Daniel Akridge. Summit 7 discussed during a GCW webinar how CMMC requirements are driving supply chain consolidation.

CMMC Compliance Requirements Causing Supply Chain Consolidation, Says Summit 7

  • The Pentagon’s CMMC requirements are causing consolidation in the defense supply chain, according to Summit 7 analysis discussed during a GovCon Wire webinar.
  • Primes are buying subcontractors to ensure compliance, while subs are buying other suppliers that are leaving the DOW business due to CMMC’s high costs and long timeframes.

The Department of War’s Cybersecurity Maturity Model Certification, or CMMC, requirements are causing consolidation in the supply chain with primes acquiring subcontractors and subcontractors buying other suppliers who choose to get out of the DOW business.

Daniel Akridge, Summit 7 principal engagement executive, said during a webinar the company co-hosted with GovCon Wire that companies are leaving the DOW business because they don’t want to spend the time or money to meet CMMC requirements, which can cost six figures and take as long as 18 months. Akridge described this supply chain consolidation as disruptive. (Watch full “Achieving CMMC Compliance and Mitigating Supply Chain Risk” webinar here.)

What Is CMMC?

CMMC is the Pentagon’s program for strengthening defense industrial base cybersecurity and better protecting controlled unclassified information. Prime contractors like Boeing, L3Harris, Parsons and Raytheon are starting to accelerate their CMMC timelines, even in verticals like construction, so non-compliant subcontractors don’t jeopardize their DOW work. Boeing, L3Harris and Parsons didn’t return requests for comment prior to publication. Raytheon said it would not be able to comment prior to publication.

Summit 7 is getting inquiries from subcontractors that are confused about which CMMC level they need to be certified at. Akridge said they need to follow the flow down, meaning if a prime contractor certified at Level 2 is passing controlled unclassified information, or CUI, down to a subcontractor, that subcontractor must also be Level-2-certified.

When Is the Next CMMC Deadline?

The next major CMMC deadline is Nov. 10. This is when the Pentagon can start requiring Level 2 certification, which can be achieved via self-assessment or by a certified third-party organization, aka C3PAO. The Pentagon can choose to delay both Level 2 and Level 3 certification requirements in a contract to an option period.

What Are CMMC Compliance Strategies?

More than 60 percent of Summit 7’s CMMC clients are choosing a virtual desktop deployment compliance strategy, which Akridge called an affordable, but risky, approach. He said the virtual desktop deployment strategy is preferred for companies with 15 percent or less of their revenue from the DOW. This also includes companies with fewer than 15 percent of employees working with CUI.

Virtual desktop deployment is a separate environment that can be either virtual or a physical computer. Akridge said this is also a faster solution that takes about six months to complete and can be a good option for a company with an imminent contract award in the works that can’t achieve compliance in a short period of time.

Akridge said the virtual desktop deployment strategy is risky as small businesses will have to change external partner behaviors to only send CUI to the new and protected virtual desktop. The big risk is spillage, or CUI ending up on an old, non-compliant desktop because a prime had been sending email to that email address for years and accidentally shares CUI, he said.

On the other side of the CMMC compliance strategy risk and pricing spectrum is the all-in approach for an entire company. Akridge said many companies who choose this approach have greater than 15 percent of their revenue coming from the DOW and more than 15 percent of their employees handling CUI.

The advantage of the all-in approach, Akridge said, is that it’s easier to manage for a small team compared to the virtual desktop solution as companies don’t have to run two different infrastructures. It takes about 12 to 18 months to fully implement the all-in solution for medium-sized organizations, he said.

Will CMMC Expand Beyond the DOW?

Companies should expect CMMC requirements to expand beyond the defense sector. Akridge predicts a final CUI protection rule for the rest of the federal government to be finalized by the end of the year. He specifically said the Departments of Transportation, Homeland Security, Energy and NASA would be impacted by an expanded CMMC.
