Earlier this month, DoD issued the long‑awaited final DFARS rule implementing CMMC, with an effective date of November 10, 2025 and a phased rollout under which CMMC requirements will be applied selectively in Years 1–3, then become mandatory for all contracts involving FCI/CUI starting November 10, 2028 (excluding purely COTS contracts). Program offices now have discretion to insert CMMC requirements into new solicitations during the initial phase, which will make requirements uneven across portfolios and timeframes.
Recent industry commentary highlights that the Pentagon is actively seeking feedback from small businesses about their plans and challenges for complying with CMMC 2.0, signaling that the Department is attuned to potential supply‑chain disruption but not backing away from enforcement. The messaging stresses that small firms must begin assessing and upgrading cybersecurity controls now if they want to remain eligible for defense work.
This environment creates both risk and opportunity: small GovCon firms that achieve early CMMC readiness can differentiate themselves in teaming discussions and recompetes, while laggards may find themselves locked out of IDIQ teams, OT consortia, and sensitive task orders. Executives should align capex, IRM, and proposal positioning around a clear CMMC story that can be credibly communicated to both DoD customers and primes.
For GovCon executives, this is now a live go/no‑go decision and an investment‑gating factor rather than a future risk: pipeline reviews must identify where CMMC clauses are likely to show up first, and mid‑tier and small defense contractors need concrete POA&M‑to‑certification roadmaps tied to 2026–2028 recompetes. BD leaders should also expect OEMs and large primes to tighten CMMC‑related flow‑down and due‑diligence standards for subs, affecting teaming, NDA/MSA templates, and bid‑team composition.
