DoD Clears Path for CMMC Rollout with Regulatory Progress and Cost-Effective Certification Model

In a significant step toward full implementation of the Cybersecurity Maturity Model Certification (CMMC) program, the Department of Defense (DoD) is tackling two longstanding challenges that have delayed the effort for years: regulatory barriers and affordability for small and medium-sized businesses. Speaking at the Professional Services Council’s Acquisition Conference, Stacy Bostjanick, DoD’s Chief of Defense Industrial Base Cybersecurity, detailed how the agency is overcoming both issues to bring the program closer to reality.

After finalizing the initial rule establishing CMMC as a formal initiative last summer, DoD is now close to submitting a second critical regulation to the Office of Management and Budget’s Office of Information and Regulatory Affairs (OIRA). This pending rule, which will amend the Defense Federal Acquisition Regulation Supplement (DFARS), is expected to solidify key CMMC requirements, including definitions for controlled unclassified information (CUI) and formal solicitation provisions. The regulatory process was delayed by a Trump-era freeze and executive order mandating the repeal of ten existing rules for every new one—a complication that placed the CMMC DFARS rule in a holding pattern. With that freeze now lifted, DoD is reaffirming its commitment to seeing CMMC through, dispelling rumors that the initiative might be abandoned.

Simultaneously, DoD is addressing the economic hurdles facing the defense industrial base, particularly the smaller contractors required to comply with CMMC Level 2 or Level 3. Out of approximately 220,000 to 300,000 companies in the defense supply chain, an estimated 80,000 will need to reach Level 2 compliance and around 1,500 will need Level 3. The limited number of accredited CMMC Third-Party Assessment Organizations (C3PAOs), currently hovering around 50 to 60, has raised concerns about backlogs and resource shortages.

To combat these bottlenecks, DoD recently piloted a promising solution in collaboration with managed service providers (MSPs) and cloud service providers (CSPs). The pilot demonstrated that shared service models can significantly reduce both the time and cost required for certification. One company, for instance, was able to go from zero to 110 NIST SP 800-171 controls in just two months at a cost of $1,300 per seat, plus $32,000 for the assessment—results considered highly cost-effective by federal standards. While MSPs can prepare contractors for compliance, the final assessment still must be conducted by an unaffiliated C3PAO, maintaining the program’s integrity and independence.

According to Bostjanick, many of these providers now offer templates, technical guidance, and step-by-step support to assist contractors through the compliance journey. Importantly, contractors working with MSPs can inherit between 80% and 90% of required cybersecurity controls, reducing the complexity of implementing safeguards internally. However, she emphasized the need for companies to thoroughly understand and follow their customer responsibility matrix, which outlines the remaining controls they must address independently.

Major cloud vendors—including Microsoft, Google, Amazon Web Services, and Oracle—have joined the effort, partnering with MSPs to provide compliant environments, often through secure virtual desktops. Some of these systems even support automatic transition to continuous monitoring modes if sensitive data is downloaded outside of approved platforms. This integration of technical capability and regulatory compliance is a promising development for the defense ecosystem.

DoD is also developing an online marketplace, in collaboration with the Cyber AB (the accreditation body for CMMC), to showcase approved MSPs and CMMC-support services. Bostjanick noted that criteria for listing on this platform are still being finalized, but she expects the marketplace to help contractors navigate the complex cybersecurity landscape more easily and affordably.

Despite all this momentum, it will be more than a year before CMMC becomes a standard part of contract awards. In the meantime, DoD is planning a phased rollout. The initial six-month phase will still allow self-attestation, but with tighter constraints: companies must close out plans of action and milestones (POA&Ms) within six months, a dramatic shift from previous timelines that stretched indefinitely. Annual affirmations of compliance with NIST 800-171 will also be required.

Bostjanick concluded with an optimistic outlook, praising industry partners for stepping up to the challenge and delivering affordable, scalable solutions. With regulatory clarity on the horizon and a growing ecosystem of MSPs and CSPs offering turnkey compliance services, the long-awaited CMMC program appears to be finally turning the corner.

Disclaimer: This summary is for informational purposes only and does not guarantee accuracy or offer legal or regulatory advice. For the full article, visit Federal News Network: https://federalnewsnetwork.com.
