Have Defense Contracts? Breaking Down the CMMC Rule for You

October 22, 2025
Michael Greenman
Sr. Product Marketing Manager

In an era where cybersecurity threats are increasingly sophisticated, the Department of Defense (DoD) is taking decisive action to protect critical data through the Cybersecurity Maturity Model Certification (CMMC), a framework designed to enhance the overall security of sensitive information. The purpose of CMMC is to verify that defense contractors comply with existing protections for federal contract information (FCI) and controlled unclassified information (CUI), ensuring that this information is protected at a level commensurate with the risk from cybersecurity threats, including advanced persistent threats. The completion of the CMMC rulemaking process marks a significant step toward enforcing cybersecurity standards for defense contractors.

With the CMMC requirement appearing in new DoD contracts—beginning November 10, 2025—contractors have a clear timeline of when to expect these new compliance requirements. The three-year phased approach aims to prevent last-minute rushes to bring cybersecurity standards up to par, allowing organizations (and industry) time to effectively align their data security practices with the new requirements. Some defense contractors may need extra time, because many DoD contracts will require a CMMC Level 2 certification. This level of certification involves an official and independent third-party audit to be awarded DoD contracts, which is a big change from the current practice of self-attestation of cybersecurity compliance and comes with a substantial cost. 

As the implementation of CMMC rolls out, defense contractors will need to assess their current cybersecurity posture and develop compliance strategies to avoid potential issues when seeking their CMMC certifications and bidding on federal contracts. 

Below, you will find some key statistics and industry terms about the CMMC program, which will help familiarize you with this monumental change in how government contracts for the Department of Defense will be awarded going forward. 

CMMC By the Numbers

How Can You Prepare

With the CMMC program now finalized and poised to begin appearing in new contracts next month, defense contractors should focus on preparing for their CMMC certification assessments. Although the CMMC program rollout will be a phased approach, contractors should prioritize CMMC compliance now, as preparing for and completing assessments can be time-consuming. 

Once CMMC requirements are incorporated into solicitations, contractors who do not meet the necessary CMMC compliance requirements will be ineligible for new contract awards. While program managers may request waivers for CMMC requirements in certain cases, such waivers are anticipated to be uncommon. 

The rollout of CMMC requirements in DoD contracts will occur in four phases over the course of three years:

CMMC Phased Rollout Plan:

  • Phase 1: Starts when the contractual requirement rule is final; lasts 12 months and requires only Level 1 and 2 self-assessments for contracts
  • Phase 2: Begins immediately following the end of Phase 1; lasts 12 months and adds the requirement of Level 2 certification assessments for new contracts
  • Phase 3: Begins immediately following the end of Phase 2; lasts 12 months and includes Level 2 certification assessments for contract option periods, along with Level 3 certification assessments for all applicable contracts
  • Phase 4: Begins immediately following the end of Phase 3; requires CMMC certifications for all DoD contracts

Since the DoD will ultimately specify which CMMC level will be required in a solicitation, defense contractors and subcontractors should review their active defense contracts now to determine whether they currently possess, store, or handle CUI or FCI. This is a likely indicator of the CMMC level they should aim to achieve certification for. 

Deltek’s Role in Supporting CMMC Requirements

Navigating the intricacies of CMMC compliance can be overwhelming and challenging. It’s neither a quick nor an inexpensive process. With the right support, this process can be smoother and more effective. As an industry leader, Deltek stands ready to be your trusted partner, offering comprehensive solutions and expert guidance to help you meet all CMMC requirements. 

 

Originally published on October 29, 2024