👋 I am an experienced GC at tech companies. I will be writing all things you need to know about legal.
It’s official…the final rule for the Cybersecurity Maturity Model Certification (CMMC) is landing on November 10, 2025. No more maybes. No more “let’s wait and see.” If you’re a defense contractor or anywhere near the Defense Industrial Base (DIB), it’s go time.
Contractors are currently split into three camps:
Camp A: “We’ve been preparing for years. We’re ready.” (These people are lying. Or consultants.)
Camp B: “We’ve heard of CMMC but thought it was optional?”
Camp C: “We have a spreadsheet. It’s…somewhere.”
If you’re in Camp B or C, buckle up. This isn’t just another compliance checkbox. It’s a contract gate. And the DoD is serious this time.
Wait, What’s Actually Happening?
In December 2023, the DoD issued a Notice of Proposed Rulemaking (NPRM) to formalize CMMC. In plain English: they’re replacing the old self-attestation model with real audits, real teeth, and real consequences.
Here’s what’s in the final rule:
CMMC Level 2 will require a third-party audit (via a C3PAO) if you touch Controlled Unclassified Information (CUI)
Contract eligibility will be tied to certification—no certification, no contract
Applies to primes AND subs. If CUI touches your systems, you’re in scope
There’s a 3-year phased rollout, but don’t let that lull you into a false sense of security. You don’t want to be the company scrambling to book an auditor 60 days before your bid is due.
And yes, I’ve seen that happen. The quote came back at $85,000. The CFO said “we’ll revisit next quarter.” The prime moved on without them.
The Real-World Stuff You Should Actually Care About
1. You Might Need to Pay for an Audit…Soon
If you’re handling CUI, a C3PAO audit is coming your way. These aren’t cheap. Current ballpark:
Small business with straightforward systems: $30,000–$50,000
Mid-size org with complexity or hybrid cloud: $70,000–$100,000
Chaos goblin IT environment with no documentation: priceless (but still $100K+)
And that’s just the audit. It doesn’t count the cost of actually fixing gaps. Like the company I worked with last year that discovered they were missing 41 of 110 NIST 800-171 controls. Their IT lead said, “We’re working on it.” That was six months ago. They still haven’t scheduled their audit.
Pro Tip: Budget now. Also, assume your subcontractors are not ready. If you’re a prime, you might want to start screening your supply chain before someone else does.
2. You Can’t Fake the Paperwork Anymore
Security controls are one thing. Documented, implemented, and provable security controls? That’s the new bar.
If your System Security Plan (SSP) is just a printout of NIST 800-171 with checkboxes next to each control and the words “planned” scribbled in pencil—you’re in trouble.
You’ll need:
System Security Plan (SSP)
Plan of Action and Milestones (POA&M)
Evidence. Logs. Screenshots. Configurations.
I once had a client whose SSP listed MFA as implemented, but during a readiness check, the only place MFA was enforced was on the CIO’s laptop. The auditors were…not impressed.
Auditors have one job: to find out if what you claim is actually true. Not what you hope is true. Not what you might someday fix. The truth, with documentation.
3. You Could Lose Bids If You’re Not Certified
This is the big one: you can’t win contracts if you’re not certified. The CMMC requirement will be a hard gate.
Even now, we’re seeing solicitations and primes adding language like: “All subcontractors must be CMMC Level 2 certified at the time of award.”
Not “working on it.” Not “scheduled for Q2.”
I’ve worked with companies that had to scramble at the last minute, trying to find “certified” partners to fill gaps. One told me, “We lost a contract we’ve held for 10 years because we couldn’t get an audit done in time.” Brutal.
And if you think your prime will make exceptions because you’ve “always been great,” think again. They’re not going to risk a bid because you didn’t get your house in order.
What About the Timeline?
Here’s the current rollout plan, per the final rule:
November 10, 2025: Final rule goes live
Year 1 (2026): Level 1 self-assessments required on certain contracts
Year 2 (2027): Level 2 certifications required for some awards
Year 3 (2028): Broad application across all eligible contracts
One thing to note: Level 2 certification requires 6–12 months of prep if you’re not already airtight. Booking an auditor alone can take months because of the backlog.
So if you wait until the requirement is in your contract, it’s already too late.
This Isn’t Just About IT
One of the biggest myths? “This is an IT problem.”
Nope. CMMC touches:
HR (background checks, training logs)
Facilities (physical access controls, badge logs)
Procurement (vendor risk management)
Legal (contracts, flowdowns, representations)
Finance (budgeting for security and compliance)
If you don’t have cross-functional alignment, you’ll fail. I once had a client whose IT team built a secure enclave…but no one told HR to update the onboarding process. A temp got provisioned with local admin rights and no training. Whoops.
Don’t Count on Your MSP to Save You
Managed service providers (MSPs) are helpful, but they can’t do everything.
Your MSP might:
Configure your firewalls
Help you deploy endpoint protection
Run vulnerability scans
But they can’t:
Write your policies
Sign off on internal training
Control physical access to your buildings
Prove who accessed what and when
We had a client where the MSP promised “turnkey CMMC readiness.” We reviewed their evidence package. It was 12 screenshots and a link to a Microsoft blog post. That MSP is no longer on the roster.
Compliance Theater vs. Reality
You know what doesn’t count as compliance?
A Google Doc titled “CMMC Plan” with no updates since 2022
A Jira ticket that says “Audit TBD” with no owner
Telling the auditor “we’ve got that under control” with no documentation
I’ve seen them all. One org printed out every control and wrote “Y” next to each. When I asked for implementation evidence, they said, “Well, we have antivirus.”
CMMC doesn’t care about your intentions. It cares about proof.
If You’re a Subcontractor, You’re in the Blast Radius
You don’t need a prime contract to be in scope. If you touch, store, process, or create CUI, you’re on the hook.
And primes aren’t waiting:
They’re vetting their supply chains
They’re dropping non-compliant subs
They’re including hard certification requirements in their subcontracts
I’ve personally helped primes draft subcontractor flowdowns that say: “Failure to maintain CMMC Level 2 certification may result in termination for convenience.”
And yes, it’s enforceable.
What Should You Be Doing Right Now?
Figure Out if You Touch CUI
If you’re not sure, assume you do
Ask your primes for clarification
Do a Real NIST 800-171 Gap Assessment
Not just checkboxes—detailed analysis
Identify what’s missing and who owns it
Build an SSP That Doesn’t Suck
No generic templates
Tailor to your environment and practices
Budget for Audit and Remediation
Include internal labor, external consultants, and C3PAO fees
Start Tracking Your Evidence
Save logs, configs, screenshots, training rosters
Organize it by control for fast access
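As an added illustration of the last three steps (gap assessment, POA&M, evidence tracked by control), not part of the original post: a small Python triage script that takes a control inventory and reports what an auditor would raise first. Control IDs follow NIST SP 800-171 Rev 2 numbering; the inventory, file paths and owner names are constructed sample data.

```python
"""Gap-assessment triage: build a POA&M list and flag unproven claims.
Added example, not from the article. Control IDs use NIST SP 800-171
Rev 2 numbering; the sample inventory below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    cid: str                      # NIST 800-171 identifier, e.g. "3.5.3" (MFA)
    status: str                   # "implemented" | "planned" | "not_implemented"
    owner: str = ""               # accountable person or team; empty = unassigned
    evidence: List[str] = field(default_factory=list)  # logs, configs, screenshots


def triage(controls: List[Control]) -> Dict[str, List[str]]:
    """Return control IDs grouped by the finding an assessor would raise."""
    findings: Dict[str, List[str]] = {"poam": [], "unproven": [], "unowned": []}
    for c in controls:
        if c.status != "implemented":
            # Anything not fully implemented belongs on the POA&M.
            findings["poam"].append(c.cid)
        elif not c.evidence:
            # "Implemented" with nothing to show is a claim, not a control.
            findings["unproven"].append(c.cid)
        if not c.owner:
            # Every gap needs a named owner or it never gets closed.
            findings["unowned"].append(c.cid)
    return findings


def readiness(controls: List[Control], total: int = 110) -> float:
    """Share of the 110 Rev 2 controls that are implemented AND evidenced."""
    proven = sum(1 for c in controls if c.status == "implemented" and c.evidence)
    return round(proven / total, 3)


# Constructed sample inventory. The 3.5.3 entry mirrors the article's
# anecdote: MFA listed as implemented, but with no evidence of enforcement.
SAMPLE = [
    Control("3.1.1", "implemented", "IT", ["evidence/3.1.1/ad-group-export.csv"]),
    Control("3.2.2", "implemented", "HR", ["evidence/3.2.2/training-roster.pdf"]),
    Control("3.3.1", "planned", "IT"),
    Control("3.5.3", "implemented", "", []),
]

if __name__ == "__main__":
    for finding, ids in triage(SAMPLE).items():
        print(f"{finding}: {ids}")
    print(f"proven controls: {readiness(SAMPLE):.1%}")
```

Point the `evidence` lists at a per-control folder layout (`evidence/<control-id>/`) and the same script doubles as a check that every claimed control has something on disk behind it.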
Final Thought: Nobody Gets a Trophy for Almost
This isn’t a “try your best” moment. If you’re serious about defense work, you need to prove it.
CMMC is the price of entry now. Not a nice-to-have. Not a future consideration.
The government is done pretending that PowerPoints count as cybersecurity. They want receipts. And if you don’t have them, someone else will.
So start now. Before the clock hits November 10.
*Forward to your legal team (or friends) to make sure someone has checked whether they need to be compliant!