US defence firms race to meet strict new DoD cybersecurity rules
The US Department of Defence (DoD) is pressing ahead with the phased enforcement of its Cybersecurity Maturity Model Certification (CMMC), placing thousands of defence contractors in a race to prove their compliance or risk losing contracts and revenue streams. As deadlines approach, industry participants are weighing the timelines against the practical realities of certification and the risk of being shut out of new or existing work.
Compliance deadlines
The rollout of CMMC is tied to the Title 48 rule, which will require contractors and subcontractors to document compliance with enhanced cybersecurity standards. By November 2025, all new DoD contracts will require companies to submit a self-assessment score to the Supplier Performance Risk System (SPRS), with a minimum threshold of 88 out of 110 for Level 2 certification. As the staged enforcement continues, select contracts will mandate third-party audits by November 2026, while all option periods and renewals are brought under compliance by November 2027. Full enforcement, covering almost all contracts except those for commercial off-the-shelf (COTS) items, will arrive by November 2028.
Contracting challenges
The phased approach does not guarantee a gradual transition for every supplier. Contracting officers hold broad discretion to initiate compliance requirements early, creating unpredictability for suppliers. Prime contractors are reportedly increasing oversight and placing new obligations on their subcontractors, with some already withholding new purchase orders from partners lacking clear evidence of compliance progress.
"The reality is, this goes way beyond IT. CMMC is about policy, procedure, personnel, and even physical security. It's an organizational state of compliance that companies need to be able to demonstrate fully," said Charlie Sciuto, Chief Information Security Officer and Chief Technology Officer, SSE.
Assessment bottlenecks
Concerns over certification timelines are being compounded by capacity limits in the compliance ecosystem. Of an estimated 300,000 organisations in the Defence Industrial Base, approximately 80,000 must meet Level 2 certification by late 2026. Yet, fewer than 2% are currently certified, and with fewer than 100 Certified Third-Party Assessment Organisations (C3PAOs) available across the US, a severe backlog is anticipated. The assessment process itself often takes between six and nine months, presenting logistical hurdles for late adopters.
"This is like a thousand-lane highway suddenly merging down to ten lanes. Companies that wait will find themselves in a traffic jam with no way to get certified in time for an award," said Sciuto.
Financial risks
Non-compliance extends beyond delays. Primes are reportedly ranking suppliers by their SPRS scores and restricting the flow of controlled unclassified information (CUI) where necessary. Additionally, deliberate misrepresentation of compliance status could trigger liability under the False Claims Act, with damages of up to three times contract value. However, Sciuto warns that the more immediate threat is exclusion from bidding rounds and loss of expected revenue.
"You may be working on a program and expecting a new task order in 2026. If you're not prepared to submit a compliant self-assessment, your prime may tell you, 'Sorry, you can't participate.' That's revenue you were counting on, and now it's gone overnight. It's not just about penalties and damages; it's about being out of the game," said Sciuto.
Path to compliance
Companies are urged to start with a gap assessment to identify their readiness for CMMC. Such assessments, typically taking about four weeks, provide a basis for remediation projects, which may last two to three months. Mature organisations may achieve readiness in three to six months, but less mature ones could take up to nine months. Engaging Registered Provider Organisations accredited by the Cyber AB can help streamline preparation, while selecting experienced assessors is considered essential.
"Get a gap assessment from someone who's been through and passed the certification process themselves. It's a very different conversation when you're talking to someone who can say, 'Here's exactly what an auditor will expect to see,'" said Sciuto.
As enforcement tightens, early engagement with assessors, effective project management, and clear internal ownership of cybersecurity practices are emphasised.
"Those who knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices or protocols, or violate obligations to monitor and report cybersecurity incidents and breaches must be held accountable. Enforcement efforts like this should serve as a reminder to industry to prioritise DoD cybersecurity compliance," said Stacy Bostjanick, Chief Defence Industrial Base Cybersecurity, DoD CIO.