This article was featured on i95Business, October 6th, 2025
The CMMC program is a lightning rod. A program of the Department of Defense, now the Department of War, the Cybersecurity Maturity Model Certification (CMMC) is a verification program intended to safeguard the sensitive data shared with contractors in the Defense Industrial Base (DIB), align their security with NIST standards and ensure accountability.
Hampered by repeated delays, and considered by many to be difficult to implement, it earned the disdain of contractors over a span of years. As recently as August 2025, vocal parties questioned whether the rule would ever go into effect.
Nevertheless, the CMMC rule was fully published in September 2025. Starting November 10th, 2025, CMMC requirements will begin to be included in all DoW solicitations and contracts over a phase-in period.
In truth, the transition is already underway: official CMMC C3PAO assessments began in January 2025. After 10 months of delivering those assessments as one of fewer than 100 authorized C3PAOs, I can say with confidence: CMMC will change everything.
If it sounds dramatic, that’s because it is. When CMMC is implemented fully across an organization, it can be nothing short of transformative: not only for individual businesses that had not yet embraced cybersecurity, but for our nation and, by extension, the world.
The United States carries authority and influence across the globe. That power makes us a target. Natural boundaries to our east and west have protected us from invaders and kinetic warfare. Times and technology have changed; the nation that can accumulate, organize, defend and wield information has the upper hand. The greatest vulnerabilities in our information-based society are technology environments where the endpoints and their users are not well secured.
This is where CMMC comes in. Our national defense supply chain consists of thousands of businesses, many of which decide for themselves how to secure the data entrusted to them, often in vulnerable systems. CMMC sets a uniform bar for security throughout the defense ecosystem.
Its influence will ripple far beyond checklists and controls. CMMC will transform how organizations choose subcontractors and primes, who they trust to form joint ventures and which service providers they bring into their orbit. It will affect mergers and acquisitions, dictate which cloud platforms are viable and reshape daily operations. From higher education institutions and the largest defense primes to the smallest machine shops - every part of the DIB is in scope.
And here’s where the world-changing potential becomes clear: CMMC is not just a defense rule; it’s a global signal. Just as GDPR reshaped how companies worldwide approach privacy, CMMC will set expectations for how organizations handle sensitive data like Controlled Unclassified Information (CUI). International subcontractors and partners who want to work with U.S. defense contractors will need to meet the same standards. Over time, the gravitational pull of CMMC could elevate cybersecurity practices far beyond the DIB, creating a global baseline of protection.
While CMMC 2.0 stops short of requiring “maturity” in the way CMMC 1.0 did, the intent remains: organizations are expected to build stronger security practices and greater operational maturity over time. That’s especially critical for small businesses, which may not have prioritized operational excellence before. But make no mistake - businesses of any size that embrace the CMMC model are building more than compliance programs. They are building repeatable, effective policies and practices, and well-run businesses that prioritize security benefit everyone - from warfighters to citizens and allies across the globe.
Choosing to work with the DoW or federal agencies is more than a contract decision - it’s a commitment. Not every business will stay the course, and some will inevitably exit. That’s okay. We can’t afford, as a nation, the continued theft or corruption of data that puts all of us at risk. Competition is healthy, but it doesn’t outrank the safety of our neighbors or the warfighters.
Here’s where the real power lies: small businesses, aligned and empowered, working together to safeguard information. CMMC provides a common framework that builds consistency and resilience across the supply chain.
At its core, this is about more than compliance. It’s about the uniquely American mix of sacrifice and capitalism: doing what’s hard because it’s necessary, and in the process, raising the standard for everyone. Eventually, every business that works with the DoW will be required to meet the same bar. When that happens, CMMC won’t just transform the DIB - it will push cybersecurity maturity forward across the entire country.
One of the most world-changing aspects of CMMC is the shift it forces in the tools DIB organizations can use. The future of the DIB is rooted in cloud applications, the lifeblood of today’s dispersed, global workforce. But when sensitive information like CUI is on the line, not all clouds are created equal.
Under CMMC, the choices narrow. Contractors must rely on cloud providers that meet FedRAMP Moderate (or equivalent) standards or higher. FedRAMP, the Federal Risk and Authorization Management Program, sets a rigorous, government-wide baseline for security assessments, authorizations and continuous monitoring of cloud services. In short, it ensures that the platforms federal agencies and their partners use are tested, verified and continually secured.
Why does this matter? Because FedRAMP-authorized clouds set the bar high. While no system can promise perfection, these platforms undergo intense scrutiny designed to keep CUI locked down. Multiply that level of protection across millions of users, and the impact is monumental: a safer, more resilient digital environment for both businesses and the nation.
Here’s where the ripple effect comes in. The economics of supply and demand will encourage more companies to make the investment to become FedRAMP-authorized. As adoption grows, secure cloud platforms will become the rule rather than the exception. That’s how CMMC, by demanding higher standards, has the potential to reshape the entire technology marketplace, not just the DIB.
Committing to CMMC reshapes the way companies build partnerships, whether through joint ventures, subcontracting relationships, or external service providers. The framework includes strict flowdown requirements: any subcontractor or external partner who handles CUI is held to the same security obligations as the prime.
This changes the calculus of collaboration. A partner or vendor who can’t pass CMMC isn’t just a risk to themselves – they’re a liability to the entire contract.
And this shift doesn’t stop at U.S. borders. Many primes and defense contractors rely on international subcontractors, suppliers and service providers. Flowdown includes those partners as well. For the first time, U.S. cybersecurity requirements are effectively setting the bar for global players, too.
The ripple effect is enormous. Smaller businesses that invest early in CMMC compliance will become more attractive to primes looking for reliable partners. External and cloud service providers will need to raise their game if they want to stay in the defense ecosystem. Over time, the entire marketplace of partnerships - domestic and international - will shift toward organizations that take security seriously.
That’s how CMMC becomes a filter that separates the worthy from the weak links. It contributes to building a global supply chain where trust is earned.
CMMC is a new program for everyone. Organizations that have already prioritized CMMC are now being assessed by C3PAOs, and we can learn from the findings of those early assessments.
Contractors define the scope of the assessment by determining where FCI and CUI flow within their organization. They then engage a C3PAO to conduct the assessment. After reviewing the 110 controls, the C3PAO determines whether the organization has MET each of them.
Companies achieving Level 2 status right out of the gate earn bragging rights and are well positioned to take the early wins when contracts begin requiring CMMC certification in November. The dividends on these early movers’ investments are already apparent: primes and other contractors are hustling to fill teams and to partner with organizations that will not be a liability to them.
After dozens of assessments, here are the trends we are observing:
The lessons from these early assessments are clear: progress is being made, but real gaps remain. Organizations that take the time to build detailed documentation, define clear system boundaries, and gather the right evidence are setting themselves up to pass an assessment and to strengthen their operations for the long term. On the other hand, rushing to compliance with vague SSPs, noncompliant cloud tools, or inexperienced providers only delays the inevitable. CMMC isn’t about quick fixes; it’s about building sustainable practices that prove security is real and repeatable.
And the impact doesn’t stop at the Defense Industrial Base. As primes, subs, and service providers around the world adjust to these new requirements, the ripple effect of CMMC will raise the standard for cybersecurity everywhere. Just as GDPR reshaped global approaches to privacy, CMMC is positioned to transform how organizations worldwide safeguard sensitive data. For those willing to do the work, the payoff is more than compliance – it’s resilience, credibility, and a stronger, more secure role in the global economy.