Defence contractors urged to act quickly as CMMC compliance looms
The Department of Defence's final 48 CFR rule requiring mandatory CMMC certification for contractors has cleared its last regulatory step and is now awaiting official publication.
The Office of Information and Regulatory Affairs (OIRA) approved the rule, which will soon appear in the Federal Register. Enforcement of the Cybersecurity Maturity Model Certification (CMMC) is anticipated to begin as early as October 2025, with phased implementation through 2028.
Certification urgency
Compliance platform Secureframe has warned that the rapidly approaching changes leave defence subcontractors with limited time to achieve CMMC 2.0 readiness, which could affect their ability to participate in future Department of Defence (DoD) contracts.
"CMMC compliance is no longer optional, and the final 48 CFR rule will make it enforceable law," said Shrav Mehta, CEO at Secureframe. "Subcontractors who delay certification risk being shut out of billions in defence work. Automation is the fastest, most reliable way to get compliant now and stay compliant over the life of the contract."
The new regulation requires nearly all new defence contracts to meet specific cybersecurity standards. The DoD aims to secure sensitive data across its supply chain, with both prime contractors and their subcontractors needing to demonstrate cybersecurity controls.
Changing requirements from primes
While the regulation has just passed the final approval stage, some of the major prime contractors are no longer waiting for the rule's publication to enforce compliance within their supply chains. Lockheed Martin, General Dynamics, and the Defence Logistics Agency have each begun requesting evidence of NIST SP 800-171 and CMMC 2.0 alignment from their suppliers. Subcontractors unable to show clear progress towards these standards are already being excluded from contract proposals.
This trend, combined with the new federal regulation, is expected to prompt a significant wave of compliance efforts across the defence industrial base in the coming months.
Steps for subcontractors
Secureframe has outlined several actions defence subcontractors can take immediately to meet the new requirements:
- Identify their required level: Level 1 for those handling only Federal Contract Information (FCI), involving 15 FAR requirements; Level 2 for those managing Controlled Unclassified Information (CUI), which necessitates full implementation of NIST 800-171.
- Close compliance gaps by completing gap analyses: POA&Ms (plans of action and milestones) are not permitted at Level 1 and will slow down assessments at Level 2.
- Keep supplier scores current by updating the Supplier Performance Risk System (SPRS) and any prime-specific portals to reflect their real-time posture.
- Engage certified third-party assessors early, as capacity to conduct assessments is limited and scheduling in advance increases the likelihood of timely certification.
- Automate readiness, using compliance automation tools to streamline evidence collection, policy creation, and continuous monitoring, thereby reducing both the cost and time involved in obtaining certification.
Adopting automation solutions
Demonstrating the impact of automation tools on compliance, defence subcontractor Manufacturing Consulting Concepts (MCC) recently completed a CMMC Level 2 assessment and cited significant time savings.
"Using Secureframe to get NIST 800-171 and CMMC compliant has saved us at least 500 hours over the past two years," said David Hoenisch, Lead Cybersecurity Engineer at MCC. "With Secureframe, I genuinely felt like we had a partner in the process. They were in it with us and they cared about our success."
Secureframe has launched what it calls Secureframe Federal, a platform intended to support subcontractors through the compliance process. Its features include automated evidence gathering, standard policy templates, continuous monitoring, and integration with accredited third-party assessors, aiming to maintain ongoing eligibility for defence projects as requirements change.
Looking ahead
With phased enforcement set to begin shortly, Secureframe continues to urge defence subcontractors to take prompt action and prepare for mandatory CMMC certification under the new federal rule.