Pentagon Needs More CMMC Third-Party Assessors to Increase Compliance Rates, Slash Waits & Costs—Experts Weigh in

by Pat Host
May 5, 2026
in Articles, Cybersecurity
  • The Pentagon needs additional Cybersecurity Maturity Model Certification third-party assessors to reduce long waits for mandatory audits and increase compliance rates.
  • Firms that don’t follow the CMMC compliance schedule risk losing Pentagon business.
  • Get the latest update on CMMC implementation at the Potomac Officers Club’s 2026 Cyber Summit on May 21!

The Pentagon needs more Cybersecurity Maturity Model Certification certified third-party assessors, or C3PAOs, to reduce long waits and costs for mandatory CMMC audits and increase the low rate of businesses achieving CMMC compliance ahead of a key deadline, according to experts who spoke with ExecutiveGov.

This lack of CMMC compliance among small and mid-sized contractors could reduce the Department of War’s ability to grow business among smaller and innovative firms, a key initiative of President Trump during his second term. There are 103 C3PAOs authorized to perform CMMC assessments, according to the CyberAB, the sole authorized non-governmental partner of the Pentagon in implementing and overseeing CMMC conformance.

Payam Pourkhomami, OSIbeyond president and CEO and one of Executive Mosaic’s GovCon Experts, told ExecutiveGov that roughly 1 percent of 100,000 defense industrial base customers that are supposed to be CMMC Level 2 certified have achieved Level 2 certification. OSIbeyond is not a CMMC C3PAO.

Dig into the latest Pentagon cybersecurity business opportunities at the Potomac Officers Club’s 2026 Cyber Summit on May 21! Hear directly from three top national security cyber executives during their illuminating keynote addresses:

  • Aaron Bishop, chief information security officer and acting principal deputy chief information officer
  • Katherine Sutton, assistant secretary for cyber policy
  • Rear Adm. Jason Tama, Coast Guard Cyber Command chief

Sign up now!

What Are Key CMMC Deadlines?

A key deadline in CMMC implementation, known as Phase 3, begins on Nov. 10, 2027. This is when contractors who want to do business with the Pentagon must have an independent assessment performed by a C3PAO every three years.

Another important deadline, known as Phase 2, takes place on Nov. 10. This is when the Pentagon can start requiring Level 2 certification, which can be achieved via self-assessment or by a C3PAO. The Pentagon can choose to delay both Level 2 and Level 3 certification requirements in a contract to an option period. Phase 1, which began on Nov. 10 of last year, can require Level 1 or 2 self-assessment in individual contracts.

Trey Hodgkins, CEO of Hodgkins Consulting LLC and an adviser to Fortune 500 companies about the federal technology marketplace, told ExecutiveGov that the Pentagon needs thousands of C3PAOs to reduce high fees associated with C3PAO assessments.

How Much Do CMMC Third-Party Assessments Cost?

Many small businesses, he said, pay $50,000 to $100,000 individually for a C3PAO assessment and for consulting to help them prepare for the assessment. These fees may not be steep for larger businesses, but Hodgkins said they are for sixth- or seventh-tier subcontractors in the automotive supply business who might make a couple of parts that go into a tank and whose annual revenue may be around $150,000.

Though the Pentagon may give a short-term extension on CMMC compliance requirements, Hodgkins said that might not be enough for these firms further down in the supply chain.

“Now the government is telling them they need to put in something that will cost $50,000 to $100,000 a year,” — Trey Hodgkins, CEO of Hodgkins Consulting LLC

Bill Greenwalt, senior fellow at the American Enterprise Institute think tank, also believes that CMMC needs thousands of C3PAOs to reduce fees and wait times and encourage more small businesses to pursue CMMC compliance.

Greenwalt told ExecutiveGov that he is a supporter of better cyber hygiene between the Pentagon and its contractors, but he’s not a fan of CMMC and its “check the box” approach. He believes it’s forcing contractors to comply with a standard that is already outdated.

Greenwalt also doesn’t like the adversarial nature of the program with its audits and banishments for not achieving compliance. He dislikes the unfunded mandate nature of the fees, which he said will deter small businesses from entering the federal workforce.

“If there were thousands of [C3PAOs] and things were going fast and it was cheap, most companies wouldn’t be complaining,” Greenwalt said. “They would say ‘here’s a paper exercise thing I have to go through, but it doesn’t cost [an excessive amount of money] that’s going to affect my bottom line.”

