The Department of Defense will require cybersecurity certifications for contractors handling sensitive data by October 2025, six months earlier than planned, according to a policy memorandum issued Monday.
The accelerated timeline affects approximately 220,000 companies in the defense industrial base that process, store, or transmit controlled unclassified information. Companies must achieve Cybersecurity Maturity Model Certification (CMMC) before bidding on new DoD contracts.
Certification Levels
CMMC establishes three certification levels based on the sensitivity of information contractors handle. Level 1 requires basic cybersecurity practices. Level 2 aligns with NIST SP 800-171 controls. Level 3 addresses advanced persistent threats.
DoD officials estimate 80 percent of contractors will need Level 2 certification, requiring implementation of 110 security controls across 14 domains including access control, incident response, and system monitoring.
"The threat to our supply chain is real and growing," said Katie Arrington, DoD's chief information security officer for acquisition. "We cannot wait any longer to secure the defense industrial base."
Industry Concerns
Defense contractors and industry groups say the accelerated timeline creates significant compliance challenges. Third-party assessment costs range from $10,000 to $100,000 depending on company size and complexity.
Small businesses face additional hurdles implementing required controls with limited IT security budgets and staff. Some contractors may exit the defense market rather than pursue certification, according to the National Defense Industrial Association.
Implementation Support
DoD allocated $500 million to help small contractors achieve certification, including grants covering up to 75 percent of assessment costs for companies with fewer than 50 employees. The department also launched a technical assistance program providing free consultation.
More than 150 certified third-party assessment organizations can conduct CMMC evaluations. DoD maintains an authorized assessor directory at cyberab.org.
Contractors must maintain continuous compliance and undergo reassessment every three years. DoD will begin including CMMC requirements in contracts starting October 1, 2025.