CMMC: Back on Track and Headed for Enforcement

For years, defense contractors and their suppliers have been waiting for clarity on the Cybersecurity Maturity Model Certification (CMMC). The initiative has had a stop-and-go feel since its announcement, with deadlines shifted, rules rewritten, and enforcement delayed. Many companies in the defense industrial base began to wonder if it would ever truly arrive.

That period of uncertainty appears to be over. With the Department of Defense’s (DoD) new rule package cleared for publication in the Federal Register on September 10th, 2025, CMMC is moving from theory to reality. “We didn’t want to lose credibility and just cry wolf,” said Christoph Eicken, PhD, Chief Operating Officer of Ecuron™ Inc., a CMMC Registered Practitioner Organization, in a recent chat with WHN. “Now that finally things are moving along, it’s actually being put into contracts soon.”

What is CMMC?

The Cybersecurity Maturity Model Certification is the DoD’s framework for protecting sensitive but unclassified information that flows through the defense supply chain. It does not introduce a new body of security controls; it is a certification program layered on top of long-standing cybersecurity requirements already in the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS). In practice, it is a set of steps every DoD contractor and subcontractor must take to safeguard the systems (email, workstations, servers, and so on) that hold this data against outside attackers, including nation-state actors, and against insider risk.

Two categories of information drive the program:

– Federal Contract Information (FCI): Information not intended for public release that is provided by or generated for the U.S. Government under a federal contract to develop or deliver a product or service to the Government. It does not include information the Government makes public (for example, on websites) or simple transactional information needed to process payments. Examples include project schedules or basic purchase details.

– Controlled Unclassified Information (CUI): More sensitive than FCI, CUI includes technical data such as engineering drawings, schematics, specifications, and research information that, while not classified, could pose a risk to national security if compromised. Unlike FCI, CUI is supposed to be marked.

CMMC is designed to ensure this information remains secure no matter where it resides—whether at a prime contractor or a small harness shop several tiers down the chain.

Clearing Up Misconceptions

Many in the industry assumed CMMC might be abandoned under the Trump administration, particularly during broader cost-cutting discussions. In fact, it was born under Trump’s first term. “This whole CMMC program was actually started under the first Trump administration,” Christoph explained. “Those cost-cutting efforts you may have heard about under DOGE never put CMMC on the chopping block, because the program doesn’t cost the DoD anything. In contrast, it ensures that the DoD receives what it’s paying for.”

The program’s turbulence came under the Biden administration, as rollout schedules shifted multiple times, prompting frustration and the sense that the “goalposts” kept moving. The big change was that the requirements were scaled back significantly to align with the long-standing FAR and DFARS requirements. With the recent approval of the Defense Federal Acquisition Regulation Supplement (DFARS) rule by the Office of Information and Regulatory Affairs (OIRA), the initiative is now back on track. […] of CMMC to a senior DoD cybersecurity role underscores that momentum.

Who Must Comply

If you are doing business with the DoD, directly or indirectly, CMMC applies to you. That means not just the Lockheeds and Boeings of the world, but also the niche suppliers that produce components, wiring harnesses, electronic assemblies, PCBs, or specialized metal treatments.

“An estimated 80,000 companies will be required to become CMMC Level 2 certified. But even the DoD doesn’t have a clear picture of the exact number of sub-sub-subcontractors,” Christoph noted. “But if you touch DoD-related FCI or CUI, you’re in scope.”

The key is this: CMMC requirements flow down through the supply chain. If your product, service, or component is part of a DoD contract—even if your direct customer is another supplier—you will need to demonstrate compliance at the appropriate level.

The Three Levels of CMMC

CMMC 2.0, the streamlined version introduced in 2021, includes three levels of certification:

– Level 1 – Foundational
  Focused on protecting FCI, Level 1 requires companies to implement 15 basic safeguarding requirements (the FAR 52.204-21 set; the earlier CMMC 1.0 model listed 17 practices), such as password and authentication controls, malicious-code protection, and limiting system access to authorized users. Contractors must perform an annual self-assessment, enter the results in the Supplier Performance Risk System (SPRS), and affirm compliance each year.

– Level 2 – Advanced
  This level addresses CUI and aligns with the widely recognized NIST SP 800-171 standard. It includes 110 security requirements covering access control, incident response, configuration management, and more. Most companies handling CUI will fall into Level 2. Depending on the contract, compliance is demonstrated either by a self-assessment (Level 2 (Self)) or by a third-party assessment performed by a CMMC Third-Party Assessment Organization (Level 2 (C3PAO)).

– Level 3 – Expert
  Reserved for contractors handling the most sensitive CUI, typically the largest primes, Level 3 adds a government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) against a subset of NIST SP 800-172 requirements, on top of a Level 2 (C3PAO) certification. Christoph estimates that only about 1,500 companies nationwide will fall into this category.

