GovCon Wire's Five Key Takeaways from Deltek’s CMMC November Compliance Webinar


The big day for the Defense Department’s Cybersecurity Maturity Model Certification 2.0 effort is almost here. Specifically, that’s Nov. 10, when contracting officers can start inserting stringent cybersecurity requirements into DOD contracts.

The phased rollout has four phases spread over three years. In the first year, DOD contracting officers will, at a minimum, require self-assessments. In year two, they are required to put Level 2 certifications, which require a third-party assessment, into contracts.

CMMC 2.0 taking effect means that GovCons who don’t meet these stringent cybersecurity requirements can’t do business with the Pentagon. To help GovCons wade through this complicated but essential process, we summarized the five biggest takeaways from the GovCon Wire CMMC Enforcement Starts in November webinar, presented by Michael Greenman, Deltek senior manager for cloud solutions. Let’s dig into the details.


1. Lack of Clarity Over How the Enforcement Clause Will Be Implemented

CMMC certification is technically being phased in over the next three years. But DOD contracting officers can start inserting any level of CMMC requirements into contracts starting Nov. 10, Greenman told GovCon Wire in an exclusive interview. There’s nothing, he said, preventing a DOD contracting officer from requiring a Level 2 or Level 3 certification.

Greenman said GovCons are in for a surprise if they’re not taking CMMC certification seriously.

“There’s been this overall feeling of ‘Oh, we’ve got time, this [is a] phased rollout. We don’t need a Level 2 third-party certification until phase two or later,’” Greenman said. “But myself and others in the industry are stressing—no, this is not a get-out-of-jail-free card. This is not a ‘wait until then’ kind of thing.”

Greenman said the DOD chief information officer’s office put out a memo instructing contracting officials to abide by the phased rollout and not just mark every contract as requiring Level 2 certification. But, he said, the rest is unclear. Greenman said only about 400 to 500 companies have achieved Level 2 certification out of an expected 70,000 to 80,000 companies that will need it.

“I think it’s a bit of a big mystery for the industry, what this will look like,” Greenman said during his Deltek-GovCon Wire webinar. “There is industry expectation that … for all intents and purposes, this will be a phased rollout, to not be such a shock to the system for the many DOD contractors that have not completed their Level 2 certification assessment yet, or really haven’t done much in addition to that.”

2. Steep Costs and Timelines for Level 2 Certification

It’s neither cheap nor quick for GovCons to complete their Level 2 certification assessment. This is the level required for those who want to bid on DOD contracts that handle controlled unclassified information (CUI), covered defense information, controlled technical information, or International Traffic in Arms Regulations (ITAR) or export-controlled data.

Greenman said companies surveyed in Deltek’s annual Clarity report reported spending between $50,000 and $250,000 just to prepare for their Level 2 assessment, which conservatively takes 12 to 18 months. The assessment itself, he said, can cost small businesses around $100,000.

“The clock is ticking on making sure you have your [Level 2] certification set up before full enforcement, full rollout of CMMC … where you have a real risk of not winning a new DOD contract if you do not have this certification.”

All CMMC certifications are valid for 3 years and require annual affirmation. Greenman said companies seeking CMMC Level 2 certification need to understand and budget for a third-party assessment every three years, or sooner if there are any significant changes since the previous assessment.


3. Certification “False Starts” Are Growing

A growing number of companies are not completing their CMMC certification because assessors are finding deficiencies that must be fixed before approval. Greenman called these “false starts.”

Companies may be a year into their Level 2 third-party assessment when assessors find violations, such as inappropriate handling of ITAR data, which becomes CUI when it is part of a DOD contract. Greenman said inappropriate ITAR data handling can not only prevent a GovCon from getting its Level 2 certification, but also carries potential civil and criminal penalties.

Greenman recommends that companies make sure they are properly storing, handling and protecting information before the assessment, so that such problems don’t surface during the CMMC assessment.

“This is your buyer beware,” he said. “Be cautioned.”

4. Big Name Primes Expecting Subs to Get Certified

Greenman said he was surprised to learn that roughly 70 percent of respondents to the Clarity survey said they planned on getting the third-party CMMC assessment. This, he said, could be because high-profile prime contractors such as Lockheed Martin, Leonardo DRS and Boeing are telling subcontractors that their business with these primes depends on being CMMC-certified.

Greenman said it’s one thing for a subcontractor to have a contract, but it’s another to have a supply chain lead threaten their business if they don’t get certified.

“They’re telling suppliers: ‘Look, if you’re handling this federal contract information or CUI, your CMMC status is going to determine whether you can be in the supply chain or not. But we’re not waiting. We’re sending notice now,’” he said.

5. Cloud Service Providers Held to Higher Standard

GovCons may focus only on themselves when pursuing their CMMC certification, but they should also think about their cloud computing provider. Greenman said cloud service providers are held to a higher standard in CMMC certification because they have access to the contractor’s controlled and classified information.

As such, cloud computing providers are required to hold a FedRAMP Moderate or higher authorization, or to demonstrate FedRAMP Moderate equivalency. To be considered FedRAMP Moderate equivalent, cloud service operators must achieve 100 percent compliance with the latest FedRAMP Moderate security control baseline, attested through an assessment by a FedRAMP-recognized third-party assessor.

CSOs must also present the following information to be certified as FedRAMP Moderate equivalent:

  • System security plan
  • Security assessment plan
  • Security assessment report
  • Plans of action and milestones