With new federal rules taking effect, Defense Industrial Base (DIB) companies can no longer afford to delay meeting cybersecurity mandates.
With the release of Title 48, U.S. Department of Defense (DoD) contract solicitations will soon begin requiring contractors to affirm their adherence to the Cybersecurity Maturity Model Certification (CMMC). Established by the DoD, CMMC is a framework designed to strengthen the cybersecurity posture of defense contractors, with requirements structured across three certification levels. Its goal is to protect sensitive unclassified data, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), throughout the defense supply chain.
Most DIB organizations will eventually need to undergo third-party assessments to achieve certification. Yet despite clear directives, many contractors and subcontractors continue to take a “wait and see” approach, believing they still have time to prepare. But given the often-lengthy certification process, waiting may prove costly: once a contract includes CMMC requirements, it’s too late to start. Companies must already be compliant or risk disqualification — jeopardizing future bids and damaging relationships with prime contractors who rely on them.
According to the DoD, most companies in the DIB will fall under CMMC Level 2 and must pass an assessment by a certified third-party assessor organization (C3PAO). Those that fail to meet the standard will not be awarded contracts. Those who falsely affirm compliance face serious consequences, including penalties and damages up to triple the full contract value, loss of DoD business, and long-term revenue disruption.
A pass-or-fail process
Achieving CMMC compliance isn’t just a box to check — it’s a rigorous, time-consuming process that can take months of preparation, especially for companies seeking Level 2 certification or higher. And according to cybersecurity experts, many organizations are significantly overestimating their readiness.
“Most businesses think they’re prepared,” says Charlie Sciuto, chief information security officer at St. Louis-based SSE, a provider of outsourced managed IT and cybersecurity services. “But in reality, many fall short when their program is held up to true audit scrutiny. This isn’t a casual review. It’s a pass-fail assessment that leaves no room for interpretation.”
SSE is a Registered Provider Organization (RPO), a designation established by the DoD to help companies prepare for CMMC. RPOs, accredited by the Cyber AB, provide services like gap assessments, remediation, policy development and continuous monitoring. While they can’t issue certifications (only C3PAOs can do that), RPOs are often the most practical and cost-effective way to get and stay compliant.
“CMMC is different from other audits, where you might be able to fix issues after the fact,” Sciuto explains. “This process is brutal because it’s binary: you either meet the requirement or you don’t. The assessor isn’t there to help or guide you. If you don’t have the compliance evidence in hand, you fail. It’s that harsh.”
Early action beats last-minute panic
That reality is pushing a growing number of companies to get proactive. One of them is Protection Engineering Consultants (PEC), an Austin, Texas-based consulting engineering firm specializing in physical security and protective design of structures and infrastructure to minimize risks related to terrorism, extreme accidents and natural disasters.
Rather than gamble with timing or attempt to go it alone, PEC began preparing early for CMMC Level 2 certification, knowing that future contract eligibility would depend on it. With a steady stream of important national security work tied to DoD programs and prime contractors, PEC understood that waiting could jeopardize its role in upcoming projects.
“We didn’t want to make the mistake of assuming we could pull this off last minute,” said Eric Sammarco, senior principal and information security officer at PEC. “By the time CMMC requirements start appearing in contracts, it’ll be too late to react. You either have it, or you’re out of the running.”
PEC had successfully built a NIST 800-171 program in-house prior to engaging with an RPO, but not without significant effort and cost.
“We did the DIY route before,” said Krystal Johle, principal and facility security officer at PEC. “It took months of internal work and a lot of overhead to get our score where it needed to be. With CMMC, we just did not have the desire or bandwidth to take on that risk again.”
Self-assessments miss the mark
They’re not alone. SSE, which completed a DoD Joint Surveillance Voluntary Assessment (JSVA) and was one of the few firms to achieve a perfect DoD score on its CMMC Level 2 certification, has seen the pattern repeatedly: companies believe they’re audit-ready when they’re not.
“On average, companies score a -84 in our evidence-based gap assessment findings,” says Sciuto. “However, in situations where companies had previously self-assessed and submitted their own score, their self-scoring is often as much as 124 points higher than the evidence-based reality. With CMMC, that’s not a near miss. That’s going to fail.”
The most common reason companies fall short is not their firewall or antivirus protections; it's documentation.
“Policies and procedures account for nearly half of what you’re being evaluated on,” explains Sciuto. “It’s not enough to say a control is in place. You need to show exactly how it works, who’s responsible, and provide ongoing proof that it’s being maintained over time. If you can’t produce that documentation, you will not pass. Period.”
Guidance makes the difference
The unforgiving structure of a CMMC audit is one reason PEC prioritized early preparation and partnered with an expert RPO to guide the process.
“We’re a small business,” notes Sammarco. “We don’t have a dedicated IT department or the resources to manage this on top of our day jobs. Working with an RPO meant we had experts walking alongside us, people who live and breathe this stuff. So, we weren’t on an island trying to interpret federal security standards.”
The RPO's guidance also helped make a complex and often overwhelming process more manageable.
“They didn’t just hand us a report and walk away,” Johle said. “They helped us renew and strengthen what we’d already built, and they recommended tools that made compliance more achievable, without pulling us away from our actual work.”
One weak link can sink a bid
CMMC success requires early action, sustained effort, and strategic support. With CMMC-required DoD contract solicitations expected to scale in 2025, the window for delay is closing fast.
“We’re already seeing large primes ask their subs for updated compliance scores,” says Johle. “We don’t want to be the bottleneck in a proposal. If we’re not certified, they move on, and we lose the work.”
That ripple effect across the defense supply chain is what makes CMMC different from previous cybersecurity initiatives.
“A single non-compliant subcontractor can jeopardize a prime’s entire bid,” adds Sciuto. “That’s why companies that procrastinate on CMMC are going to find themselves locked out. Not just of new opportunities, but potentially existing partnerships as well.”
It’s not just about passing an audit, either. CMMC requires sustaining compliance over time.
“CMMC isn’t a one-and-done event,” explains Sciuto. “You’re expected to maintain your controls continuously and be ready for reassessment every three years. If you don’t have a long-term plan — and the documentation to back it up — you’re setting yourself up to fail later, even if you pass the first time.”
For Protection Engineering Consultants, partnering with an RPO like SSE was strategic, not tactical. It wasn't just about quickly checking a box; it was about making smart decisions for the long-term success of the firm.
“The time and cost of certification are too high to risk doing it wrong,” says Sammarco. “Companies that understand what’s at stake will bring in an RPO. Because the truth is, you can’t afford to do this alone.”