The Clock is Ticking: DoD Cyber Compliance Becomes Contract Reality. CMMC is happening.
On August 25, 2025, the U.S. government quietly cleared the final hurdle to make the Cybersecurity Maturity Model Certification (CMMC) a binding requirement for Department of Defense (DoD) contracts. With this approval, CMMC moves from policy talk to enforceable reality, and it will go live in October 2026.
For years, the question lingered: would CMMC ever actually show up in contracts? That debate is now over. Starting in 2026, DoD contracting officers will have the authority to require a specific CMMC level in solicitations and awards. Without certification, companies will simply not be eligible to compete.
What This Means for Contractors
The defense supply chain is massive, covering 220,000–300,000 contractors and subcontractors.
Roughly 80,000 organizations are expected to require Level 2 certification—a big lift given that fewer than 300 hold final certification today.
Once the rule takes effect, companies will need their status logged in the Pentagon’s Supplier Performance Risk System (SPRS) to be considered for awards.
The clearance process, handled by the Office of Information and Regulatory Affairs (OIRA), moved at a brisk pace of just 34 days. That speed shows how much of a priority this is for both the Defense Department and the Trump administration. Once published in the Federal Register, the rule will have an effective date within 1 to 60 days, officially starting the countdown to compliance.
The Bottom Line
CMMC is no longer a policy idea; it’s a contract requirement. Defense contractors who don’t begin preparing now risk losing eligibility for DoD work in just over a year.
Get certified. Reach out to web@c1risk.com or visit c1risk.com to learn more.