CMMC 2.0 is moving forward at the Department of Defense despite a potentially high-ranking official promising to review the effort if confirmed.
Cybersecurity Maturity Model Certification 2.0 is DOD’s framework for assessing contractor implementation of cyber requirements and improving their protection of unclassified information in the DOD supply chain. The program provides DOD with better assurance that government contractors and subcontractors are meeting the cybersecurity requirements for nonfederal systems processing controlled unclassified information—a.k.a. CUI—or federal contract information. The final CMMC 2.0 rule made it a requirement for bidding on defense contracts.
Katie Arrington, performing the duties of DOD chief information officer and a previous Wash100 Award winner, is pushing CMMC 2.0 forward after founding the program during the first administration of President Donald Trump. Contractors previously were only required to self-certify compliance with National Institute of Standards and Technology Standard 800-171, which provides federal agencies with recommended security requirements for protecting the confidentiality of CUI.
Get insights into how the Trump Administration will implement CMMC 2.0 at the Potomac Officers Club’s 2025 Cyber Summit on Thursday. Meet, learn and connect with DOD leaders, defense experts, research officials and industry executives at this can’t-miss event. Time is running out, sign up today!
Contractors are now required to use a third-party audit for CMMC 2.0 certification and many are unhappy about it.
“If you go on LinkedIn one more time and tell me how hard CMMC is, I’m going to beat you,” Arrington said, as reported by Washington Technology.
Table of Contents
Who Is DOD’s Michael Duffey?
Contractors upset about CMMC 2.0 may receive relief from Trump nominee Michael Duffey, who was tabbed to be DOD undersecretary for acquisition and sustainment. Duffey told senators during his confirmation hearing that he would review CMMC 2.0 if confirmed. Redspin, a provider of cyber services involving CMMC 2.0, issued a report on GovCon preparedness for CMMC 2.0, saying most respondents did not feel ready for its requirements.
Duffey said in prepared remarks that it is important to improve cyber among defense GovCons without putting unnecessary requirements on small and medium-sized businesses. While these contractors, he said, can be more vulnerable to cyber attacks because of fewer financial resources, they play a pivotal role in supporting DOD.
“If confirmed, I will review the current requirements of the CMMC program and evaluate options to improve the requirements and implementation so that industry can affordably maintain pace with current cybersecurity best practices,” Duffey said.
What Is SWFT?
Arrington recently kicked off a new effort to improve how DOD acquires software that leverages CMMC 2.0. In a memo issued April 24, Arrington directed the development of the Software Fast-Track Initiative, or SWFT.
This will define clear and specific cyber and supply chain risk management requirements and stringent software security verification processes. It will also define secure information-sharing procedures and federal government-led risk determinations to accelerate cyber authorizations for faster software adoption.
Arrington said software providers will be required to provide her with DOD’s base risk scores on 12 characteristics of range, including CMMC 2.0. SWFT will use AI to evaluate contractor certifications for faster processing.
Key CMMC 2.0 Impacts for GovCons
CMMC 2.0 is a dramatic shift in how defense contractors must approach cyber compliance, according to a GovCon expert. Payam Pourkhomami, OSIbeyond president and CEO, said in GovCon Wire that contractors must meet one of three certification levels based on the sensitivity of the information they handle.
Level 1 requires annual self-assessments for federal contract information. Level 2 makes contractors either self-assess or provide third-party certification for CUI. The most strict, Level 3, requires DOD assessments for critical programs and high-value assets.
Non-compliance with CMMC 2.0, particularly when handling CUI, can lead to big consequences for GovCons. These include financial penalties, contract cancellations and long-term reputational damage.
GovCons can learn more about consequences for CMMC 2.0 non-compliance at the Potomac Officers Club’s 2025 Cyber Summit. Held on Thursday at the Marriott Fairview Park in Falls Church, Virginia, the Cyber Summit is the best opportunity for GovCons to learn directly from federal cyber leaders from the CIA, DOD, U.S. Air Force and the DOD Cyber Crime Center, among others. Few tickets remain; don’t miss out!
Related Articles
The Senate Appropriations Committee on Thursday voted 26-3 to pass a bill that would appropriate $851.9 billion in discretionary defense funding for fiscal year 2026. Weapons Systems Procurement The committee said Thursday the proposed FY 2026 Defense Appropriations Act would allocate $171.3 billion for weapon systems procurement and $140.5 billion for platform research, development and testing. The measure includes a $280 million increase in funding for F-135 spare engines and an additional $500 million for F-35 sustainment spare parts; an additional $216 million for drone and counter-drone tech capabilities; $4.6 billion more for air and missile defense efforts; and a
NASA wants to team up with industry to develop advanced space technologies for future commercial or government use. The space agency on Wednesday issued an announcement of collaboration opportunity, or ACO, to solicit partnership proposals. Managed by the Space Technology Mission Directorate, the ACO gives industry partners access to NASA subject matter expertise, facilities, software and hardware to accelerate and enhance capability development. According to NASA, the ACO will be open for five years and will serve as an umbrella opportunity for topic-specific appendices that would be released every six to 12 months to address evolving needs. For the 2025
Robert F. Kennedy, Jr., head of the Department of Health and Human Services, and other government and healthcare technology leaders have committed to delivering a patient-centric digital health ecosystem. At an event hosted by the Centers for Medicare & Medicaid Services at the White House, over 60 companies pledged to collaborate and deliver results that benefit the public in the first quarter of 2026. Meanwhile, 11 health systems and providers said they will support patient use. Seven electronic health record companies pledged to facilitate data exchange. According to Kennedy, bureaucrats and entrenched interests have made health data inaccessible to patients,