DoD Secretary Hegseth Draws A Line: Cybersecurity No Longer Optional

On July 18, 2025, Secretary Pete Hegseth drew a line, declaring that the days of box checking are over and that real cybersecurity in the defense supply chain is now non‑negotiable.
When Secretary of Defense Pete Hegseth talks about strengthening America’s military edge, he does not just mean more ships or jets. He also means securing the digital backbone that makes them work. On July 18, 2025, Hegseth issued a DoD memorandum titled “Enhancing Security Protocols for the Department of Defense” ordering a comprehensive review of all IT and cloud capabilities to protect against supply chain threats from adversaries such as China and Russia. He explicitly directed Katie Arrington, the DoD CIO, to leverage CMMC as a key mechanism for fortifying the Defense Industrial Base. The memorandum required implementing guidance within 15 days and empowered the undersecretary for intelligence and security to audit personnel and insider threat programs of DIB vendors. Hegseth stated “The DoD will not procure any hardware or software susceptible to adversarial foreign influence…” and declared that CMMC must be central to this effort.
That memo came just as CMMC’s formal regulatory framework was finalized. CMMC is no longer optional for companies and contractors who handle Controlled Unclassified Information or Federal Contract Information. The final rule was drafted in 2024 and submitted to OIRA on July 22, 2025. Once approved and published in the Federal Register, it will take effect and trigger Phase 1 implementation. By October 1, 2025, most new Department of Defense contracts will require CMMC. After October 31, 2026, certification will not just be a best practice. It will be the price of admission to the defense market, which is expected to reach $320.86 billion in 2025.
What Is CMMC
CMMC stands for Cybersecurity Maturity Model Certification. It is the framework the Department of Defense created to ensure that every company doing work for the Pentagon, from aerospace giants to small parts suppliers, has cybersecurity practices “up to the task” of defending against cyber intrusions, according to defense.gov.
In plain terms, CMMC requires defense contractors and their subcontractors to implement specified security controls and prove compliance through formal certification. This is not a paperwork drill. It is about safeguarding sensitive unclassified data like contract details and technical drawings that adversaries, including nation‑state hackers, would love to steal.
Under the current CMMC 2.0 version, there are three certification levels, down from five in the original model. Level 1 covers basic cybersecurity for companies handling only Federal Contract Information. Level 2 is for contractors with Controlled Unclassified Information and aligns with all 110 security requirements of NIST SP 800‑171. Level 3 is for the most critical national security programs.
The vast majority of the more than 220,000 companies in the Defense Industrial Base will fall under Level 1 or 2. Level 1 can be achieved via annual self‑assessments, but Level 2 requires a third‑party audit for most contracts handling Controlled Unclassified Information. Self‑attested “good enough” security is no longer good enough.
How CMMC Came About
CMMC was born from hard lessons. For years the Pentagon relied on an honor system that allowed contractors to self‑attest that they followed required cybersecurity rules. Too many companies checked the box without truly being secure.
The results were devastating. “Massive data breaches, intellectual property theft, and nation‑state cyber intrusions that cost billions and compromised national security,” is how one Department of Defense CMMC leader described the fallout, according to Coalfire Federal.
A 2023 Department of Defense Inspector General audit found that eight out of ten contractors reviewed had failed to implement all required security controls from NIST 800‑171. These were the very controls meant to protect critical data.
Meanwhile, Department of Defense networks face millions of intrusion attempts every day, many by state‑sponsored actors. The Department knew voluntary compliance was not working.
Enter Katie Arrington, a former state legislator turned Pentagon cybersecurity official who became the chief architect and evangelist of CMMC. Arrington bluntly voiced the new reality: “If you want to work with the Department of Defense, you have to prove you can protect our data. Period.”
CMMC was first rolled out in 2019 and 2020 with five levels. It encountered delays and was overhauled in 2021 to simplify to three levels, but its core mission never changed. Upon returning to the Department in 2025, Arrington emphasized, “The CMMC is going to stay in place. There’s no question about that.”
The Pentagon had drawn a line. Cybersecurity is no longer an optional add‑on to defense contracting.
CMMC Becomes Mandatory
After years of planning and speculation, CMMC is moving full speed ahead and compliance is now mandatory for defense contractors.
On July 22, 2025, the Department of Defense submitted the final rule to amend Title 48 of the Code of Federal Regulations to the Office of Information and Regulatory Affairs for review. Once approved and published in the Federal Register, the rule will go into effect shortly after. At that point, CMMC requirements can begin appearing in new contracts through a Defense Federal Acquisition Regulation Supplement, known as DFARS clause 252.204-7021. This marks the formal start of Phase 1, where contractors must attest to full implementation of the 110 controls in NIST SP 800-171, which govern how to protect Controlled Unclassified Information. Third-party certification will follow in Phase 2, expected approximately one year later.
These requirements will phase in quickly. “On or after October 1, 2025,” nearly all new Department of Defense solicitations and contracts will include CMMC requirements. By the start of fiscal year 2026, CMMC will be written into almost every new RFP and contract. Until now, only some contracts included CMMC as a pilot or optional requirement. By October 2025, it will flip from niche to nearly universal.
