Is CMMC Going Away? What the DoD Is Actually Saying

Written by Summit 7 Leadership | Jul 2, 2025 4:44:39 PM

Rumors abound in the defense industry about the fate of the Cybersecurity Maturity Model Certification (CMMC) program. Some suggest the Department of Defense might cancel it or delay it. However, recent statements from top DoD officials provide a much clearer picture. Below, we break down what the DoD is actually saying about CMMC’s future, addressing the key questions on industry minds.  

Is DoD Going to Kill CMMC?

A recurring question across the Defense Industrial Base (DIB) is whether the Department of Defense (DoD) might cancel or abandon the Cybersecurity Maturity Model Certification (CMMC) program. Some speculate that changes in administration, executive orders, or industry resistance could lead to the program being halted. 

However, the DoD has consistently and publicly stated that CMMC is not going away. James Gillooley, IT Management Specialist for the DoD and official with the CMMC PMO, made this clear at CS2 Reston: 

“You've had these requirements since 2017. CMMC is an operational reality…The DOD keeps saying it. It's not going away. This administration is not going to kill it…So be prepared: implement NIST SP 800-171 and get your assessments as soon as possible. And don't count on a self-assessment.” 

This position is echoed by Katie Arrington, currently performing the duties of DoD CIO and one of the original architects of the CMMC framework. During her keynote at TechNet Cyber in May 2025, she stated: 

“Heard about that thing called CMMC? Yeah, it’s happening. So knock it off. If the industry doesn’t understand it’s happening, I don’t know what more of a statement the president could have made than putting me in the position he put me into.” 

The legal basis for CMMC further reinforces this continuity. CMMC is mandated under Section 1648 of the FY20 National Defense Authorization Act (NDAA), which required the creation of a cybersecurity framework for the defense supply chain. That statute gave rise to the 32 CFR rule, which formally codifies CMMC as DoD policy. The final 32 CFR rule was published in October 2024 and is now a binding federal regulation. 
 
But What About Executive Orders? 

Recent executive orders concerning cybersecurity—such as those modifying EO 14144 or 13694—do not repeal statutes or override existing regulations like 32 CFR. Executive orders operate within statutory authority but do not eliminate congressionally mandated programs. Despite online speculation and internal confusion within companies, no executive order has impacted the legal standing of CMMC. 

At this stage, reversing the CMMC rule would require congressional action. Congress would either need to repeal Section 1648 of the FY20 NDAA or issue a resolution of disapproval under the Congressional Review Act (CRA). The CRA process involves a defined window based on active legislative days, and by June 2025, that window had closed. There is no public indication that Congress is pursuing any effort to repeal or replace the underlying statute or regulation. 

In short, the program cannot be paused indefinitely by executive fiat, nor is there any procedural pathway currently active to reverse it. CMMC remains in effect, and preparations for its contractual enforcement are ongoing within the DoD.  
 
CMMC is not going away.  
 
The DoD isn’t going to kill it. No executive order is going to kill it. DOGE isn’t going to kill it.  
 
CMMC is a statutory mandate, backed by regulation, and already in effect.

Is CMMC Going to Be Delayed? 

Another common question is whether CMMC will face more delays before it truly takes effect. It’s true that CMMC’s rollout has seen several shifts and postponements in the past. The program was initially unveiled in 2019–2020, then underwent a revamp to “CMMC 2.0” in late 2021, which introduced a lengthy rulemaking process. These steps, combined with changes in administration, created uncertainty about the timeline.

Indeed, some defense contractors have taken a wait-and-see approach, assuming further delays. Cole French, a CMMC assessment lead at Kratos Defense, observed that hesitancy in the industry is largely due to CMMC’s history of postponements: “the delays that have hampered the CMMC program for quite some time… I think there’s a belief that those are going to continue.” According to French, many still believe CMMC “is not going to come to fruition, or somehow… there’s going to be another set of delays.” This belief has led some companies to hold off on serious preparations. 

