Read on grclab.com | Read time: 3 minutes

Welcome to GRC Lab, a weekly newsletter where we provide actionable advice to help you launch, grow and accelerate your career in Governance, Risk and Compliance.

P.S. You can find free tutorials on our YouTube Channel.

Inside this Edition

Here’s what we’ve got for you today:

  • Learn about the fundamentals of CMMC, how it works and who is affected by it.

  • NIST releases updated guidelines on media sanitization.

GRC Spotlight

NIST Releases Updated Guidelines on Media Sanitization

NIST has released SP 800-88r2, an updated guide to media sanitization, i.e. the process of rendering data on storage media irretrievable before the media is disposed of or reused. The revision shifts the focus from hands-on sanitization techniques toward establishing an enterprise-wide media sanitization program that protects sensitive information during disposal or reuse.

You can find the updated guidance here.

This week, I’m thrilled to welcome Jacob Hill, Director of Cybersecurity at Summit 7, as a guest author.

Some of you might remember Jacob from his GRC Academy Podcast, which was the very first podcast I was invited to join. He’s an excellent educator, and I’m very happy that he has agreed to write this guest edition of GRC Lab.

In the article below, Jacob shares his insights on CMMC and its impact on organizations today.

After so many years of waiting, CMMC is finally here!

The United States Department of War (DoW) released the Cybersecurity Maturity Model Certification (CMMC) final acquisition rule on August 15, 2025, and it becomes effective on November 10, 2025.

Let’s dive into what CMMC is and what happens next!

How did we get here?

Foreign adversaries have been compromising DoW contractor networks and stealing information about critical DoW programs for years.

The department responded by creating contractual clauses focused on the implementation of the NIST SP 800-171 security requirements. NIST 800-171 defines the controls necessary to protect Controlled Unclassified Information (CUI) on non-federal systems.

DFARS 252.204-7012 required contractors to:

  • Implement NIST 800-171 no later than December 31, 2017

  • Report cyber incidents within 72 hours

  • Use only cloud service providers that meet the FedRAMP Moderate baseline or an “equivalent” level of security when those providers store, process or transmit CUI

The DoW soon discovered that contractors were still not implementing the security controls, so it created the solicitation provision DFARS 252.204-7019 and the contract clause DFARS 252.204-7020.

DFARS 252.204-7019 requires the contractor to have a current NIST 800-171 self-assessment score posted in the Supplier Performance Risk System (SPRS) to be eligible for contract award.

DFARS 252.204-7020 requires the contractor to give the government access to its facilities, systems and personnel so that the DoW (through DIBCAC) can perform its own Medium or High assessments of the contractor’s covered systems.

The government has been assessing contractor networks for years under DFARS 7020, and contractors have continued to demonstrate that self-attestation of cyber compliance does not work.

How does CMMC fit into the picture?

CMMC has three levels, and the requirements vary per level:

CMMC Level 1

  • Implement 15 controls

  • Required for contracts with only Federal Contract Information (FCI) (no CUI)

  • The contractor performs an annual self-assessment – no 3rd-party assessment is required

CMMC Level 2

  • Implement the 110 NIST 800-171 controls

  • Required for contracts with CUI

  • Many contracts will require a CMMC Level 2 certification via a 3rd-party assessment by a C3PAO; some will allow a Level 2 self-assessment

CMMC Level 3

  • Implement 24 additional enhanced security controls drawn from NIST SP 800-172

  • Required for DoW’s most critical CUI programs

  • All contracts will require a 3rd-party assessment by DIBCAC resulting in CMMC certification

    • CMMC level 2 certification is a prerequisite

Contracts and solicitations will require compliance or certification at a specific CMMC level, and the government will not award a contract to a company that isn’t compliant.

The acquisition rule modifies the contract clause DFARS 252.204-7021, which is the clause that will require either CMMC compliance (self-assessment) or CMMC certification at the specified level.

It is estimated that there are between 80,000 and 300,000 companies in the Defense Industrial Base (DIB). It is impossible for the government to assess that number of companies itself.

CMMC expands the capacity to perform independent assessments and establishes an ecosystem of independent assessors called CMMC Third-Party Assessor Organizations (C3PAOs).

From the beginning, the DoW has been focused on protecting their information. Similar to health data in a HIPAA context, or PII in a privacy law context, FCI and CUI are the regulated information that is in scope.

In less than 5 minutes, the Summit 7 Pathfinder Tool shows you:

  • Where you currently stand on CMMC compliance

  • The exact steps to move forward with confidence

  • How to communicate the value and game plan to leadership

👉 Get CMMC Confident - take the quiz and get your tailored roadmap today.

What’s next?

CMMC certification assessments have been occurring since the CMMC final program rule (32 CFR Part 170) became effective back in December 2024. When the CMMC acquisition rule becomes effective in November 2025, the CMMC phase-in begins.

