The government shutdown has been ongoing for nearly a month. Museums closed. Federal employees furloughed. Washington is paralyzed with no end in sight.
But Nov. 10 doesn’t care.
While Congress remains gridlocked over funding, Phase 1 of the Cybersecurity Maturity Model Certification (CMMC) program implementation is still on track, and defense contractors waiting for political clarity before addressing compliance are making a critical miscalculation. Starting Nov. 10, contracting officers can begin including Level 1 or Level 2 self-assessment requirements as conditions of award, regardless of whether the government shutdown has been resolved.
The threats defense contractors face don’t pause during shutdowns. In a recent 60 Minutes interview, retired Gen. Tim Haugh, who led both the National Security Agency and U.S. Cyber Command until April, warned that China has infiltrated critical U.S. infrastructure, from water treatment plants to electrical grids, as part of what Beijing calls “unrestricted warfare.” While Washington argues over funding, China isn’t waiting for Congress to get its act together. Neither should defense contractors.
The real challenge facing the industry is a matter of simple math. As noted by CyberSheath CEO Emil Sayegh, “Assessors are already booked out six to nine months, leaving little room for delay. There are fewer than 500 certified assessors nationwide, and each audit requires two assessors for up to a week.” The bottleneck is already here, before Phase 1 has even begun.
For contracts involving Controlled Unclassified Information (CUI), Level 2 is required. In Phase 1, self-assessments will be enough. In Phase 2, certification by a CMMC Third-Party Assessment Organization (C3PAO) becomes a requirement for many solicitations. Without CMMC compliance, you may lose the ability to bid on DOD contracts. Yet, according to Merrill Research, only 1% of the defense industrial base (DIB) believes it is completely ready for CMMC.
Some contractors seem to be operating under the assumption that they have time — that the shutdown means everything is on hold, or that Nov. 10 is just another bureaucratic date that will slide when Congress finally resolves its funding impasse. That assumption is wrong on both counts. The CMMC program is mandatory, the phased implementation schedule is set, and contracting officers may include CMMC level requirements in solicitations starting Nov. 10. Companies without the appropriate CMMC status will not be eligible for applicable contract awards.
Since 2008, CyberSheath has helped Department of Defense (DOD) contractors and suppliers achieve, maintain, and prove compliance with DFARS, NIST 800-171, and CMMC 2.0. We deliver end-to-end managed compliance through our Assess, Implement, and Manage (AIM™) methodology, ensuring every customer remains audit-ready and eligible for DOD contracts.
The noise in Washington will eventually pass. CMMC compliance deadlines won’t. Review our case studies to see how we’ve helped organizations address their compliance challenges and reach out to our team to see how we can get you across the finish line, too.
