Chimera readability score 58 out of 100, Graduate reading level.

"This isn't just compliance...it's a national security imperative."
Chief DIB Cybersecurity, DCIO(CS), OCIO
The wait is over. On September 10, 2025, the Department of Defense (DoD) dropped the final rule for the Cybersecurity Maturity Model Certification (CMMC). The rule officially goes into effect on November 10, 2025, and if you’re a DoD subcontractor, you need to pay close attention.
Prime contractors will soon be required to verify that their subs are certified before awarding a contract. This post breaks down what the CMMC final rule is, what it means for you, and why you need to start preparing for your assessment. Let's get into it.
What is the CMMC Final Rule?
Think of CMMC as the DoD's new standard cybersecurity background check for its supply chain. Keep in mind, the NIST SP 800-171-based requirements aren’t new, and as a DoD subcontractor, you should already be meeting them. But until now, contractors have only been self-attesting to their security posture.
Now, a verification component is being added to make sure contractors are actually protecting sensitive government information. It’s designed to safeguard the supply chain from cyberattacks and data theft.
The program protects two main types of information:
Federal Contract Information (FCI): Information not intended for public release that is provided by or generated for the government under a contract.
Controlled Unclassified Information (CUI): A broad category of information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies. If you handle things like Controlled Technical Information (CTI), you're dealing with CUI.
CMMC is broken down into three levels, each with increasing security requirements. The level you need depends on the type of information you handle.
CMMC Level 1: This is the foundational level for anyone handling FCI. It requires an annual self-assessment against 15 basic security controls found in FAR 52.204-21.
CMMC Level 2: This is the big one. If you store, process, or transmit CUI, you'll need a Level 2 certification. It aligns with the 110 requirements in NIST SP 800-171 and requires most contractors to undergo a third-party assessment conducted by a Certified Third-Party Assessment Organization (C3PAO) every three years.
CMMC Level 3: This top tier is for contractors handling the most sensitive CUI. It includes all 110 controls from Level 2 plus an additional 24 from NIST SP 800-172. The government will conduct these assessments.
The DoD estimates that over 80,000 contractors will need a Level 2 or Level 3 certification. But that number is a very conservative estimate, considering that no database of DoD subcontractors is kept. The real number is likely much, much higher.
CMMC implementation timeline and flow down requirements
While the rule becomes effective on November 10, 2025, CMMC requirements will be phased into new DoD contracts. For the first three years, the DoD will decide which contracts get the CMMC treatment, and at what level. After November 10, 2028, it'll be standard for contracts involving FCI or CUI.
Don't let the "phased rollout" fool you into complacency. The final DFARS clause language is crystal clear: prime contractors must verify that their subcontractors have the required CMMC certification before awarding a contract. This is a massive change. Primes won't wait for the DoD to mandate it on a specific contract; they'll start requiring it across their supply chain to reduce their own risk.
This "flow down" requirement means subcontractors can no longer hide in the background. If you want to continue working with DoD prime contractors, you must be proactive and get certified at the appropriate level. Think about it this way: take the conservative figure of 80,000 contractors in scope for Level 2. Compare that with 82 C3PAOs certified on the Cyber AB website (as of this writing).
While a typical assessment can take four to eight weeks from start to finish, let’s assume one week of solid C3PAO time per assessment. Let’s be generous and assume each of the 82 C3PAOs can magically handle 10 assessments concurrently. With no days off, 82 C3PAOs x 52 weeks a year x 10 concurrent assessments = 42,640 assessments per year.
That means it'll take approximately two years to get through the first 80,000 contractors! If you don't get this done proactively, you’re risking your entire DoD contractor business.
CMMC Level 2 assessment requirements
For the tens of thousands of subcontractors handling CUI, a CMMC Level 2 assessment is in your future. This is a rigorous assessment of your cybersecurity maturity, and passing a C3PAO assessment requires serious preparation.
You need to get these three key areas in order:
Technology: Do you have the right tools in place? This includes things like endpoint protection, security information and event management (SIEM), vulnerability scanning, and application control. Your tech stack must be able to meet the 110 security requirements.
Processes: You need well-defined, repeatable processes for everything from employee onboarding to change control approvals to incident response. Auditors will want to see that your security practices are integrated into your daily operations, not just written down somewhere and forgotten.
Documentation: If it isn't documented, it didn't happen. Auditors live and breathe documentation. You'll need a current System Security Plan (SSP), policies for every control family, detailed procedures, and records to prove you're doing what you say you're doing. This is often the biggest hurdle for most organizations going through the audit process.
Gathering all this evidence, organizing it, and meeting the assessor's expectations is a monumental task. Trying to do it all yourself while running your business can feel like a major distraction.
Please note, this isn’t like other compliance initiatives. The CMMC Level 2 assessment is scored out of 110 points. To pass, you must achieve a score of 110 out of 110.
However, if you score at least 88 out of 110 and have no deficiencies in certain critical controls, you won't fail outright. Instead, your C3PAO can issue a Conditional Certification. Essentially, this grants you a temporary certification on the condition that you fix the remaining open items within a hard 180-day deadline. Proper preparation is paramount.
How Huntress Managed SIEM supports CMMC Level 2 Compliance
The CMMC final rule is here, and the implementation clock has started. Subcontractors who wait to prepare will be unable to win contracts that require a CMMC status of Level 2 (C3PAO). The demand for C3PAO assessments is already high and will only intensify, creating a significant bottleneck (there is approximately one C3PAO for every 1,000+ DoD subcontractors needing L2 certification).
Take these steps today:
Determine your level: Identify if you handle FCI or CUI to understand which CMMC level you need to meet.
Conduct a gap analysis: Assess your current environment against the required CMMC controls. Identify where you fall short.
Build your plan: Create a detailed plan of action and milestones (POA&M) to address your gaps.
Find trusted partners: Engage with security providers who understand CMMC and can help you implement the necessary technology, processes, and documentation. (You guessed it, if you’ve got Huntress products, we have the documentation you need to support a successful audit.)
You can find qualified help on the Cyber AB website. It’s time to get started to keep your place in the DoD supply chain.

