In September 2025, the Department of War released the final ruling for the Cybersecurity Maturity Model Certification (CMMC) program, with rules taking effect in November. For manufacturers working with the DoW, these changes go beyond policy, they determine whether your company can qualify for future contracts and how sensitive government data must be handled.
| “Many companies underestimate how quickly these new rules will impact their contracts,” says Hunter Roark, Vice President of Technology at Cantey Tech Consulting. “Even small gaps in cybersecurity practices or documentation can prevent a contractor from qualifying for a project. Preparing now isn’t just smart—it’s essential for staying in the running for future Department of War work.” |
The 2025 ruling differs from earlier versions in a key way: compliance must be achieved before work on a contract begins. Any gaps in cybersecurity measures, missing documentation, or delayed updates can directly impact eligibility. This blog explains the ruling, outlines the certification levels, and provides actionable guidance so manufacturers can prepare now.
Understanding the 2025 Ruling
The CMMC Final Ruling establishes a clear framework for cybersecurity compliance across the defense supply chain. The three certification levels remain, but enforcement is stricter and timelines are clearer:
- Level 1 – Foundational: Basic practices, verified annually through self-assessment.
- Level 2 – Advanced: Requires a third-party assessment every three years, with annual affirmations.
- Level 3 – Expert: For high-security environments, requiring direct evaluation by the DoW.
Additionally, contractors must report progress through the Supplier Performance Risk System (SPRS). Any security gaps must be closed within 180 days, or companies risk losing eligibility for contracts.
What is CMMC Compliance?
CMMC compliance means adhering to DoW cybersecurity requirements to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Compliance involves:
- Implementing NIST SP 800-171 and 800-172 security controls based on your certification level.
- Documenting policies, procedures, and training.
- Conducting regular audits and monitoring systems to maintain security.
- Submitting progress and assessments in SPRS to remain eligible for DoW contracts.
In short, it’s not just about passing an audit, it’s about continuous cybersecurity governance across your organization.
How CMMC Compliance Protects Defense Manufacturers’ Contracts
For manufacturers working in the defense sector or acting as a subcontractor for a prime with defense contractor documented CMMC requirements, cybersecurity compliance is now a business requirement, not just an IT task. Beyond protecting sensitive information, compliance ensures your company:
- Remains eligible for new and ongoing DoW contracts.
- Demonstrates reliability to prime contractors and supply chain partners.
- Reduces the risk of cyber incidents affecting operations and reputation.
Early preparation is particularly important for smaller manufacturers. Many prime contractors now require proof of CMMC compliance before even entering into subcontract agreements. Being proactive can prevent costly delays or lost opportunities.
Which Contractors Must Meet CMMC Standards
CMMC compliance applies to:
- Companies handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) under DoW contracts.
- Subcontractors supporting prime contractors.
- International manufacturers accessing or processing U.S. government data.
Exemptions are rare, mostly limited to companies providing commercial off-the-shelf products with no exposure to sensitive data.
Immediate Steps to Achieve CMMC Compliance
| Action | Description / Tip |
| Submit SPRS Self-Assessment | Ensure your self-assessment scores are submitted to the Supplier Performance Risk System (SPRS) to maintain contract eligibility. |
| Confirm Applicable CMMC Level | Identify which CMMC level applies to your current and upcoming contracts so you know the certification requirements. |
| Determine Certification Path | Check whether your company needs third-party certification (C3PAO) or a direct DoW assessment. |
| Update NIST SP 800-171 Controls | Keep your NIST cybersecurity controls current and aligned with CMMC requirements. |
| Audit Systems for Gaps | Conduct a thorough audit of your IT systems, policies, and procedures to identify and remediate vulnerabilities. |
| Leverage Project Spectrum | Use DoW resources such as webinars, training, and free assessments for Levels 1 and 2 to improve readiness. |
| More articles you might like: |
How Cantey Tech Helps Companies Meet CMMC Compliance
Meeting CMMC requirements can feel overwhelming, but Cantey Tech works with contractors to make compliance practical and achievable within your business and budget parameters.
Here’s how we support our clients:
- Assess Readiness Quickly: We evaluate your current cybersecurity controls and documentation to pinpoint gaps that could delay certification.
- Develop Actionable Plans: Our team creates step-by-step remediation strategies with clear timelines, helping you meet CMMC requirements efficiently.
- Support During Certification: Whether you need a third-party audit or guidance for DoW evaluation, we ensure your processes and evidence are fully prepared.
- Maintain Long-Term Compliance: We provide ongoing guidance and monitoring so your cybersecurity practices stay up to date, reducing risk and keeping your contracts secure.
By working with Cantey Tech, companies don’t just achieve compliance, they gain confidence that their systems, policies, and documentation meet DoW standards. This proactive approach minimizes surprises, avoids delays, and strengthens your position in the defense supply chain.
Contact us to get started on your CMMC readiness journey.
| Discover Trusted Cybersecurity Services Near You |