Pentagon Begins Enforcing CMMC 2.0 Compliance, But Readiness Gaps Remain

An amendment to the Defense Federal Acquisition Regulation Supplement (DFARS) went into effect this Monday, officially mandating that all U.S. Department of Defense solicitations and contracts include requirements for CMMC 2.0.

Although the road to CMMC 2.0 has been six years in the making, significant readiness gaps persist across the defense industrial base. 

Experts and DoD contractors attribute these gaps to the cost of compliance, the program's controversial history, widespread misconceptions about what the rule change actually means, and the difficulty of proving compliance.

Controversy and Confusion
CMMC 2.0 is a three-tiered cybersecurity framework requiring defense contractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to implement security controls proportionate to the sensitivity of that data. Level 1 covers FCI and requires an annual self-assessment against the basic safeguarding requirements; Level 2 covers CUI and is assessed against the NIST SP 800-171 requirements, either by self-assessment or by a certified third-party assessment organization (C3PAO) depending on the contract; Level 3 applies to the most sensitive programs and adds a subset of NIST SP 800-172, assessed by the government. When bidding on new contracts, companies must now demonstrate that their networks, and those of their supply chains, meet the level specified in the solicitation.

The program was originally introduced in 2019 under the Trump Administration to ensure defense contractors safeguard the Department’s sensitive data from adversaries. However, the lengthy rule-making process and unclear messaging contributed to a “wait-and-see” mindset across portions of the industrial base.

Further complicating adoption, many contractors perceive CMMC as introducing new requirements. In fact, most of the controls already existed: the DFARS 252.204-7012 clause has required NIST SP 800-171 for CUI for years. What changed is the verification mechanism: contractors must now prove compliance before award rather than merely attest to it. As cybersecurity experts note, contractors have accepted and been paid under these requirements for years; the challenge now is demonstrating that the controls have been implemented and maintained.

Readiness Gaps
Earlier this year, a report by Redspin found that a significant portion of the defense industrial base did not feel prepared for CMMC’s implementation, with some companies admitting they hadn’t taken any action. Many firms are now racing to catch up for fear of losing contract opportunities.

For many companies the major hurdles aren’t purely technical: they revolve around processes, internal responsibilities, policies, documentation, and the capability to generate evidence of compliance. Contractors may have implemented controls but lack the required governance, procedures, and accountability mechanisms — and this can delay full compliance by many months.

The issue is compounded when vendors operate hybrid environments that blend local and cloud infrastructure, which may necessitate a full redesign of workflows and documentation to meet certification standards.

Incoming Changes and Impacts
As the Pentagon advances with the phased rollout of CMMC 2.0, uneven adoption among contractors could cause significant shifts in how the Department collaborates with its supplier network. Some companies will position themselves as “hyper-ready” and gain a competitive edge; others may fall behind. This could lead to supplier attrition, re-shoring of contracts, or diversification within the defense industrial base.

Failure to comply may not just mean losing contracts — it could open the door to bid protests, False Claims Act litigation, and other regulatory or legal exposure down the line.

How Risk Cognizance Can Help with CMMC Compliance and Readiness 

The compliance and readiness challenges posed by CMMC 2.0 map directly to the capabilities offered by Risk Cognizance. The platform can help defense contractors close readiness gaps and maintain continuous compliance by providing:

  • Automated control mapping and gap analysis: Aligns CMMC requirements with NIST and DFARS controls, identifying and tracking remediation needs.
  • Continuous monitoring and evidence collection: Automates documentation and proof of compliance, easing audit readiness.
  • Hybrid IT and supply chain visibility: Supports compliance tracking across both on-premises and cloud environments, and throughout multi-tiered supply chains.
  • Vendor and third-party risk management: Simplifies assessment and oversight of subcontractor compliance — a critical component of CMMC.
  • Centralized dashboards and reporting: Provides clear, real-time visibility for executives, PMs, and auditors to communicate compliance posture effectively.

By integrating these capabilities, Risk Cognizance enables defense contractors to proactively achieve and sustain CMMC 2.0 readiness — reducing risk, avoiding costly delays, and strengthening their competitive position within the Defense Industrial Base.