Phase 1 will begin once the updated CMMC rule is published and DFARS 252.204-7021 begins appearing in new contracts. If a contract includes CMMC Level 2 compliance, your organization must already be fully compliant with all 110 NIST SP 800‑171 controls at the time of award. Self-attestation is allowed in this phase, but only if all requirements are met. Partial scores and open plans to improve later will not be accepted.
Third-party certification will be required in Phase 2, which is expected to begin approximately one year later. By October 31, 2026, all contractors are expected to be fully certified to continue competing in most defense contracts. While existing contracts may continue to run their course, new awards and option renewals are expected to require certification. For most of the defense industrial base, this date marks the end of the runway.
The consequences are severe. A 2022 Government Accountability Office report estimated that if CMMC Level 2 standards were enforced immediately, more than 50 percent of the Defense Industrial Base would be ineligible for new Department of Defense contracts because they lacked the required security practices. That hypothetical scenario is now becoming real. Companies that delay certification will lose the ability to compete for Defense Department business.
The Pentagon has even suggested legal ramifications for misrepresentation, citing the False Claims Act for egregious cases. But the primary risk is business driven. No certificate means no contract. Even worse, if you suffer a breach, your reputation is on the line, your contracts are in jeopardy, and likely your entire business. CMMC is not just about compliance. It is about building real security.
Big Primes And Small Suppliers
CMMC applies across the entire supply chain. The largest prime contractors, midsize firms and the smallest subcontractors must all comply.
This universality is by design. A chain is only as strong as its weakest link. A 50-person supplier with poor security can be the entry point that lets hackers steal fighter jet blueprints from a major defense contractor. We have seen this story before. The 2020 SolarWinds compromise showed how one software provider’s lapse gave adversaries a back door into federal agencies and Fortune 500 companies. In 2021 the Kaseya attack on a managed services provider rippled through hundreds of downstream businesses. These incidents underscore the reality that a single weak link can become a national security risk.
Prime contractors are already writing CMMC into their subcontracts. Many are refusing to work with partners who lack certification. Some solicitations now explicitly state that subcontractors must hold a current CMMC 2.0 certification to be eligible.
Small and mid‑sized suppliers cannot assume they will fly under the radar. Their larger customers will demand proof of compliance or find someone else who can provide it.
For government buyers, CMMC is also a game‑changer. Acquisition officials are incorporating CMMC into RFPs and evaluating bids with cybersecurity weighted alongside cost, schedule and performance. Contractors that are not certified will not even make it to the selection table.
The message from the top could not be clearer. The Defense Department has stated that these cybersecurity requirements “must be in place before companies can bid on defense contracts,” according to defense.gov.
Many primes are not waiting for the final rule. Subcontractors are already being asked whether they have scheduled their assessment with a CMMC Third Party Assessment Organization. The window to prepare is closing.
How To Prepare Now
For executives and business owners in the defense sector, the question is simple. What do we do now?
- Make Cybersecurity A Leadership Priority. Treat CMMC compliance as a mission‑critical project, not just an IT problem. Dedicate budget and resources and make sure the board and executives understand that losing Department of Defense contracts is a real risk.
- Understand Your Data. Identify what Controlled Unclassified Information and Federal Contract Information you handle and where it resides. Map out who touches that data and scope exactly which systems, networks and people will fall under the CMMC assessment boundary.
- Conduct A Gap Assessment. CMMC is not just one control. It is a structured framework of more than 100 controls mapped to NIST SP 800‑171. Understanding which ones you meet and which you do not is essential. Bring in an experienced team to benchmark your current practices against the standard.
- Work With Experienced Guides. CMMC is complicated. The requirements are technical, the documentation is rigorous and the stakes are high. Partners who have engaged with CMMC since its inception understand the evolving rules, the audit processes and how to navigate certification efficiently. Working with seasoned experts who have guided other firms successfully through assessments, implementation and ongoing management can mean the difference between passing and failing now and in the future. Look for those who can not only get you ready, but also manage your infrastructure to keep you compliant 24x7x365 for years to come. CMMC is not for the faint of heart.
- Remediate Issues. Work with your CMMC partner to close the gaps identified. Update policies, deploy new tools, train employees and prepare your System Security Plan and Plan of Action and Milestones.
- Engage An Assessor Early. For Level 2 certification, line up a CMMC Third Party Assessment Organization well before the rush. Schedules are already filling for 2025 and 2026. If you choose to work with an experienced CMMC guide, they will likely have trusted recommendations on which assessors are credible, efficient and understand how to get companies across the finish line, and which ones do not.
- Secure Your Supply Chain. Flow down the requirement. Demand compliance proof from your vendors and subcontractors.
- Maintain Compliance. CMMC is not a one‑and‑done checkbox. Certification lasts three years, but annual self‑assessments and ongoing monitoring will be required.
The Days Of Box Checking Are Over
For defense contractors, complying with CMMC is both a challenge and an opportunity. Those who invest in cybersecurity will gain trust and future business. Those who do not will find themselves locked out of the defense market.
Secretary Hegseth summed up both the Pentagon’s and the Trump administration’s stance bluntly: “The days of box checking are over. This is about protecting the nation’s data and holding every contractor to that standard.”
October 2025, when CMMC requirements hit most new contracts, is almost here. By October 2026 there will be no exceptions.
CMMC is not a hoop to jump through. It is the new standard for doing business. For every company in the Defense Industrial Base the choice is clear. Prove you can protect the nation’s data or watch those contracts go to someone else who can.