Phased Rollout

DoD is not flipping the switch overnight. Instead, certification requirements will be introduced in phases:

– Phase 1 (from November 2025): Most companies will begin with self-assessments at Level 1 or Level 2, while DoD retains the discretion to require Level 2 (C3PAO) assessments in select contracts.
– Phase 2 (from November 2026): Third-party (C3PAO) assessments become the standard for Level 2 contractors, reducing reliance on self-assessments; DoD may begin requiring Level 3 on some efforts.
– Phase 3 (from November 2027): Level 2 (C3PAO) applies to all applicable awards, and Level 3 (DIBCAC) requirements take effect, though they apply only to a limited number of contracts, likely major primes.
– Phase 4 (from November 2028): Full implementation, with CMMC requirements in all solicitations and contracts involving FCI or CUI, including option periods on earlier awards.

This phased approach is intended to smooth the transition, but Christoph cautioned against complacency. “The DoD has the right to put certification requirements in contracts already in Phase 1. So it’s really at their discretion. Prime contractors can require certification requirements at any time,” he said.

Implementation Challenges

While the technical requirements of CMMC can be demanding, Ecuron has found that the hardest part for many companies is simply understanding where their sensitive information resides.

“One of the most important things in CMMC is to get the scope right,” Christoph explained. “The whole point is to protect FCI and CUI, and this is a surprisingly huge pain point for companies. They don’t really know how the information flows into their systems, how it moves throughout the company, and where it lives. That’s the foundation—and if you get that wrong, nothing else works.”

This scoping issue ripples across departments. Sales teams, contract managers, and manufacturing staff all play a role in handling CUI, which means compliance cannot be siloed in IT. “One of the biggest things in general is that it’s being treated as an IT issue, and CMMC is much broader,” Christoph emphasized.

Preparing for Certification

Ecuron and other Registered Practitioner Organizations do not conduct the certifications themselves—that’s the job of C3PAOs. Instead, they help companies get ready by assessing current practices, identifying gaps, and designing remediation plans.

“The process is always the same,” Christoph said. “First we take a look at what is in place, understand how the data flows within the company to tackle scoping. From there, we help implement what’s missing, and later support clients in maintaining compliance.”

This preparatory work can make the difference between a smooth audit and a costly setback. For small suppliers with limited resources, getting ahead of the curve is especially important.

Looking Ahead

With the Federal Register publication scheduled for September 10th, the clock is ticking. Contractors and subcontractors who want to stay competitive in the defense space should begin preparing now. As Christoph put it: “Most important thing is to figure out how your FCI and CUI come into your company, how it flows, and how to minimize that scope to reduce cost and liability. If you know that, you’re already halfway there.”

Bottom Line

For years, reporting on CMMC felt like warning of a storm that never arrived. But with rules moving into contracts and assessments on the horizon, the program is no longer hypothetical. It is a requirement—one that will reach across every tier of the defense supply chain.

For the wiring harness industry and related sectors, the November 10th, 2025 effective date marks not just another deadline but the real beginning of enforcement. Companies that act now to understand their data, define their scope, and prepare for certification will be ready when the rule takes effect. Those who delay risk more than noncompliance—they risk being left out of future DoD opportunities.

If you would like to keep on top of CMMC news or would like more information, check out Ecuron’s website (https://www.ecuron.com) and sign up for their newsletter. If you have any specific questions for Christoph, you can reach him at [email protected].

Phased Roll Out of CMMC (target start dates based on the September 10th, 2025 publication):

– Phase 1
  Target start: Nov. 10th 2025 (effective date of the 48 CFR rule)
  In solicitations/contracts: DoD intends to require Level 1 (Self) or Level 2 (Self) for all applicable awards; at DoD’s discretion, Level 2 (C3PAO) may be required instead of Level 2 (Self) in some cases.

– Phase 2
  Target start: Nov. 10th 2026 (1 year after Phase 1 start)
  In solicitations/contracts: In addition to the Phase 1 requirements, DoD intends to require Level 2 (C3PAO) as a condition of award for applicable efforts; at its discretion, DoD may begin requiring Level 3 (DIBCAC) on some efforts.

– Phase 3
  Target start: Nov. 10th 2027 (1 year after Phase 2 start)
  In solicitations/contracts: Level 2 (C3PAO) for all applicable awards (and for options on contracts awarded after the effective date). DoD also intends to require Level 3 (DIBCAC) for all applicable awards, with discretion to place the Level 3 requirement at an option period.

– Phase 4 (full implementation)
  Target start: Nov. 10th 2028 (1 year after Phase 3 start)
  In solicitations/contracts: CMMC requirements in all solicitations and contracts that include FCI or CUI, including option periods on contracts awarded prior to Phase 4.