The Department of Defense published its final Cybersecurity Maturity Model Certification rule on October 15, 2024. The rule became effective December 16, 2024, establishing mandatory cybersecurity standards for contractors handling sensitive government information.
More than 337,000 prime contractors and subcontractors in the DoD supply chain are affected. Contractors unable to meet CMMC requirements will become ineligible for contract awards. Small businesses, subcontractors, foreign entities, and commercial product suppliers must all comply.
Margarita Howard, CEO and president of HX5, has been preparing for this shift. She sees heightened security standards not as a burden but as a competitive differentiator and a necessity for government contractors.
"We have already seen cybersecurity standards being enforced more across the board," Howard says. "There are heightened cybersecurity requirements, and contractors will not have a choice but to implement them if they want to be a government contractor."
Three Levels of Compliance
CMMC 2.0 establishes a three-tier framework based on information sensitivity. Level 1 applies to contractors handling Federal Contract Information. These contractors must implement 15 security controls enumerated in Federal Acquisition Regulation 52.204-21 and complete annual self-assessments.
Level 2 requires compliance with NIST 800-171 standards for Controlled Unclassified Information. Depending on the type of CUI, contractors may need a third-party assessment by a CMMC Third Party Assessor Organization or can perform self-assessments. The Pentagon estimates 8,350 medium and large entities will require Level 2 third-party assessments as contract award conditions.
Level 3 demands the highest protection for critical programs and high-value assets. Contractors must comply with both NIST 800-171 and NIST 800-172, then undergo review by DoD's Defense Industrial Base Cybersecurity Assessment Center.
The challenge: Only 4% of defense contractors currently meet minimum CMMC standards. The average Supplier Performance Risk System score across surveyed contractors sits at -12, far below the required 110 to meet CMMC standards.
Beyond DoD Requirements
While CMMC applies specifically to Defense Department contracts, Howard expects cybersecurity requirements to spread across federal agencies. Katie Arrington, performing the tasks of DoD Chief Information Officer, has stated that DoD seeks to "federalize" CMMC government-wide.
Federal agencies beyond the Pentagon already pursue enhanced cybersecurity capabilities. The 2025 National Defense Authorization Act includes Section 1532, mandating expansion of secure, high-performance computing infrastructure for federal defense agencies to support AI training and development.
"We try to stay ahead of those changing technologies, AI and cyber," Howard says. HX5 develops and uses AI tools internally while integrating AI into operations. The company, like most operating in the current defense and aerospace contracting environment, views early AI adoption as essential for survival.
And cybersecurity infrastructure must support AI implementation. As AI systems interact with classified data, contractors must ensure implementations meet federal security standards across all locations. For HX5, operating in over 20 states means cybersecurity investments multiply across numerous facilities.
The National Industrial Security Program Operating Manual governs how contractors handle classified information, with the Defense Counterintelligence and Security Agency overseeing compliance. Government approval is required before contractors can store or generate classified material on automated information systems.
Workforce Implications
Implementing robust cybersecurity requires specialized personnel. The shortage of cybersecurity professionals affects both government agencies and contractors, and the competition for qualified talent could intensify as more contractors seek CMMC compliance.
Howard addresses this through selective hiring and retention: HX5 prefers candidates with experience supporting NASA or the Department of Defense. "Experience in their respective fields, while supporting these agencies' respective programs and missions, is very different from experience gained working in the commercial world," she says.
The company emphasizes industry certifications and looks for people with deep regulatory knowledge. Many HX5 employees have remained with the company for over a decade. This retention provides stability during technological transitions and preserves institutional knowledge about security protocols and compliance requirements.
Preparing for Automated Compliance
Looking toward 2035, Margarita Howard anticipates fundamental changes in how the government evaluates contractor cybersecurity. She expects AI systems to monitor contractor networks continuously for threats. Automated responses might isolate breaches instantly. Government agencies may maintain real-time visibility into contractor security postures.
"Compliance protocols will be automated," Howard predicts. "Contractors will be required to integrate systems that provide continuous reporting and real-time audit capabilities."
This vision aligns with DoD's 2024 Defense Industrial Base Cybersecurity Strategy, which emphasizes routine evaluation of contractor CMMC compliance. The strategy notes that while DFARS specifies minimum cybersecurity requirements, the department must support efforts by contractors to exceed these requirements through risk-informed decisions.
And the Defense Counterintelligence and Security Agency's Defense Industrial Base Cybersecurity Assessment Center can audit contractors regardless of their reported CMMC status. If audit results differ from contractor-reported compliance, DoD relies on the audit and can update the Supplier Performance Risk System accordingly. Contractors could face contractual penalties for noncompliance.
The Competitive Advantage
Most contractors view CMMC as a compliance burden. Howard sees opportunity. Contractors unable or unwilling to invest in cybersecurity infrastructure will lose eligibility for federal work. This creates market consolidation favoring contractors with established security capabilities.
"We've invested heavily in technology infrastructure to meet these future demands," Howard says.
Contractors can’t wait until 2035 to develop capabilities, achieve certifications, or modernize operations. "If you don't embrace it, you're just going to be gone," she says.













