By Payam Pourkhomami, President & CEO of OSIbeyond
Phase 1 of the Cybersecurity Maturity Model Certification program is live. The DFARS acquisition rule took effect on November 10, 2025, and DoD has begun incorporating CMMC requirements into new solicitations and contracts. Yet misconceptions about CMMC persist across the defense industrial base, and they’re getting companies disqualified from awards.
This article addresses the myths we at OSIbeyond encounter most often when talking with defense contractors about CMMC. Some of these are half-truths. Others are flat wrong. All of them can hurt you if you let them shape your compliance strategy.
CMMC Applies to More Contractors Than You Think
Arguably the most common misbelief is that CMMC is a prime contractor problem. It isn’t. DFARS 252.204-7021 requires prime contractors to flow down CMMC requirements to subcontractors and other contractual instruments if those subcontractors will process, store, or transmit Federal Contract Information or Controlled Unclassified Information (yes, you’re still in scope even if your work only involves FCI).
As stated in 32 CFR 170.23, “CMMC requirements apply to prime contractors and subcontractors throughout the supply chain at all tiers that will process, store, or transmit any FCI or CUI on contractor information systems in the performance of the DoD contract or subcontract. Prime contractors shall comply and shall require subcontractors to comply with and to flow down CMMC requirements.” Even subcontractors that don’t consider themselves part of the defense industry are in scope if they handle FCI or CUI in the performance of a DoD contract. The regulations don’t care what industry you identify with. They care what data you touch.
That language leaves no room for primes to waive CMMC requirements for their subs, which is another myth we hear regularly. The only exception is for vendors that exclusively provide commercially available off-the-shelf, or COTS, products as defined in FAR 2.101. Waiver authority does exist within the CMMC program, but it sits with DoD acquisition executives under 32 CFR 170.3(d), not with prime contractors. If a prime tells you not to worry about CMMC, that’s not a position the regulations support.
None of what we wrote above changes based on how big or small your company is. The final rule preamble states that the value of DoD’s sensitive information does not diminish when it moves to smaller contractors. The determining factor is the data you touch, not your tier in the contract structure or the number of people on your payroll. If your company processes, stores, or transmits FCI or CUI for a DoD contract at any level, CMMC applies to you.
Corporate structure doesn’t change this either because CMMC status is tied to specific information systems and CAGE codes, not corporate ownership. The CMMC Assessment Process document states that the organization seeking certification could be a subsidiary, division or operating component of a larger entity, and that supporting organizations included in the scope do not themselves receive certification through that assessment. If your subsidiary operates on a separate network with its own CAGE code, your parent’s certification doesn’t extend to you. Each entity that handles FCI or CUI needs its own assessment and its own status in SPRS.
CMMC Isn’t New Requirements, but It Isn’t Just a Checkbox Either
The cybersecurity requirements behind CMMC Level 1 and Level 2 come directly from existing sources, namely FAR 52.204-21 (15 basic safeguarding requirements for FCI) and NIST SP 800-171 Rev 2 (110 security requirements for CUI). Contractors handling covered defense information have been obligated to implement NIST 800-171 since December 31, 2017 under DFARS 252.204-7012, and CMMC doesn’t change those requirements at all. Instead, it adds verification that contractors are actually doing what they’ve been contractually required to do for years.
That said, being familiar with NIST 800-171 controls is not the same as being CMMC-ready. CMMC layers on a formal assessment methodology based on NIST SP 800-171A, which breaks those 110 requirements into 320 individual assessment objectives. Every objective must be satisfied for a control to be marked as “met.”
Contractors also have to maintain a current status in SPRS, submit annual affirmations from a senior official, document everything in a system security plan that an assessor can review, maintain asset inventories and network diagrams that define the assessment scope and produce evidence artifacts that demonstrate controls actually work. DoD’s FAQ states plainly that if an organization lacks an up-to-date SSP at the time of assessment, the assessment cannot be completed.
Because of all this, neither prior experience with NIST 800-171 nor any single tool or platform can substitute for the actual work of building and maintaining a compliance program. Yes, a GCC High environment gives you compliant cloud infrastructure, and SIEM platforms can support monitoring requirements, but CMMC assessments evaluate controls through interviews, evidence review and technical testing. A significant share of those 110 controls involve organizational policies, training programs, incident response procedures and leadership engagement. No product can generate those for you.
The Timeline Is Already Working Against You
First, the cybersecurity obligations behind CMMC aren’t new. DFARS 252.204-7012 has required NIST 800-171 implementation since 2017. If you haven’t been meeting those requirements, you’re already out of compliance on your existing contracts, and the Department of Justice has been enforcing that aggressively through its Civil Cyber-Fraud Initiative since 2021.
Second, CMMC requirements are now appearing in solicitations. Phase 1 started November 10, 2025, and the first 12 months focus on Level 1 and Level 2 self-assessments. When a solicitation includes a CMMC requirement, you are not eligible for award if you don’t already hold the required CMMC status and a current affirmation in SPRS, according to DFARS 252.204-7025.
While achieving CMMC Level 2 readiness isn’t some insurmountable obstacle, it’s also not exactly a quick process. Industry consensus puts the timeline at 6 to 12 months for most organizations, and that’s if you already have a reasonable security foundation in place. If you’re starting from scratch on documentation, scoping, or remediation, it can take longer. And that timeline only covers getting your controls and documentation in order.
If your contract requires a C3PAO assessment rather than a self-assessment (Level 2 is split into two tracks), you need to factor in the time to actually get assessed. During Phase 1, self-assessments are the primary requirement, but starting in Phase 2 (November 2026), third-party certification becomes broadly mandatory for prioritized acquisitions. With C3PAO wait times already stretching to several months and only a few hundred organizations certified so far against tens of thousands that need to be, the scheduling bottleneck alone is reason not to wait. The same applies to existing contracts since DoD can require CMMC as a condition to exercise an option period on a contract awarded before the rules took effect under 32 CFR 170.5(e).
Compliance Is Your Responsibility, Even When You Have Outside Help
Working with a managed service provider or cloud provider is often the right move for contractors pursuing CMMC, especially smaller organizations that don’t have the in-house resources to build and maintain a compliant environment on their own. But a common misconception is that bringing on an IT provider transfers the compliance burden entirely. In reality, the contractor remains accountable for meeting all applicable requirements, and DoD’s assessment process is built around verifying that the contractor understands and can demonstrate that accountability.
What changes when you work with an external service provider is how responsibilities are divided, and that division has to be documented because DoD’s scoping guidance requires contractors to maintain a Shared Responsibility Matrix that maps each security objective to either the contractor, the provider, or both. The SRM, along with the provider’s service description, must be reflected in the contractor’s system security plan. A good provider will help you build and maintain that documentation. But the assessor is evaluating your organization’s compliance posture, not your provider’s sales materials.
The same principle applies to cloud environments. If you use a cloud service provider to process, store, or transmit CUI, DFARS 252.204-7012 requires that provider to meet security requirements equivalent to FedRAMP Moderate baseline. Standard commercial cloud offerings don’t meet that bar, which is why contractors handling CUI typically need to operate in a FedRAMP-authorized environment like GCC High. But even with a compliant cloud in place, your on-premises infrastructure, your endpoints, and the way your people handle data are all still part of your CMMC assessment scope.
Every myth addressed in this article can delay CMMC compliance, which is something contractors can’t afford in 2026. If you’re unsure where to begin, download OSIbeyond’s CMMC Prerequisite Checklist to help identify the first steps on your compliance journey. While the checklist provides guidance, achieving CMMC compliance often requires an experienced partner to help you navigate the process and reduce the risk of costly missteps during assessment.