award without a valid CMMC certification or approved POA&M.
• What this Means: Those who have DoD contracts should start getting ready and schedule an assessment with a C3PAO or risk not being competitive after 10 November 2026. 

Executive Readiness Roadmap

1. Determine Scope: Identify where FCI/CUI is created, processed, or stored. Default to Level 2 if any CUI is handled (even if it isn’t labeled).
2. Readiness Assessment: Conduct a gap analysis, update your System Security Plan (SSP), Plan of Actions & Milestones (POA&M), CUI Data Flow Diagram System Diagram, and register in SPRS. Budget implications should be presented to senior leadership—Implementation/remediation may take 12-18 months if starting from scratch.
3. Remediate & Document: Implement missing controls, collect evidence continuously, and train staff on CUI handling.
4. Engage Expertise: Consider external advisors to streamline remediation and prepare for C3PAO review.
5. Engage a C3PAO: With over 300,000 organizations requiring certification and limited C3PAOs, schedule early.
6. Certify: Undergo the four-phase C3PAO process (pre-assessment, on-site assessment, reporting, close-out).  Note the assessment phase is onsite at every facility handling CUI, it includes physical security assessment(s) and interviews.
7. Maintain Compliance: Establish dashboards, quarterly reporting, and supplier monitoring to prevent compliance drift.

Budget & ROI Considerations
Noncompliance risks include contract loss, reputational damage, and legal liability. Forward-leaning firms are using CMMC as a differentiator to win work and demonstrate cybersecurity maturity to primes and the DoD.

Achieving CMMC compliance strengthens internal security practices and also signals readiness for long-term success under evolving defense standards. Companies that complete the CMMC assessment and maintain certification show a stronger commitment to protecting controlled unclassified information, building trust with partners and customers alike.

Supply Chain & Governance
Your compliance is only as strong as your weakest supplier. Require subcontractors to disclose CMMC status, include compliance clauses in contracts, and offer guidance to smaller suppliers. Establishing clear expectations around CMMC compliance and security requirements helps ensure the entire supply chain is prepared to support DoD contract obligations.

Boards should receive regular updates on control implementation, POA&M closure rates, and supplier compliance. Treat CMMC as part of enterprise risk management. Regular reporting on CMMC compliance and alignment with the CMMC framework ensures executives remain informed about potential risks to security requirements, while also demonstrating readiness to achieve CMMC accreditation and support future DoD contract opportunities.

Next Steps
The November 10, 2025 deadline is near. Executives need to:

• Commission a readiness assessment and determine remediation activities.
• Budget for remediation and certification.
• Engage C3PAOs and schedule the certification assessment.
• Communicate requirements to suppliers.
• Make CMMC part of enterprise risk management and quarterly reporting.

Conclusion
The CMMC program is a turning point for the defense industry—an opportunity to reduce risk, strengthen cybersecurity, and build trust with the DoD. Early movers will avoid last-minute scrambles and position themselves as preferred partners. 

Organizations must understand that CMMC assessment are not IT assessments. They are assessments of the how the business protects CUI. Because most businesses handle CUI electronically, IT is heavily involved, but be prepared for more than just an “IT audit”. 

Failing to attain CMMC certification is a revenue, risk, and reputation issue. Act now, invest wisely, and turn compliance into a competitive advantage.

RubinBrown Support
RubinBrown is actively supporting our clients seeking to achieve and maintain compliance with CMMC.  We have strategic relationships with C3PAOs for the formal certification process, while we are focused on consulting, advisory, and compliance management requirements.  Please feel free to reach out to your RubinBrown point of contact if we can provide any assistance.


 

Published: 09/25/2025

_{^{Readers should not act upon information presented without individual professional consultation.}}

_{^{Any federal tax advice contained in this communication (including any attachments): (i) is intended for your use only; (ii) is based on the accuracy and completeness of the facts you have provided us; and (iii) may not be relied upon to avoid penalties.}}