Have you received an email claiming that CMMC is now law and that you can no longer wait to meet its cybersecurity requirements? The FuzeHub team received an email like this recently, so we asked Paul LaPorte of the Advanced Institute for Manufacturing (AIM) to help us separate fact from fiction.
Paul is the Cybersecurity Coordinator for AIM, the New York Manufacturing Extension Partnership (NY MEP) Center for Mohawk Valley, and he’s helped many small-to-medium manufacturers over the years. AIM’s priority cluster is cybersecurity, and this NY MEP Center delivers customized programs, on-site risk assessments, and training to protect businesses from cyber threats.
What is CMMC?
Cybersecurity Maturity Model Certification (CMMC) is a framework that provides a unified standard for cybersecurity controls and processes across the U.S. Department of Defense (DoD) supply chain. CMMC 2.0, the current version, has three compliance levels and is aligned with established frameworks from the National Institute of Standards and Technology (NIST).
Manufacturers can determine which CMMC level they need to meet by checking their contracts. This level (1, 2, 3) is largely a function of the sensitivity of the data that’s handled. Level 1 applies to companies that handle basic Federal Contract Information (FCI), and Level 2 applies to companies that handle Controlled Unclassified Information (CUI). Level 3 is for highly sensitive CUI.
Relatively few defense contractors need to achieve Level 3 CMMC certification. Most (62%) need to achieve Level 1, and a smaller number (35%) need to achieve Level 2. That’s worth remembering because Level 1 requires only a self-assessment, while Level 2 requires implementing the NIST SP 800-171 controls and, for most contracts, an external assessment for validation. A Level 2 certification is valid for three years, so the external assessment is repeated once every three years; the Level 1 self-assessment is repeated annually.
Is CMMC Now Law?
Emails like the one that FuzeHub received claim that “CMMC is now law” because the final acquisition rule was published in the Federal Register on September 10, 2025, and there were fewer than 60 days before the rule went into effect on November 10, 2025. Publishing a rule in the U.S. Federal Register isn’t the same as passing a piece of legislation, but the semantics are less important than the requirements.
As Paul LaPorte explained, the final CMMC rule was indeed approved and its requirements will begin rolling out this November. This is a gradual roll-out, however, and it will happen over a four-year period. In other words, not every company that holds a contract with CMMC requirements will face a “you can no longer wait” moment on November 10, 2025, when the final CMMC rule goes into effect.
Who is Affected and When?
Here are the numbers of companies that will be affected during each of the next four years, according to LaPorte.
- Year 1: 1,104
- Year 2: 5,565
- Year 3: 18,554
- Year 4: 229,818
As you can see, not every company that holds a contract with CMMC requirements risks losing that contract on November 10, 2025. It’s also important to note that there’s a difference between existing contracts and new contracts. As most business owners know, one party to an existing contract cannot unilaterally change its terms and conditions.
How Will DoD Treat New Contracts vs. Existing Contracts?
The email that FuzeHub received stated that from November 10, 2025, forward, “all new DoD solicitations and contracts will include some level of CMMC requirements as a condition of contract award.” When we asked Paul LaPorte if this statement was accurate, he explained that there may be a difference in how DoD treats renewals of existing contracts vs. brand-new contracts.
“We don’t know how many new contracts there are,” he added before noting that the four-year rollout “gives a lot of time for the rule to be adjusted if things aren’t going well.” The CMMC program has already experienced several delays and changes since its initial announcement in 2019, and the initial CMMC 1.0 version underwent a major revision in 2021.
What Do Holders of Existing Contracts Need to Do?
If your company holds a contract with a CMMC requirement, LaPorte recommends checking the contract’s expiration date. If this contract is up for renewal next year, now is the time to get started on your cybersecurity journey. “If you are not currently handling documents marked as CUI, then it is more likely that you will be required to obtain Level 1 Certification,” LaPorte says, adding, “While we don’t know the certification levels that are included in these rollout numbers, I would suspect that they are going to prioritize Level 1 certification for the first couple of years.”
That’s good news for most contract holders because Level 1 is what LaPorte calls a “much lower bar” and “you don’t need to be an auditor” to perform an annual self-assessment. He also notes that there are only 66 certified Level 2 auditors in the world, and that this could create a certification bottleneck among the 229,000+ companies that are part of the defense industrial base.
What if You Want to Become a Defense Contractor?
Companies that aren’t part of the DoD supply chain but want to bid on defense contracts can also act now. As LaPorte notes, it’s unclear whether companies that lack a CMMC certification will be ineligible to submit bids. In fact, it could be the case that companies are allowed to bid if they obtain a CMMC certification in a certain amount of time.
LaPorte also advises companies against seeking a higher level of certification than they really need. There’s a cost to hiring a CMMC Third-Party Assessment Organization (C3PAO), so beginning with a Level 1 self-assessment is a more affordable (and easier) place to start. Later, and if it’s necessary, pursuing a Level 2 CMMC certification is an option.
Where Can Small-to-Medium Manufacturers Learn More?
Small-to-medium manufacturers with existing contracts can ask their contracting agents for more information about the final CMMC rule. As LaPorte explains, many Tier 1 suppliers have secure portals that support these communications. NY MEP can also provide resources and information to existing contract holders and companies that want to enter the DoD supply chain.
To get started, contact your local NY MEP center. There are 10 regional centers and one statewide center, FuzeHub. If you don’t know your regional NY MEP center, submit a request for assistance to FuzeHub. A member of our Manufacturers Solutions Program will respond within 24 to 48 hours, or on the next business day.