However, current DoD officials are working to dispel the notion that CMMC will slip indefinitely. Yes, there have been recent administrative speed bumps – notably, an early 2025 regulatory freeze (via executive order) paused progress on finalizing the CMMC rule for a short period. But Gillooley explained that the Pentagon is actively working through that issue: the department’s goal is to get the final CMMC rule published by summer or fall 2025, once the temporary freeze is resolved. In other words, any pause is seen as temporary, not a permanent delay. 

Katie Arrington has also underscored that waiting on CMMC is not wise for contractors. She reminded everyone that the core security standard behind CMMC (NIST SP 800-171) has been a contractual legal requirement since 2014, even if enforcement has been lax. The CMMC program exists to verify those longstanding requirements are finally being implemented. Thus, from the DoD’s perspective, the time for delay is over – companies should be actively shoring up their cyber defenses now. As French noted, “Once we see a hard date, then we’re really going to see people start to move on this.”

The bottom line is that while CMMC’s exact start date for contractual rollout has shifted, the DoD is signaling that the era of continuous postponements is ending. Companies would be unwise to assume they have endless time. 

When Does CMMC Go Into Effect? 

CMMC is already operational under 32 CFR. Companies that want to stay competitive are already pursuing certification.

The final step before CMMC becomes contractually required is the publication of the 48 CFR rule. This rule will insert CMMC clauses into defense contracts. Based on the timeline for previous DoD rules, the 48 CFR rule is projected to be finalized between June and October 2025. 

Once published, DoD will begin a phased rollout of CMMC requirements in new contracts. Some contracts will require certification immediately. CMMC will be a condition of contract award, not something companies can address after winning work. 

Here is the tricky part: primes can begin requiring CMMC for subcontracting work now, because those are private contracts. Your prime is likely to require CMMC long before the DoD does. If you have not heard from your prime, reach out and find out their timeline today.

The Business Case for Pursuing CMMC Now, Not Later: Surviving DOGE 

For small and mid-sized defense contractors, the convergence of CMMC implementation and DOGE (Defense-wide Organizational Guidance for Execution) budget constraints poses an existential risk. This is deeper than compliance – it’s about your company’s survival.  

CMMC demands significant investment in cybersecurity infrastructure, policy, and third-party assessment. DOGE, meanwhile, is tightening defense budgets, prompting both DoD and prime contractors to reduce spending and cut supplier rosters. For contractors still sitting on the sidelines of CMMC compliance, this combination could be financially devastating. 

If revenue declines before companies allocate resources for CMMC readiness, they may not recover in time to stay competitive in the defense ecosystem. But while that risk is real, so is the opportunity—early CMMC adopters are poised to gain a strategic advantage. 

Early Certification = Competitive Leverage 

The number of certified contractors remains small, and many suppliers are still in wait-and-see mode. That presents a rare moment for early movers to enter a less crowded, higher-trust vendor pool. 

Prime contractors are already screening their supply chains. As seen at CS2 Reston, some primes are already requiring a valid NIST SP 800-171 assessment score and even a completed CMMC Level 2 certification as a prerequisite for doing business. 

Certified suppliers will be easier to flow down work to, and in some cases, the only ones eligible. For companies seeking to strengthen prime relationships or pursue new teaming opportunities, certification prior to rollout or early in the rollout means differentiation—not just compliance. 

DoD’s Message is Clear: CMMC is Imminent 

CMMC is not going away, nor is it being subjected to endless delays. The program’s policy framework is already in effect and operational, and the contract mandate is expected within months. 

Smart contractors are using the current window to implement NIST SP 800-171 controls, update their System Security Plans, remediate gaps, and even undergo voluntary CMMC assessments now – to gain a competitive edge now – and so that when the requirement hits, they are 100% ready. 

DOGE is going to reduce contract awards. CMMC will restrict who’s eligible to receive what’s left. 

If you’re not preparing now, you’re gambling that your budget survives DOGE and that you’ll have time, money, and access to assessors later. Many small contractors will lose that bet. 

But early CMMC adoption flips that equation. Instead of waiting, you shape the competitive field—helping primes meet contract requirements, reducing competition, and staying ahead of enforcement. 

CMMC isn’t going away, and its significance for your business goes way beyond compliance—it may be the thing that keeps you in the defense business post-DOGE.