What Could the DOW Do Differently With CMMC?

Instead, Greenwalt believes the Pentagon should take a more collaborative approach with contractors for better cyber hygiene to help keep small contractors doing business with the department. He proposes the department offer system penetration testing to assess firms’ cyber vulnerabilities and provide them step-by-step processes to improve their cyber defenses.

Greenwalt said that long waits and high fees for C3PAOs could be a silver lining for CMMC in that it could demonstrate that the program is unimplementable and inspire the Pentagon or Congress to make changes or scrap the program. Pentagon spokesman Joseph Loewy declined to comment for this article.

Are you a GovCon technology executive? Then you cannot afford to miss the Potomac Officers Club’s 2026 Cyber Summit on May 21. Examine meeting CMMC, National Institute of Standards and Technology and zero trust requirements and transitioning prototypes into secure mission systems at the Cybersecurity at Commercial Speed panel discussion. It features

  • John Baase, Defense Information Systems Agency DOW enterprise identity, credential and access management, or E-ICAM, program manager
  • Khoi Nguyen, Cyber Command Cyber Acquisition and Technology Directorate (J9) command acquisition executive

Secure your seat today!

How Can the DOW Reduce CMMC Compliance Costs?

There are a variety of ways the DOW could reduce CMMC compliance costs for small businesses. Pourkhomami suggested the department financially subsidize the program, though he declined to provide details. The government, he said, is going to “front the bill” in the end through contractors including fees in their bids, so figuring out how to get contractors moving will be key and a challenge in the short term.

Hodgkins said the Pentagon should approve a cloud computing provider that would allow businesses to run programs like email, data storage and computer-assisted design through it.

One C3PAO’s Perspective

Redspin of Nashville, Tenn., is a C3PAO and has been involved in the CMMC ecosystem since its early development in 2020. It was also among the first organizations authorized as a C3PAO to conduct assessments under the initial version of CMMC.

Both Pourkhomami and Thomas Graham, Redspin senior principal consultant and CISO, disagree with the perception that there are long wait times for C3PAO assessments. Graham told ExecutiveGov that the company’s next available assessment window is around November, though schedules shift and earlier availability can, and often does, open up as Redspin’s assessor team grows.

Graham said booking an assessment 6 to 10 months in advance isn’t unusual for a program of this scale, and this timeline often works in an organization’s favor. This is because the period leading up to an assessment is critical for finalizing documentation, validating controls, practicing interviews with your team and ensuring overall readiness. Graham said organizations that use that time effectively tend to have much smoother assessment experiences.

Pourkhomami said companies don’t become assessment-ready in timeframes of less than three months. He would be more concerned if assessment waits were 18 months long. Additionally, the number of C3PAOs is growing, Pourkhomami said, which should help alleviate this bottleneck.

“It’s not impossible to get an assessment right now,” — Payam Pourkhomami, OSIbeyond president and CEO and one of Executive Mosaic’s GovCon Experts.

Redspin has completed over 1,000 assessments, Graham said, and continues to support a large and growing pipeline of organizations preparing for certification. He said the company’s completed assessment count grows almost daily and is a good indicator that the DIB has woken up to the requirement.

Graham said Redspin doesn’t offer flat-rate pricing because CMMC Level 2 assessments are highly dependent on the size, scope and complexity of an organization’s controlled unclassified information environment. Factors like subsidiaries, number of physical locations and additional in-scope networks can all impact the overall assessment cost.

Assessments are also dependent on the operational nature of the environment, as a research and development organization may be vastly different from a manufacturing organization.

“These assessments are not checklist assessments,” Graham said. “They require validated evidence across all 110 requirements and the 320 associated objectives.”

A GovCon attorney called CMMC the latest shakeup to an industry that has experienced vast changes since President Trump started his second term in January of last year. Cherylyn Harley LeBon, partner at Cohen Seglias, told ExecutiveGov that reduced federal budgets outside of the Pentagon and the intelligence community have business owners reexamining federal business opportunities.

CMMC, she said, is making these business decisions even more difficult.

“Either you’re going to play the [Pentagon] game and intelligence with CMMC compliance, and go along with it, or you’re going to pivot to something else,” LeBon said. “[But] budgets have decreased in these other agencies and there are fewer opportunities. So where does that leave you? With commercial opportunities and state and local [governments].”

Copyright 2026 Executive Mosaic. All Rights Reserved.