Can You Still Win DoD Contracts Without Being CMMC Certified?

Written by Mira Aslanova | September 10, 2025

If you’re a supplier or subcontractor within the Defense Industrial Base (DIB) supply chain, then you’ve undoubtedly heard a lot about CMMC 2.0 compliance and certification. But can you still win Department of Defense (DoD) contracts without getting certified?

If you’re a prime contractor that handles federal contract information (FCI) or controlled unclassified information (CUI), or are a subcontractor with FCI and CUI flow-down, then the answer is no.

Primes and their subcontractors within the DIB will be required to obtain CMMC certification in order to keep their existing DoD contracts and be eligible to win new ones.

In this article, we’ll discuss the expected deadlines for becoming CMMC compliant and spell out what it could mean for businesses that fail to do so.

With this information, you’ll be able to establish a compliance timeline so you can plan out an effective compliance strategy. This will help ensure that you have everything in place and that nothing gets overlooked ahead of your official audit.

What Is The Deadline To Become CMMC Certified?

You should know that the DoD has already started putting CMMC language into high-priority contracts.

In addition, the second phase of the planned CMMC 2.0 rollout is fast approaching.

Acquisition rule 48 CFR Part 204 (and subparts 212, 217, and 252) is being finalized now and is expected to be published and take effect in late December.

The regulation updates the Defense Federal Acquisition Regulation Supplement (DFARS) to include the specific solicitation provisions and contract requirements outlined in the CMMC 2.0 Final Rule, which went into effect on December 16, 2024.

According to DoD guidelines, the start of the second phase of its four-phase CMMC rollout is expected to kick in after December 16, one year following the adoption of the CMMC 2.0 Final Rule.

Once 48 CFR Part 204 goes into effect, DoD contracting officers will have the authority to include CMMC security requirements in solicitations and contracts moving forward.

While the DoD will decide exactly which contracts or solicitations will be held to the new standards, some businesses that handle CUI can expect to see language requiring third-party assessments for Level 2 compliance to be included in contracts and solicitations by early 2026.

Why Does CMMC 2.0 Compliance Matter?

The government has already indicated that it intends to strictly enforce its cybersecurity regulatory requirements.

For instance, on July 31, 2025, California-based defense contractor Aero Turbine Inc. agreed to pay $1.75 million to settle with the U.S. Department of Justice for DFARS noncompliance under the False Claims Act.

The False Claims Act gives the government the ability to hit businesses with criminal and civil penalties for knowingly misreporting or misrepresenting information related to a federal contract, including cybersecurity violations.

The law also has a whistleblower provision (known as a qui tam) that allows individuals to file lawsuits on behalf of the government against companies they believe to be defrauding the government, such as failing to implement required cybersecurity measures. The government can then choose to step in with such cases.

In the Aero Turbine case, the company—which held a contract to supply turbine engines to the U.S. Air Force—voluntarily disclosed to the government cybersecurity violations related to DFARS 252.204-7012.

Specifically, the settlement alleges that the company failed to implement certain NIST SP 800-171 cybersecurity controls to properly safeguard its CUI. The settlement further alleged that Aero Turbine improperly shared files containing CUI with an Egyptian software company.

There have been several other significant False Claims Act settlements within the past few years related to DIB organizations, including universities, failing to become compliant and knowingly submitting false information into the SPRS portal.

In a press release announcing the Aero Turbine settlement, the Justice Department reiterated its intention to continue such enforcement actions against other companies that fail to meet the cybersecurity requirements.

“Protecting the integrity of the Department of Defense (DoD) procurement processes is a top priority for the DoD Office of Inspector General’s Defense Criminal Investigative Service (DCIS),” Director Kelly Mayo of DCIS said in the press release.

“Failing to comply with DoD contract specifications and cybersecurity requirements puts DoD information and programs at risk of exploitation,” Mayo continued. “DCIS will continue to collaborate with our law enforcement partners and the Department of Justice to investigate allegations of false claims on DoD contracts.”