Facts Only

The Department of Defense (DoD) finalized the CMMC rule on September 10, 2025.
The rule takes effect on November 10, 2025.
CMMC applies to DoD contractors and subcontractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
The program replaces self-attestation with third-party verification for most contractors.
CMMC has three levels: Level 1 (15 controls, self-assessment), Level 2 (110 controls, third-party assessment), and Level 3 (134 controls, government assessment).
Level 2 aligns with NIST SP 800-171 and requires certification every three years.
Level 3 includes additional controls from NIST SP 800-172.
Over 80,000 contractors are estimated to need Level 2 or 3 certification.
As of the article’s writing, only 82 Certified Third-Party Assessment Organizations (C3PAOs) are available.
CMMC requirements will be phased into contracts over three years, becoming standard by November 10, 2028.
Prime contractors must verify subcontractor CMMC certification before awarding contracts.
A Level 2 assessment requires a perfect score of 110/110, though conditional certification is possible with a score of at least 88/110 and no critical deficiencies.
Conditional certification requires remediation within 180 days.
The DoD estimates a potential two-year backlog for assessments due to limited C3PAO capacity.

Executive Summary

The Department of Defense (DoD) has finalized the Cybersecurity Maturity Model Certification (CMMC) rule, effective November 10, 2025, with phased implementation over three years. The program mandates third-party verification of cybersecurity practices for contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC introduces three certification levels: Level 1 for basic FCI protection (self-assessment), Level 2 for CUI (third-party assessment), and Level 3 for highly sensitive CUI (government-led assessment). Over 80,000 contractors are expected to require Level 2 or 3 certification, but the actual number may be higher due to unregistered subcontractors. Prime contractors must verify subcontractor compliance before awarding contracts, creating urgency for subcontractors to prepare. Assessments are rigorous, requiring documented evidence of 110 security controls for Level 2, with no margin for error unless conditional certification is granted for minor deficiencies. The bottleneck in certified assessors (C3PAOs) suggests a potential two-year backlog, risking contract eligibility for unprepared subcontractors.
The rule reflects the DoD’s shift from self-attestation to enforced cybersecurity standards, aiming to protect the defense supply chain from cyber threats. While the phased rollout offers temporary flexibility, prime contractors are likely to enforce requirements early to mitigate risk. Subcontractors must act quickly to conduct gap analyses, implement necessary controls, and secure assessments to maintain eligibility for DoD contracts.

Full Take

The CMMC final rule represents a significant escalation in the DoD’s cybersecurity enforcement, shifting from trust-based self-attestation to mandatory third-party verification. At its core, this reflects a paradigm of risk externalization: the DoD is transferring the burden of cybersecurity compliance—and the consequences of failure—down the supply chain. The narrative leans heavily on urgency, framing preparation as a binary choice between proactive compliance and business extinction. This is not inherently manipulative, but it does exploit the natural anxiety of subcontractors dependent on DoD contracts. The bottleneck analysis (80,000 contractors vs. 82 C3PAOs) serves as a compelling call to action, though it assumes static assessor capacity and ignores potential scaling solutions.
The strongest version of this argument is that CMMC is a necessary evolution to protect national security in an era of supply chain cyber threats. The DoD’s phased rollout acknowledges implementation challenges, but the "flow down" requirement ensures prime contractors will enforce compliance early, creating a de facto accelerated timeline. However, the article’s focus on the assessment backlog risks overshadowing broader questions: Will CMMC actually reduce cyber risks, or will it become a bureaucratic hurdle that smaller contractors cannot clear? The emphasis on documentation and perfect scores may incentivize "checklist compliance" over genuine security improvements.
Root cause: This narrative assumes that cybersecurity is primarily a compliance problem rather than a dynamic, adversarial challenge. The unstated assumption is that third-party assessments are inherently more reliable than self-attestation, despite no evidence that auditors are immune to gaming or superficial compliance. Historically, such frameworks often favor large incumbents with dedicated compliance teams, potentially reducing competition in the defense industrial base.
Implications: The most immediate consequence is the potential exclusion of smaller subcontractors who lack resources to navigate the certification process. Second-order effects may include consolidation in the defense supply chain, increased costs passed to taxpayers, and a false sense of security if compliance replaces continuous improvement. The human cost—job losses at non-compliant firms—is unaddressed.
Bridge questions: What evidence exists that CMMC will reduce actual cyber incidents, not just paperwork? How might adversaries adapt to exploit the certification process itself? What alternatives (e.g., continuous monitoring, outcome-based metrics) could achieve security goals without creating artificial bottlenecks?
Counterstrike scan: If this were part of an influence campaign, the playbook would amplify fear of business loss, frame compliance as the only path to survival, and downplay systemic critiques (e.g., "This is just bureaucracy"). The actual content aligns with this pattern but stops short of outright manipulation—it presents real stakes and constraints without demonizing alternatives. The tone is urgent but not hyperbolic, and the call to action (preparation) is proportional to the stated risks. No coordinated attack pattern detected; this appears to be a genuine advisory with inherent biases toward compliance as a solution.
Patterns detected: none

Sentinel — Human

Confidence

The article is primarily human-written, exhibiting a style consistent with specialized industry journalism that fuses technical facts with urgent, actionable advice, rather than generic synthetic output.

Signals Detected
low severity: Sentence length variance is erratic (short, punchy calls to action mixed with long explanatory sentences).
low severity: Passionate framing (urgency) is present, suggesting a human voice driving the narrative, despite the balanced claims.
medium severity: The use of specific, detailed, but speculative calculations (e.g., 82 C3PAOs x 52 weeks x 10 concurrent assessments = 42,640) suggests a human trying to synthesize complex data into a compelling argument, rather than pure LLM enumeration.
low severity: Attribution of specific, though contextually plausible, numbers and timelines (e.g., Sept 10, 2025; November 10, 2025) is highly consistent, but the speculative nature of the projections (C3PAO timeline) is typical of opinion journalism attempting to ground fear in data.
Human Indicators
The text contains a specific, commercially oriented plug (Huntress), which is a strong indicator of paid or commissioned content, often blending analysis with marketing.
The style shifts between high-level policy framing and highly specific, ground-level operational advice, a characteristic of an expert or journalist navigating a complex regulatory environment.
The tone exhibits a clear, urgent imperative aimed at a specific audience (DoD subcontractors), demonstrating intentional rhetorical structuring.
CMMC Final Rule: A Guide for DoD Subcontractors — Arc Codex