The CMMC timeline

Each phase of the CMMC rollout introduces progressively higher certification requirements, ultimately leading to full implementation by phase 4. Here’s a breakdown of the timeline:

Phase 1: Initial Requirements

  • Start Date: November 10, 2025

  • Requirements: contractors handling FCI or CUI will need to self-assess that they meet CMMC Level 1 (FCI only) or CMMC Level 2 (CUI) to qualify for applicable DoW contracts.

  • Optional: The DoW may require CMMC level 2 certification for specific contracts or option periods.

Phase 2: CMMC Level 2 Third-Party Assessments

  • Start Date: November 2026

  • Requirements: DoW will begin requiring CMMC Level 2 certification (C3PAO assessment) as a condition of award for applicable contracts, with the flexibility to defer the requirement to an option period.

  • Optional: The DoW may begin to include CMMC level 3 certification requirements for contracts with higher security needs.

Phase 3: CMMC Level 3 Third-Party Assessments

  • Start Date: November 2027

  • Requirements: Both CMMC level 2 and CMMC level 3 certification will be required as conditions for new contracts and option periods.

  • Optional: The DoW may delay CMMC level 3 requirements to option periods for some contracts.

Phase 4: Full Implementation

  • Start Date: November 2028

  • Requirements: At this final phase, CMMC requirements will apply to all applicable contracts, including those awarded prior to Phase 4.

What contractors should do now

If your company hasn’t started working on NIST 800-171 and CMMC compliance, it is time to dive in before it is too late!

Large primes are applying more pressure on their subcontractors to become certified, because the prime is responsible for flowing the CMMC requirement down to every subcontractor that handles FCI or CUI – at all tiers.

Becoming CMMC certified early in the phase-in period will be a competitive advantage, but over time it will simply become “the norm.”

Here are a few steps you should prioritize right now:

1. Determine Your Certification Level

Identify which CMMC level your organization needs based on the type of information you handle.

This step determines the type of assessment and the resources you will need. Plan ahead and think about the contracts you want to go after in the next three years: CMMC Level 1 will be limiting, because it only qualifies you for contracts that involve FCI and no CUI.

2. To insource or outsource?

Does your team have the technical and cybersecurity skills to address the security controls?

If not, consider hiring a Managed Service Provider (MSP) like Summit 7 to manage your IT environment. Most MSPs are not focused on CMMC and unfortunately will be the cause of many failed CMMC assessments, so choosing the right MSP is critical!

3. Begin preparing ASAP

Estimates on how long it takes to go from 0% to 100% CMMC compliance range from 6 – 18 months. The duration varies based on the size and complexity of your organization and systems.

4. Engage with a C3PAO Early

If CMMC certification is in your future, reserve your assessment slot with a C3PAO as soon as you can. Accredited C3PAOs are listed on the Cyber AB Marketplace. There are only 82 C3PAOs as of the time of this writing, and many of them are already booked into 2026.

5. Develop an Ongoing Compliance Strategy

CMMC certification is not a one-time event: a senior official must submit an annual affirmation of continued compliance in SPRS, and a Level 2 certification is valid for three years before reassessment. Set up regular control reviews and training to ensure ongoing compliance.

Resources

CMMC may seem overwhelming. I remember encountering this firsthand when I began to research NIST 800-171 for my company many years ago. The good news is there are now excellent resources to help get you started quickly.

In addition to being the premier MSP for DoW contractors, we at Summit 7 offer a ton of free education on LinkedIn and our YouTube channel! We also offer a free CMMC pathfinder tool that helps you know where you are with CMMC and what to do next!

After learning from Summit 7’s content for so many years, it’s amazing to be part of the Summit 7 team!

Closing Thoughts

NIST 800-171 is the US federal standard to protect CUI.

Soon there will be a contractual clause in the FAR requiring the implementation of NIST 800-171 for federal (non-DoW) contracts. If you want to support the federal government, you will not be able to get away from these security controls.

For the sake of our nation’s security and your business’s survival, the time to comply is now.

Test your Knowledge

Today’s question is from the CRISC curriculum:

At which stage of the SDLC are system vulnerabilities MOST likely to be discovered?

A) Planning
B) Development
C) Testing
D) Deployment

👉 Think you know the answer? Scroll down for the solution!

Answer: The correct answer is C.

A) Planning focuses on defining the project but not on discovering vulnerabilities.
B) Development involves building the system; vulnerabilities are often introduced here, but this is not the phase in which they are most likely to be discovered.
C) Testing is where systems are rigorously evaluated for weaknesses, making it the most likely phase for discovering vulnerabilities.
D) By the time of deployment, it’s generally too late for vulnerability discovery to be most effective.