This means that if you’re not actively taking the steps to become compliant, you could not only be putting current and future contracts at risk, but also be facing the possibility of legal consequences.

In short, if you handle FCI or CUI, you need to make sure that you have the security requirements in place for your CMMC level.

Level 1 suppliers and subcontractors that only handle FCI have to implement fundamental cybersecurity controls, while Level 2 and Level 3 organizations must implement the 110 NIST SP 800-171 requirements to safeguard the CUI they store, process, or transmit (with additional security requirements drawn from NIST SP 800-172 for Level 3 organizations).

Businesses that have implemented the required cybersecurity controls and achieved CMMC certification will remain in good standing with the DoD, giving them a clear advantage over noncompliant organizations to keep current contracts or be eligible to win new ones.

In addition, becoming compliant means that you’ve strengthened your security defenses to ward off ever-evolving cyber threats. With robust security guardrails in place, you can breathe easier knowing that you’ve done everything possible to protect your sensitive data and your business.

For all of these reasons, establishing a compliance readiness plan is critical to ensure that you can get assessed and meet the compliance deadline.

How Can Managed IT Streamline Your CMMC Compliance Process?

As an experienced managed IT service provider, Kelser can provide expert guidance to streamline your compliance process in several ways. They include:

1. Determine your required CMMC level

  • An MSP with qualified cybersecurity experts can help you determine the type of federal data you handle and where FCI and CUI live within your environment

2. Scope your assessment boundary

  • Once you’ve determined your required level, an MSP can help you establish your boundary

  • Scoping your assessment boundary is critical so that you don’t waste time and money on remediations for parts of your environment that are out of scope

3. Perform a gap analysis

  • Perform a gap analysis to evaluate your current security defenses against the CMMC 2.0 requirements for your level

  • Find physical and virtual security flaws within your environment

  • Provide a detailed report spelling out the identified security gaps with recommendations for effective controls to fix those cybersecurity vulnerabilities

  • Develop a plan of action and milestones (POAM) to state how and when you plan to correct the deficiencies

4. Develop a system security plan

  • A system security plan (SSP) serves as the documented proof that your company has implemented all of the required security controls to satisfy the security requirements for your level

  • An SSP is required for CMMC certification

  • Your MSP can review all of your required cybersecurity policies and procedures that will be included in your SSP to ensure that they are up-to-date and in final form (policies that are in draft form or in progress are not acceptable for CMMC audits)

5. Conduct a pre-assessment review and mock audit

  • An MSP can perform a pre-audit review and conduct a mock audit to ensure that no security gaps were overlooked

  • This can help ensure that you don’t face any unwanted surprises during your official CMMC audit

6. Provide follow-up consultation and support

  • We can continue to support your company after you have obtained CMMC certification, with ongoing consultative services to help ensure you stay compliant

Bottom Line: The Time To Become CMMC Compliant Is Now

Our goal in writing articles like this one is to help organizations like yours get CMMC ready so you can stay competitive, retain your existing contracts, and be positioned to win more DoD contracts.

Keep in mind that becoming CMMC compliant takes time. Depending on your current cybersecurity posture and required CMMC level, getting CMMC compliant could take anywhere from six months to a year or more.

If you’re trying to wait until after you have a new contract in hand, that will likely be too late. Keep in mind, too, that if you are among the majority of Level 2 organizations that will require an independent CMMC assessment by a third-party auditor, scheduling and completing that assessment should be factored into your timeline because of the limited number of available C3PAOs nationwide.

As we’ve said, businesses that get a jump on compliance and obtain their certification will be able to maintain their relationship with the DoD, giving them a clear advantage over companies that have yet to become compliant.

Need clarity on your next step or have questions about your compliance readiness? Book your no-cost readiness consultation call. We’re prepared to guide you every step of the way to get you audit ready.