Everybody comply now.
That’s the message for Department of Defense (DOD) contractors as the federal agency moves to enforce Cybersecurity Maturity Model Certification (CMMC) requirements as defined in the December 16, 2024, CMMC Program Rule. As of 2025, all new contracts with DOD are required to adhere to the guidelines.
The program is in place to enforce existing standards, Deltek Senior Manager of Cloud Solutions Michael Greenman told IT Brew during a break from the floor at CEIC West, a CMMC-focused conference, in May. The contract clause dates back to 2017, and for a time relied on the honor system. That didn’t work, perhaps predictably; Greenman said that the lack of self-enforcement was even worse than DOD had expected.
“CMMC was born as the enforcement of the cybersecurity requirements that defense contractors have had again in their contracts for many, many years,” Greenman said. “And so in the first version of CMMC, it was a bit haphazard, didn’t do the full baked out version.”
Figuring it out. DOD went back to the drawing board and developed a strategy that the Biden administration published in December. The CMMC enforcement clause, acting DOD CIO Katie Arrington said at the AFCEA TechNet Cyber conference in May, shouldn’t be feared or disparaged.
“If you’re putting down the CMMC, why are you putting it down?” Arrington said. “It’s only an audit measure for you to do what you were contractually required by law to do since 2014.”
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
In a Deltek survey of IT professionals, over half (55%) of those polled said they expected CMMC guidelines to apply to their business, with 69% saying they were planning on achieving a Level 3 certification through the program, the highest level available with 134 requirements, a triennial government-led assessment model, and annual affirmations.
Moving forward. Costs associated with compliance can run into the tens of thousands. Deltek’s survey found that while smaller businesses are running costs of under $50,000 to get into compliance, “57% of enterprise businesses have spent a minimum of $100k to implement CMMC compliance measures.”
That’s nothing to sneeze at. But the end result is that DOD contractors are going to have to toe the line, Greenman said. Enforcement is in place and, as he noted at CEIC West, contractors are at “critical moment” as they work on complying with the rule.
“CMMC is here to stay,” Greenman said. “You need to be doing this if you’re a defense contractor, if you serve the defense industrial base, whether as an MSP, an MSSP, or a cloud service provider like we are here at Deltek.”