Why 2025 Will be the Toddler Year of CMMC

January 20, 2025

It is again that time of year when everyone is asked to dust off their crystal ball and make predictions about the upcoming year. While most in my industry will be talking about cybersecurity and AI, I’m going to dive a bit into Department of Defense (DoD) cybersecurity compliance.

Unless you have been hiding under a rock (let me know if you have some extra space for me), you probably know that the DoD’s Cybersecurity Maturity Model Certification (CMMC) 2.0 is now in effect. As you read this, we are already seeing DoD solicitations being published requiring either proof that the vendors are CMMC certified or that at a minimum, they have their assessment scheduled.

So, we are now in year one of a three-year rollout of CMMC, and it is appropriate to think of CMMC as a toddler right now. While we see the potential future of this entity, we also see firsthand the chaos and destruction that those chubby little hands can bring. Time to put away the nice dishes and to child-proof the living room.

My prediction is that CMMC is going to cause a lot of challenges and stress for both the DoD and the Defense Industrial Base (DIB) in 2025. This prediction shouldn’t come as a shock to anyone who has been paying attention at all, but I do think it is going to be worse than most have predicted.

Why? Well thanks for asking.

First, I think we’ll see a political battle within the new administration over whether CMMC should be killed outright. We have already seen some minor congressional action attempting just that, and with a new administration we will see new leadership across the DoD. Irrespective of the cybersecurity benefits of CMMC, it may be seen as excessive government overreach on industry, and attempts will be made to either kill it outright or further water it down to reduce the burden on industry. Never mind the fact that NIST SP 800-171 has been a contractual requirement for years.

This political uncertainty will have industry questioning whether they need to, or should, invest the time and money into becoming compliant, or whether they should wait and see if CMMC does get killed. However, until it gets killed, if it gets killed at all, it is still the law of the land, and not pursuing CMMC may impact their ability to compete for DoD contracts.

Secondly, I think that despite a three-year rollout period, many more program management offices will start requiring CMMC compliance in 2025 than expected. I spent years in multiple program management offices, and I’d add CMMC in a heartbeat if I were allowed to. At first glance, there are no downsides to adding CMMC, and verifiably improved cybersecurity has many upsides. If a company can’t meet its CMMC requirements, that says it has likely been non-compliant with its existing NIST SP 800-171 requirements. Why would I want to trust it with new contracts? I really would rather work with a company that takes cybersecurity seriously, and especially the security of the government data I share with it, than with someone else.

What may not be appreciated, at least initially, in these program management offices is how much your CMMC requirements will reduce your available competition, and thus either prevent you from finding a qualified and affordable contractor to award the contract to, or drive increased contract costs due to a lack of competition. I’ll give kudos to the Army with their NCODE initiative, as it clearly shows that they understand the potential CMMC burden and have stepped up to minimize that impact. I hope the other Services follow suit.

Thirdly, I think there will be a larger demand for CMMC compliance from major DoD primes than from most DoD program offices. For DoD primes, it is about reducing their supply chain risk and their legal exposure. They will want all of their suppliers CMMC’d, or in the process of being CMMC’d, in short order so they can compete for the huge and profitable contracts without any concern about CMMC. I think many smaller suppliers who looked at that three-year rollout period and relaxed will find themselves in a bind in 2025 as they look at new deadlines set by their primes.

Fourthly, there simply isn’t likely to be enough audit capacity to meet the demand in 2025, especially if the demand is much higher than the DoD estimates, as I expect it to be. If you haven’t already signed a contract with a C3PAO and scheduled your 2025 CMMC assessment, it is only going to get harder in the days ahead to get on an auditor’s schedule. This will lead companies down the self-assessment path, hoping they can delay the requirement for an independent assessment. Depending on their specific circumstances, this may work, or it may blow up in their face. However, even a self-assessment takes resources and time, and it really isn’t something you should pencil whip.

I could go on, but I think I’ve made my case that 2025 is going to be the year of the CMMC toddler, chubby uncontrolled swinging arms and all. There are certainly going to be some serious growing pains. However, I want to wrap up this post with a reminder of how we got here. There have been several cases where a foreign government has successfully compromised a DoD contractor and we either suspect or can confirm that critical data was stolen. The impact of this ranges from simply ignoring it, to making minor or major design changes to a program, up to canceling a program outright. My point is that CMMC, at its core, is about improving our national security, not simply adding one more cybersecurity compliance requirement on top of all the other requirements we force DoD contractors to accept. As structured under 2.0, the DoD has made an intentional effort to minimize the impact while holding the line on a set of minimum cybersecurity requirements. That being said, there is still a lot of work across the DIB to reach a suitable level of compliance.

So, welcome to 2025. I know that in 2025 I’ll continue to watch closely what happens to CMMC and how the DIB ecosystem responds to it. While there will be some challenges ahead, I do look forward to having a higher bar for cybersecurity across the community. I think the citizens who pay for our contracts through their tax dollars deserve our best effort to protect this critical data.

John Allison
Sr. Director of Federal Advisory Services | Optiv + ClearShark
John Allison spent 24 years in the Air Force, doing systems engineering, weapons research, program management, and intelligence analysis. He retired in 2015 and started his civilian career focusing on bringing to market compliant cloud solutions including DoD and FedRAMP offerings for both large companies and small startups. Throughout his career he's been called on as the technical and compliance expert and has a passion for bridging the gap between the Government's need for solutions and innovative non-traditional companies.

About Optiv + ClearShark™

Optiv + ClearShark is a cybersecurity and IT solutions provider focused exclusively on serving the U.S. federal government. From the data center to the cloud to the edge, we have decades of experience securing and modernizing federal agency data and infrastructure. Our world-class advisory and engineering team is comprised of mission-focused, results-driven subject-matter experts with deep technology and agency domain knowledge and security clearances.

Part of Optiv, the cyber advisory and solutions leader, Optiv + ClearShark partners with federal agencies to advise, deploy and operate complete cybersecurity programs.