
Pentagon’s CMMC Deadline Arrives Amid Government Shutdown


The Pentagon will enforce new cybersecurity requirements across the defense supply chain amid a federal shutdown.

The Pentagon is shown in 2023. Photo Credit: Air Force Staff Sgt. John Wright/Defense Department

Defense contractors are bracing for a major cybersecurity deadline that could reshape who gets to do business with the Pentagon.

On Nov. 10, the War Department will begin enforcing its Cybersecurity Maturity Model Certification (CMMC) 2.0 framework, marking the start of a three-year rollout aimed at strengthening cybersecurity across the defense supply chain.

The timing is complicated. With many government employees furloughed, contractors are hoping to get clarity on compliance and approval timelines for CMMC.

“The critical question about CMMC — and any other federal initiative related to cybersecurity — is whether these efforts will, in fact, make our national security enterprise more cyber secure,” Professional Services Council (PSC) Vice President of Defense and Intelligence Steve Harris told GovCIO Media & Research in an interview.

What the Nov. 10 Deadline Means for Contractors

Contracting officers will embed CMMC requirements — now codified into the Defense Federal Acquisition Regulation Supplement (DFARS) — into new solicitations and contract renewals. While full compliance isn’t expected until November 2028, Phase 1 focuses on Level 1 self-assessments and select Level 2 certifications.

For contractors handling Controlled Unclassified Information (CUI), certification will now be a prerequisite for doing business with the Pentagon.

DOW CISO Katie Arrington, one of the original architects of the CMMC program, has framed the shift as a cultural transformation.

“It’s a complete cultural shift. I want you to adapt the culture of zero trust, I want you to adapt the culture of cybersecurity,” she said at the UiPath Public Sector Summit in April.

Harris said that PSC members want scalable solutions and clearer guidance to ensure firms of all sizes can fulfill the Pentagon’s needs.

“A one-size-fits-all approach risks excluding valuable partners,” Harris said.

War Department Chief Defense Industrial Base Cybersecurity and Deputy CIO for Cybersecurity Stacy Bostjanick said earlier this year that many DIB firms are still falling short of basic compliance.

“We found 50% of companies failing to meet basic compliance, leading us to develop CMMC to validate that contractors were actively fulfilling their cybersecurity commitments,” Bostjanick said during the Zscaler Public Sector Summit 2025 in Washington, D.C., in March.

Shutdown Adds Uncertainty to Implementation

Ahead of the deadline, PSC members are weighing the costs and benefits of CMMC compliance. Harris said the cost, complexity and ambiguity surrounding CMMC continue to create barriers for small and mid-sized firms.

“We’re seeing real anxiety,” Harris said. “The cost of compliance is not matching reality. Many companies are finding that they need to invest significantly more than anticipated to meet the baseline requirements.”

He added that the limited number of Certified Third-Party Assessor Organizations (C3PAOs) — required for Level 2 and Level 3 certifications — has created a bottleneck. With the shutdown, those delays are only worsening.

“If companies have questions about CMMC requirements, shutdown-related furloughs and other workforce implications will make it difficult for those businesses to access federal government officials who can answer those questions,” he added.

According to Pentagon shutdown plans, most contracting and logistics operations supporting essential activities are expected to continue. But experts say extended disruptions could affect rollout schedules.

“The shutdown doesn’t affect CMMC directly,” Jacob Horne, chief security evangelist at Summit 7, told GovCIO Media & Research in a prior interview. “Depending upon the time that the government is shut down and that acquisition schedules and plans are delayed … if this one stretches, it could change how requirements are issued.”

Harris noted that delays in authorizing assessors could jeopardize contractor eligibility for upcoming solicitations. The Pentagon has tried to ease that transition by allowing conditional certification at Levels 2 and 3 through a 180-day Plan of Action and Milestones. But certain high-risk controls can’t be deferred, which reinforces the seriousness of the requirements.

“There has been some discussion about ways in which CMMC requirements will be incorporated into existing solicitations and contracts, specifically as the department has not issued any guidance or indicated incorporation through a modification,” Harris said.

Looking Ahead

The Nov. 10 deadline marks just the beginning of CMMC 2.0’s phased rollout. Arrington has previously said she expects the program to evolve in coming years to address emerging technologies like AI and quantum cryptography.

“I hope that we can change things in the future and use more AI tools in CMMC, that we use more large language modeling tools to help … ensure that you have the cyber culture,” Arrington said in May. “We’ll be able to streamline the audit much better, but we still need the requirements to be dynamic [enough for new tech].”

With new technology, the upcoming deadline and the shutdown, Harris said that firms will face tough decisions around pursuing certification.

“In light of costs, federal contractors — particularly in the supplier base — will need to make decisions about compliance and may choose to delay CMMC certification, choosing instead to retain their CMMC self-assessment for contracts requiring CMMC Level 1 or Level 2,” he said.
