What is the Government Shutdown’s Impact on CMMC?

Experts warn that a prolonged government shutdown could slow acquisition schedules and impact Cybersecurity Maturity Model Certification (CMMC) timelines for War Department contractors and program officers.

“We could see a potential delay of the broader rollout of certain CMMC requirements and new contracting opportunities,” Michael Gruden, a cybersecurity attorney and former Pentagon branch chief, told GovCIO Media & Research. “If certain employees [in the CMMC program office] are not working, then those programs are going to be delayed.”

The Pentagon finalized the main legal framework for the updated CMMC in September, but peripheral programs and contract releases may face delays, experts said.

CMMC 2.0 outlines the security controls for all three CMMC security levels, establishes processes for monitoring compliance and defines the roles in ensuring cybersecurity for the federal government, contractors and third parties.

The rule applies to all DOW contractors and subcontractors that “process, store or transmit federal contract information (FCI) or controlled unclassified information (CUI) on contractor information systems.”

The only excluded parties are those with contracts exclusively using commercial off-the-shelf items and contracts that do not exceed the micro-purchase threshold.

In its shutdown plans, the Pentagon said it would continue a wide range of operations, including “contracting, contract administration, contract payment (for contracts funded with prior year funds) or logistics operations in support of excepted activities.”

“The shutdown doesn’t affect CMMC directly,” Jacob Horne, chief security evangelist at Summit 7, told GovCIO Media & Research. “The regulation goes into effect Nov. 10, 2025, at which point requirements will show up in new solicitations and contracts.”

Gruden emphasized that the Pentagon completed much of the rulemaking around CMMC prior to the shutdown, leaving the potential length of the shutdown as the main hurdle to CMMC implementation across the DOD.

“Depending upon the time that the government is shut down and that acquisition schedules and plans are delayed,” said Gruden. “If this one stretches, it could change how requirements are issued.”

Horne echoed the sentiment, saying, “if the shutdown were to last that long and affect new contracts and solicitations, then CMMC would be affected like every other [Defense Federal Acquisition Regulation Supplement (DFARS)] clause.”

Horne added that CMMC would go into effect in November “whether the PMO is back at work or not.”

In some cases, the Pentagon may respond by accelerating contract releases. “We might see … requirements being released sort of simultaneously,” Gruden said. “Companies may see them appear more quickly or in greater volume.”

“We might see residual delay in terms of when they’re hitting industry and being publicized,” he added.

Subcontractors may face added pressure, he said, as prime contractors seek to secure their cyber supply chains.

“They’re being requested to even obtain certification sooner than primes,” Gruden said. “Primes are trying to determine who in their cyber supply chain is capable to perform and obtain the necessary CMMC requirement.”

The phased implementation of the DFARS rule remains on track, Gruden said, and a shorter shutdown will not affect the implementation.

“The clock is already ticking,” Gruden said. “There’s no further activity required of the government [to implement DFARS] … contingent upon a shutdown or funding.”