September 11, 2025
Subscribe and listen to the Fed Gov Today Podcast anytime on Apple Podcasts, Spotify, or at FedGovToday.com.
The long wait is over — the Cybersecurity Maturity Model Certification (CMMC) Final Rule is out, and it officially takes effect November 10. For defense contractors, that means solicitations will soon include CMMC requirements, and preparation time is short. Government contracts attorney Eric Crusius, partner at Hunton Andrews Kurth, calls this moment the culmination of years of development. “It’s finally here, and it’s real,” he says. The Department of Defense (DoD) plans to implement the three-tier CMMC model in four phases over the next three years, beginning with a requirement for self-assessments in the first year.
Crusius notes that DoD will decide which contracts include CMMC requirements during the initial rollout. That means contractors won’t know in advance which solicitations will require certification. As a result, many companies may rush to complete assessments early to avoid missing out on contract opportunities. “If I own a business in the Defense Department space, I’m going to go out and get assessed,” he explains, even without certainty about which contracts will require it.
A major challenge, Crusius points out, is the limited number of assessors. There are fewer than 100 certified third-party assessor organizations (C3PAOs), each with a limited number of teams. With roughly 100,000 companies expected to need assessments, that’s about one team per thousand contractors — a recipe for a surge in demand. The phased approach is designed to prevent a bottleneck, but he warns that a “run on the bank” is still possible as deadlines approach.
Crusius encourages companies to ask pointed questions before hiring assessors or consultants. Businesses should know how many assessments a provider has completed, how many have been successful, and whether any results have been challenged by the government. “You don’t want to pay for it twice,” he says, noting that a faulty assessment could cost a company both time and contract opportunities.
He also flags a potential risk as more organizations jump into the assessment business to meet rising demand. While training requirements and standards exist to protect the integrity of the process, some assessors may be inexperienced. “There are always going to be folks who have higher standards than others,” Crusius observes. He urges caution, recommending that contractors work with qualified, well-trained assessors and avoid untested providers.
Crusius believes the DoD’s main priority is ensuring that enough qualified vendors are in the pipeline to bid on contracts — and that those vendors are taking cybersecurity seriously. He recalls early CMMC discussions where leaders made it clear: if companies don’t want to protect the information DoD is entrusting to them, they won’t be allowed to compete for business.