November 10th is Coming: Is Your CMMC Clock Ticking?

Ken Mendelson AIGP, CISSP, CIPP, CISA October 16, 2025

The Department of Defense (DoD) has finalized its game-changing Cybersecurity Maturity Model Certification (CMMC) rules, ushering in a new era of accountability for the Defense Industrial Base. The timeline is now very short: These new requirements become effective on November 10th. If your company, or your subcontractors, handle sensitive government data — be it Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) — you have no choice but to act, and act quickly.

What You Need to Know About CMMC, Right Now

DoD is not wasting any time. Starting this November, contracting officers have the authority to include CMMC compliance as a condition for winning new contracts and for exercising option periods on existing ones. This is not a gradual ramp-up you can defer; it is the new reality of contract eligibility.

The new CMMC rules establish a tiered framework determined by the government, based on the sensitivity of the information involved:

  • Level 1 (FCI): Requires an annual self-assessment of basic cybersecurity hygiene.
  • Level 2 (CUI): The most common level, which requires a self-assessment annually, or a more rigorous external assessment by a certified third-party assessor organization (C3PAO) every three years, depending on the contract’s risk profile.
  • Level 3 (High-Value CUI): Reserved for the most sensitive contracts, requiring everything set forth in Level 2 (with additional controls), plus an assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years.

For prime contractors, the responsibilities aren’t limited to their own networks. Primes are now explicitly required to flow down the appropriate CMMC requirements to their subcontractors and must verify their current compliance status before they can begin work.

The Hidden Risks of Non-Compliance with CMMC Rules

It is critically important to understand the new emphasis on continuous compliance. Your compliance status is only “current” if there have been no changes that would affect your security posture since your last assessment. This creates a significant risk because failing to maintain continuous compliance could lead to contract disputes and serious enforcement action, including False Claims Act liability.

While a Plan of Action and Milestones (POA&M) can temporarily grant you a Conditional Level 2 or 3 status, you have only 180 days to close those compliance gaps. This short timeline means you cannot afford to delay.

Your Next Move: Don’t Audit Yourself First

Conventional wisdom dictates that contractors and subcontractors should act now, but act smartly. Before you schedule an official assessment or conduct an internal self-assessment that could expose unmitigated risks, consider a privileged readiness review.

Working with an outside expert may allow you to pressure-test your systems and identify gaps under attorney-client privilege. This could shield sensitive findings while you rapidly remediate issues, ensuring that when you finally attest to compliance or face an official assessment, your organization is secure, your documentation is flawless, and your liability risks are minimized.

The bottom line is simple: Eligibility now hinges on proven compliance. Partnering with experienced professionals, like Guidepost Solutions, ensures you identify risks, close gaps, and confidently achieve compliance. Secure your systems, validate your documentation, and be prepared to move forward when those new solicitations take effect in November.

Ken Mendelson AIGP, CISSP, CIPP, CISA

Senior Managing Director

Ken Mendelson has spent more than 30 years at the intersection of law, information technology and public policy. As a member of the National Security Practice, Ken manages governance, risk and compliance projects and investigations, and conducts monitorships and third-party audits in connection with mitigation agreements enforced by the Committee on Foreign Investment in the United States (CFIUS). In addition, he assists established and emerging companies with implementing and maintaining cybersecurity and privacy programs by developing cybersecurity policies, procedures and guidelines, and conducting risk-based cybersecurity assessments.