Countdown to CMMC compliance: Will you be ready before year-end 2025?

The deadline for Cybersecurity Maturity Model Certification is now imminent. Read what defense contractors should do to prepare.

For members of the Defense Industrial Base, Cybersecurity Maturity Model Certification (CMMC) requirements are no longer an optional mission: Contractors must be ready before year-end 2025 or risk losing their contracts either as a prime or subcontractor.

In late July, the Department of Defense (DoD) submitted the 48 Code of Federal Regulations (CFR) rule to the Office of Management and Budget (OMB) – including clause 204.7503, which formally introduces the requirement for contractors to comply with CMMC. Specifically, it mandates the use in contracts of clause DFARS 252.204-7021, which requires contractors to hold a valid CMMC certification at the level specified in the contract. Now, starting sometime in Q4 2025, DoD contracts will begin a phased-in requirement for CMMC compliance, and the DoD’s planned timeline is to have full CMMC implementation in place by 2028.

A recent memorandum from the Secretary of Defense reinforced the critical role of CMMC in safeguarding the DoD’s supply chain. That directive emphasizes the need for secure procurement and deployment of both software and hardware across the DoD, citing CMMC certification as one of the required benchmarks for all members of the Defense Industrial Base.

A significant number of organizations remain behind the curve. In a study by Redspin, more than 16% of Defense Industrial Base contractors surveyed last fall reported little to no readiness for CMMC compliance; nearly half admitted to being only moderately or slightly prepared, and 13% said they had taken no action at all. These numbers highlight just how crucial it is to take steps now to meet the deadline.

Now is the time to be proactive – preparing today is essential to keeping your contracts secure.

What are your next steps to CMMC compliance?

With the deadline rapidly approaching, there is a heightened urgency to uncover weaknesses and be adequately prepared to support the war-fighting mission of the DoD by being CMMC-certified.

Companies and individuals may be wondering, “Where do I go from here?” Some concrete steps to take include the following:

  • Determine your scope, applicable certification level, and controlled unclassified information (CUI) boundaries.
  • Develop and finalize a System Security Plan (SSP).
  • Verify your cloud and external service providers’ FedRAMP equivalency.
  • Conduct a readiness assessment aligned with NIST SP 800-171 rev. 2.
  • Engage a Certified Third-Party Assessor Organization (C3PAO) early.
  • Establish a sustainment plan for continuous compliance.

How CohnReznick can help

CohnReznick is proud to be one of the few firms recently reauthorized as a C3PAO. Renewal is more than just a milestone: It reflects our long-standing involvement with CMMC from its early stages. We have worked closely with clients through multiple phases of the program, adapting to changes and assisting organizations in achieving certification. We can leverage that experience to help your organization as well.

We support our clients through every phase of the journey:

  • Readiness assessments tailored to your environment and risk profile
  • Policy and documentation development aligned with NIST 800-171
  • Remediation planning and implementation support
  • Official Level 2 assessments conducted by certified assessors
  • Ongoing advisory services to maintain compliance and prepare for future audits

Whether you are just beginning your CMMC journey or preparing for a formal assessment, CohnReznick is ready to help you get CMMC-certified.

Learn more about our CMMC services, or reach out to get started.


This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.