Cybersecurity Insights: Preparing for CMMC Compliance


CMMC is no longer a future requirement—it is here. The rules are in effect, and the impacts will be real and measurable for non-compliance:

  • Loss of revenue, blocked from DoD contracts and renewals

  • Reputational damage

  • Legal and regulatory liability under the False Claims Act and breach consequences

  • Competitive disadvantage compared to compliant peers

  • Heightened cybersecurity exposure and increased risk of breach

  • Supply chain vulnerability and potential exclusion from prime contracts

Bottom line: Noncompliance exposes your organization to existential risk. CMMC must be treated as a board-level priority, directly tied to revenue, risk, and long-term growth strategy.

On September 10, 2025, the U.S. Department of Defense (DoD) finalized the 48 CFR rule, formally integrating the Cybersecurity Maturity Model Certification (CMMC) into the defense contracting process. Starting November 10, 2025, CMMC requirements will be included in solicitations and contracts, making compliance a condition of working on contracts that support the DoD.


Why CMMC Compliance Matters Now
Cybersecurity has become a national security priority. The DoD estimates that adversaries have stolen hundreds of billions of dollars’ worth of defense IP, including weapons designs and sensitive R&D. Major breaches, from SolarWinds to ransomware incidents targeting defense suppliers, have shown that even well-funded companies remain vulnerable.

CMMC is designed to ensure contractors can demonstrate—through evidence—that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are properly protected.

Question: If our network was breached tomorrow, could we prove that our CUI was protected according to NIST SP 800-171 requirements?


Phased Rollout
The DoD is phasing in requirements through 2028:

  • Phase 1 – Nov 10, 2025: Self-assessments required; registration in Supplier Performance Risk System (SPRS) becomes mandatory.
  • Phase 2 – Nov 10, 2026: Third-party (C3PAO) assessments required for Level 2 contracts; expect scheduling bottlenecks.
  • Phase 3 – Nov 10, 2027: Government-led Level 3 assessments begin; primes must enforce subcontractor compliance.
  • Phase 4 – Nov 10, 2028: Full enforcement—no award without a valid CMMC certification or approved POA&M.

What this means: Those who have DoD contracts should start getting ready and schedule an assessment with a C3PAO, or risk not being competitive after November 10, 2026.


Executive Readiness Roadmap

  1. Determine Scope: Identify where FCI/CUI is created, processed, or stored. Default to Level 2 if any CUI is handled (even if it isn’t labeled).
  2. Readiness Assessment: Conduct a gap analysis; update your System Security Plan (SSP), Plan of Actions & Milestones (POA&M), CUI Data Flow Diagram, and System Diagram; and register in SPRS. Budget implications should be presented to senior leadership, as implementation and remediation may take 12-18 months if starting from scratch.
  3. Remediate & Document: Implement missing controls, collect evidence continuously, and train staff on CUI handling.
  4. Engage Expertise: Consider external advisors to streamline remediation and prepare for C3PAO review.
  5. Engage a C3PAO: With over 300,000 organizations requiring certification and limited C3PAOs, schedule early.
  6. Certify: Undergo the four-phase C3PAO process (pre-assessment, on-site assessment, reporting, close-out). Note that the assessment phase is conducted on site at every facility handling CUI and includes physical security assessment(s) and interviews.
  7. Maintain Compliance: Establish dashboards, quarterly reporting, and supplier monitoring to prevent compliance drift.
Note: Prime contractors are held responsible for monitoring subcontractor compliance.


Budget & ROI Considerations
Noncompliance risks include contract loss, reputational damage, and legal liability. Forward-leaning firms are using CMMC as a differentiator to win work and demonstrate cybersecurity maturity to primes and the DoD.

Achieving CMMC compliance strengthens internal security practices and also signals readiness for long-term success under evolving defense standards. Companies that complete the CMMC assessment and maintain certification show a stronger commitment to protecting controlled unclassified information, building trust with partners and customers alike.

Supply Chain & Governance
Your compliance is only as strong as your weakest supplier. Require subcontractors to disclose CMMC status, include compliance clauses in contracts, and offer guidance to smaller suppliers. Establishing clear expectations around CMMC compliance and security requirements helps ensure the entire supply chain is prepared to support DoD contract obligations.

Boards should receive regular updates on control implementation, POA&M closure rates, and supplier compliance. Treat CMMC as part of enterprise risk management. Regular reporting on CMMC compliance and alignment with the CMMC framework ensures executives remain informed about potential risks to security requirements, while also demonstrating readiness to achieve CMMC accreditation and support future DoD contract opportunities.

Next Steps
The November 10, 2025 deadline is near. Executives need to:

  • Commission a readiness assessment and determine remediation activities.
  • Budget for remediation and certification.
  • Engage C3PAOs and schedule the certification assessment.
  • Communicate requirements to suppliers.
  • Make CMMC part of enterprise risk management and quarterly reporting.


Conclusion
The CMMC program is a turning point for the defense industry—an opportunity to reduce risk, strengthen cybersecurity, and build trust with the DoD. Early movers will avoid last-minute scrambles and position themselves as preferred partners.

Organizations must understand that CMMC assessments are not IT assessments. They are assessments of how the business protects CUI. Because most businesses handle CUI electronically, IT is heavily involved, but be prepared for more than just an “IT audit”.

Failing to attain CMMC certification is a revenue, risk, and reputation issue. Act now, invest wisely, and turn compliance into a competitive advantage.


RubinBrown Support
RubinBrown is actively supporting our clients seeking to achieve and maintain compliance with CMMC. We have strategic relationships with C3PAOs for the formal certification process, while we are focused on consulting, advisory, and compliance management requirements. Please feel free to reach out to your RubinBrown point of contact if we can provide any assistance.

Published: 09/25/2025

Readers should not act upon information presented without individual professional consultation.

Any federal tax advice contained in this communication (including any attachments): (i) is intended for your use only; (ii) is based on the accuracy and completeness of the facts you have provided us; and (iii) may not be relied upon to avoid penalties.

Contact Us:

Audrey Katcher, CPA, CISA, CITP, CGMA Partner audrey.katcher@rubinbrown.com 314-290-3420
Robert Rudloff, CISSP, CISA, QSA, CMMC RPA Partner rob.rudloff@rubinbrown.com 303-952-1220
