CMMC 2.0 is moving forward at the Department of Defense despite a potentially high-ranking official promising to review the effort if confirmed.
Cybersecurity Maturity Model Certification 2.0 is DOD’s framework for assessing contractor implementation of cyber requirements and improving their protection of unclassified information in the DOD supply chain. The program provides DOD with better assurance that government contractors and subcontractors are meeting the cybersecurity requirements for nonfederal systems processing controlled unclassified information—a.k.a. CUI—or federal contract information. The final CMMC 2.0 rule made it a requirement for bidding on defense contracts.
Katie Arrington, performing the duties of DOD chief information officer and a previous Wash100 Award winner, is pushing CMMC 2.0 forward after founding the program during the first administration of President Donald Trump. Contractors previously were only required to self-certify compliance with National Institute of Standards and Technology Standard 800-171, which provides federal agencies with recommended security requirements for protecting the confidentiality of CUI.
Get insights into how the Trump Administration will implement CMMC 2.0 at the Potomac Officers Club’s 2025 Cyber Summit on Thursday. Meet, learn and connect with DOD leaders, defense experts, research officials and industry executives at this can’t-miss event. Time is running out, sign up today!
Contractors are now required to use a third-party audit for CMMC 2.0 certification and many are unhappy about it.
“If you go on LinkedIn one more time and tell me how hard CMMC is, I’m going to beat you,” Arrington said, as reported by Washington Technology.
Who Is DOD’s Michael Duffey?
Contractors upset about CMMC 2.0 may receive relief from Trump nominee Michael Duffey, who was tabbed to be DOD undersecretary for acquisition and sustainment. Duffey told senators during his confirmation hearing that he would review CMMC 2.0 if confirmed. Redspin, a provider of cyber services involving CMMC 2.0, issued a report on GovCon preparedness for CMMC 2.0, saying most respondents did not feel ready for its requirements.
Duffey said in prepared remarks that it is important to improve cyber among defense GovCons without putting unnecessary requirements on small and medium-sized businesses. While these contractors, he said, can be more vulnerable to cyber attacks because of fewer financial resources, they play a pivotal role in supporting DOD.
“If confirmed, I will review the current requirements of the CMMC program and evaluate options to improve the requirements and implementation so that industry can affordably maintain pace with current cybersecurity best practices,” Duffey said.
What Is SWFT?
Arrington recently kicked off a new effort to improve how DOD acquires software that leverages CMMC 2.0. In a memo issued April 24, Arrington directed the development of the Software Fast-Track Initiative, or SWFT.
This will define clear and specific cyber and supply chain risk management requirements and stringent software security verification processes. It will also define secure information-sharing procedures and federal government-led risk determinations to accelerate cyber authorizations for faster software adoption.
Arrington said software providers will be required to provide her with DOD’s base risk scores on 12 characteristics of range, including CMMC 2.0. SWFT will use AI to evaluate contractor certifications for faster processing.
Key CMMC 2.0 Impacts for GovCons
CMMC 2.0 is a dramatic shift in how defense contractors must approach cyber compliance, according to a GovCon expert. Payam Pourkhomami, OSIbeyond president and CEO, said in GovCon Wire that contractors must meet one of three certification levels based on the sensitivity of the information they handle.
Level 1 requires annual self-assessments for federal contract information. Level 2 makes contractors either self-assess or provide third-party certification for CUI. The most strict, Level 3, requires DOD assessments for critical programs and high-value assets.
Non-compliance with CMMC 2.0, particularly when handling CUI, can lead to big consequences for GovCons. These include financial penalties, contract cancellations and long-term reputational damage.
GovCons can learn more about consequences for CMMC 2.0 non-compliance at the Potomac Officers Club’s 2025 Cyber Summit. Held on Thursday at the Marriott Fairview Park in Falls Church, Virginia, the Cyber Summit is the best opportunity for GovCons to learn directly from federal cyber leaders from the CIA, DOD, U.S. Air Force and the DOD Cyber Crime Center, among others. Few tickets remain; don’t miss out!
