Introduction

CMMC has officially arrived, and it’s already making its presence known. Although Phase 1 doesn’t officially begin until November 10, 2025, solicitations on SAM.gov and inquiries from prime contractors are already including CMMC certification requirements for those handling Controlled Unclassified Information (CUI). In other words, the framework isn’t just coming. It’s here.

And its influence won’t stop with the Department of Defense (DoD). As cybersecurity expectations rise across the federal landscape, other agencies are beginning to reference or align with CMMC as a model for contractor assurance. The message is clear: proving your cyber maturity is no longer optional—it’s becoming the new standard for doing business with the federal government.

CMMC’s Impact is Broadening Beyond the DoD

CMMC is now enacted, with Phase 1 commencing on November 10, 2025. It took years to reach this point, but from here on out members of the Defense Industrial Base (DIB) will need to prove their cybersecurity bona fides to the DoD through CMMC certification before being able to accept their awarded contracts. That applies not only to newly won contracts, but also to extensions of existing contracts and/or periods of performance (PoPs), according to the Office of Management and Budget's CMMC publication of September 10, 2025.

Given the heavy lift that getting DIB members CMMC certified has been, and continues to be, some may feel that an end point is finally in sight. DoD requirements are now formally set, and eventually all contractors will align to them or be forced to leave the DIB. But in truth, CMMC is really the beginning of a new era of federal cyber requirement-setting as a whole.

That shouldn’t be surprising. Cyber threats are ubiquitous and our federal agencies are prime targets for attacks by nation-states or other sophisticated adversaries. The Federal Acquisition Regulation (FAR) is currently being revised, and a proposed rule includes new requirements for the federal government-wide protection of Controlled Unclassified Information (CUI) through contractor cybersecurity, training and incident reporting requirements. The rule references conformance to the National Institute of Standards and Technology (NIST) 800-171 guidance on which CMMC is based. If and when this rule becomes part of the FAR, the next logical step could well be to institute CMMC or a CMMC-like initiative for a wide range of government contractors to prove their cyber maturity.

Which Agencies Are CMMC-Forward?

Several federal civilian (FedCiv) agencies have already referenced CMMC in various communications over the past few years. We can expect these agencies to be high on the list of those that will institute new formal requirements demanding proof of compliance.

  • The General Services Administration (GSA) is out in front. GSA addressed CMMC in a 2022 blog post that noted “as the Cybersecurity Maturity Model Certification (CMMC) effort ramps up and Supply Chain Risk Management (SCRM) principles are emphasized, GSA will continue to prioritize security as a core tenet of acquisitions.” Things have progressed significantly since then; this past August, the agency noted in another blog that CMMC language is now included in two of their government-wide Acquisition Contracts (GWACs), STARS III and Polaris, at the order level.

    What’s more, in responding to a public question about the Oasis+ Phase II GWAC, the agency noted that “while CMMC is not explicitly required for all OASIS+ contracts at this time, cybersecurity compliance is a crucial aspect of the OASIS+ vehicle (and) …it is possible CMMC compliance may be included in the certification prerequisite for future awards.” This is a strong indicator that cyber maturity is going to be very important for many GSA-managed contracts, which make up a large swath of all government contracts, in the not-too-distant future.

  • The Department of Homeland Security (DHS) Office of the Chief Procurement Officer stated back in 2021 that it was seeking a formal mechanism to check contractors’ compliance with cyber hygiene clauses published six years earlier. By late 2023, the department announced its intention to use a new Cybersecurity Readiness Factor (CRF) based on NIST SP 800-171 and SP 800-172 controls (in essence a “CMMC Light”) to assess contractor cybersecurity postures for relevant contracts. An effective date for enforcing this mechanism has not yet been announced, but with the final enforcement of CMMC as an example, DHS may well act soon.
  • The Department of Energy (DoE) also mentioned CMMC in its 2021 supply chain risk management report. While the agency has not announced plans to adopt CMMC, DoE does have its own Cybersecurity Capability Maturity Model (C2M2), which helps organizations evaluate and optimize their cybersecurity capabilities for both information technology (IT) and operational technology (OT) environments using industry practices such as NIST-aligned controls. The agency published supplemental guidance mapping its own C2M2 to some CMMC practices. While C2M2 is voluntary, DoE also issued Order 205.1D establishing its IT cybersecurity requirements, including a Contractor Requirements Document (CRD) that details what contractors must follow to comply with the Order.
  • NASA also has a dedicated CMMC page on its Solutions for Enterprise-Wide Procurement (SEWP) V contract website, explaining CMMC’s levels and how it is being implemented by the DoD. As SEWP V can be used as a purchasing vehicle for some DoD procurements, NASA is offering contractors this reference. While the agency has not stated any intention to adopt CMMC as of now, the SEWP connection is an obvious starting point for CMMC to take hold within the agency. Given the sensitivity of NASA missions and the growing use of commercial space capabilities to fulfill them, security is a huge concern. Stronger security enforcement should be expected as inevitable.

What This Means for Federal Contractors Beyond the DIB Community

While multiple agencies are increasing and formalizing contractor security requirements, to date only the DoD is enforcing them, through the CMMC certification process. CMMC came about because many DIB members were attesting to having cyber measures in place that they in fact did not. The DoD finally demanded proof.

Government contractors serving other agencies should not be lulled into a false sense of exclusion from CMMC. Rather, it is likely that CMMC or another similar requirement will be adopted by more agencies within the next few years.

Our advice is to start now. As cyber enforcement grows, it will be an enormous lift to get a huge number of federal contractors certified against the necessary cyber maturity requirements. Being ahead of the curve with your own cyber defenses will help your organization stay competitive, be ready for new compliance requirements, and be more secure for your own and your government clients’ protection.


How Redspin Helps

We’ve helped hundreds of organizations prepare for CMMC—and we’re one of the first authorized C3PAOs.

Whether you need a readiness assessment, help fixing gaps, or support during your audit, our team can guide you through the process with zero guesswork.

Don’t wait until the RFP drops—start getting compliant now.


Book a meeting to get CMMC certified with Redspin: