In the Headlines
November 10, 2025

Pentagon Begins Enforcing CMMC Compliance, But Readiness Gaps Remain

DefenseScoop

Government Contracts attorney Christian Nagel was interviewed for a DefenseScoop article about the new Cybersecurity Maturity Model Certification (CMMC) requirements for federal contractors and compliance preparation gaps between large and small businesses. The updated program, also known as CMMC 2.0, consists of a three-tiered framework under which defense contractors handling federal contract information (FCI) or controlled unclassified information (CUI) must certify compliance with certain cybersecurity protocols depending on the sensitivity of the data they touch. An amendment to the Defense Federal Acquisition Regulation Supplement (DFARS) concerning CMMC compliance went into effect Nov. 10, 2025, and implementation will take place over the next three years. Thus far, professionals have observed readiness gaps between larger companies that have the resources and personnel to undergo the lengthy process of updating internal structures and demonstrating compliance with CMMC controls and smaller organizations that may lack the technical capabilities or time to complete certification and continue bidding for awards. Mr. Nagel said this issue could force prime contractors to find different suppliers, which can be difficult in specialized defense supply chains, though it could also diversify the defense industrial base in the long term.

"When there's a focus on small business, either from the government or from the upstream contractor, then you really are at an impasse," he said. "And if that supplier has other work and doesn't feel the pinch and can say no, then it can put the upstream contractor in a really bad position."
