The Pentagon has finalized a rule that enforces Cybersecurity Maturity Model Certification standards in defense contracts, transitioning from policy to enforceable requirements across the defense industrial base. This regulation, published in the Federal Register, amends the Defense Federal Acquisition Regulation Supplement and will take effect on November 10, 2025. The Cybersecurity Maturity Model Certification program, introduced in 2020 and revised to CMMC 2.0 in 2021, requires contractors to meet specific cybersecurity benchmarks based on the sensitivity of the information they handle, with three certification levels ranging from basic protections to stringent requirements for high-risk data.
Why do we care?
So, the Pentagon just locked in CMMC as a real contract requirement—no more self-attestation, no more “we’ll get to it later.” By November 2025, if you want defense dollars, you need certification. That sounds like a big opportunity for providers, and sure, there’s business to be had helping customers navigate compliance. But let’s not kid ourselves—some SMBs will look at the cost and just bail out of defense contracts altogether. And if your client waits until next fall to start, good luck finding an auditor. The smart play here isn’t banking on a gold rush—it’s building scalable, ongoing compliance services now and setting realistic expectations with clients. This isn’t about hype, it’s about execution.