You've known about CMMC for a while. Maybe you figured you'd deal with it "eventually." Maybe you thought the deadline would get pushed back again. Maybe you hoped it would just go away.
It's not going away. And "eventually" is now.
The Phase 2 Deadline: June 2025
87 days from now, the DoD flips the switch on Phase 2 enforcement.
What that means:
- All new DoD contracts will require CMMC certification
- No certification = you can't bid
- Your prime contractors will start asking for proof
- Competitors who are certified will take your work
This isn't a soft deadline. It's not a "recommendation." It's a hard contract requirement.
But Hasn't the Deadline Been Pushed Before?
Yes. Multiple times.
CMMC was supposed to roll out in 2020. Then 2021. Then 2023. Then 2024.
People got complacent. "They'll push it again," everyone said.
Not this time.
The DoD published the final rule in October 2024. The regulation is locked in. There's no political appetite to delay it again — not with China stealing defense tech daily.
If you're betting on another extension, you're gambling your DoD revenue stream.
What "No Cert = No Bid" Actually Means
Let's be specific. Here's what happens if you're not certified by June 2025:
Scenario 1: New Contracts
You get an RFP for a $500K job making brackets for the F-35.
The solicitation says: "Offerors must have CMMC Level 2 certification."
You don't have it. You can't bid. End of story.
Scenario 2: Prime Contractor Requirements
Your prime contractor (Lockheed, Boeing, etc.) sends a questionnaire: "Are you CMMC certified?"
You say no. They say, "Get certified or we're finding a new supplier."
They're not bluffing. Primes are on the hook for supply chain security now. If you leak data, they get blamed.
Scenario 3: Existing Contracts
You have a 3-year contract that renews in August 2025.
At renewal time, the DoD adds CMMC as a contract requirement. No certification = no renewal.
Your competitor who got certified? They get your contract.
Why Waiting Until March 2025 Is Too Late
Here's the timeline to get CMMC Level 2 certified:
| Task | Time Required |
|------|---------------|
| Gap assessment | 2-4 weeks |
| Fix technical gaps (MFA, backups, network segmentation) | 8-12 weeks |
| Document policies and procedures | 4-6 weeks |
| Schedule C3PAO assessment | 4-8 weeks (waitlist) |
| Pass assessment and get certified | 1-2 weeks |
| TOTAL | 5-7 months |
If you start in January 2025, you might squeak in by June.
If you start in March? You're not getting certified before the deadline. Not even close.
The C3PAO Bottleneck
C3PAOs (the certified auditors who assess you) are already booked solid.
Everyone who waited until the last minute is scrambling. Guess what happens when 10,000 shops need assessments in the next 6 months?
Waitlists.
Some C3PAOs are booking 3-4 months out already. By March, good luck finding one before June.
The Real Cost of Delay
Let's do the math on what procrastination costs you.
Your DoD revenue: Let's say $1M/year (conservative for a 10-person shop)
Lost revenue if not certified: $1M/year = $83K/month
If waiting until March pushes your certification to August (2 months late), you just lost $166K in revenue.
Meanwhile, your competitor who started in December is taking your contracts.
What's Driving the Urgency?
Three things are making this deadline real:
1. Data Breaches Are Accelerating
Chinese hackers stole F-35 design data from a subcontractor in 2014. They built their own knockoff fighter jet (the J-31).
The DoD is done playing around. They're tightening the supply chain or cutting you out.
2. Primes Are Enforcing It
Lockheed Martin, Raytheon, and Boeing are already requiring CMMC proof from subs. They're not waiting for June 2025 — they're doing it now.
If your prime says "show me your cert," you either have it or lose the contract.
3. Insurance & Liability
Cyber insurance companies are starting to ask: "Are you CMMC compliant?"
If you get hacked and leak CUI, you're liable. Insurance won't cover gross negligence (like storing classified data on an unsecured laptop).
What Happens If You Get Hacked Before You're Certified?
Bad news: You have to report it to the DoD within 72 hours.
If you're handling CUI and get ransomware, you can't just quietly pay the ransom and move on.
You report it to the DoD. They investigate. If you weren't following CMMC practices, you lose your contracts.
And if you think "I just won't report it," think again. That's a federal crime (False Claims Act). Penalties include fines, debarment, and jail time.
Can You Just Self-Certify Like Before?
Nope.
The old system (self-assessment) is dead. Everyone lied. The DoD knows this.
Now you need a third-party C3PAO assessment. They check everything:
- Technical controls (firewalls, MFA, backups)
- Policies and procedures (documented and followed)
- Interviews with staff (do they actually know the security rules?)
If you fail, you don't get certified. If you don't get certified, you don't get contracts.
What If You're "Too Small" for CMMC?
Some shops think: "We're only 5 people. This doesn't apply to us."
Wrong.
CMMC applies to every company in the DoD supply chain that handles CUI. Size doesn't matter.
If you make a single bolt for an F-35 and get the technical drawing (CUI), you need CMMC.
The DoD doesn't care if you're a 3-person garage shop or a 500-person factory. Same rules.
What If You Stop Taking DoD Work?
Fair question. Some shops are walking away from defense contracts entirely.
Here's what you're giving up:
- Stable, long-term revenue (DoD contracts are 3-5 years typically)
- Premium pricing (defense work pays better than commercial)
- Diversification (if commercial dries up, defense is a cushion)
And here's what you'd need to replace it:
- New commercial clients (harder to find, price-sensitive)
- Retooling for different work (if your equipment is defense-specific)
- Layoffs (if you can't replace the revenue)
For some shops, walking away makes sense. For most, the cost of CMMC compliance ($25K-$75K) is way cheaper than losing DoD revenue.
What's the First Step Right Now?
Don't panic. But don't wait either.
Here's what you do today:
Step 1: Assess Where You Are
Take the free 2-minute readiness quiz. It'll tell you:
- How far you are from compliant
- What gaps you need to fix
- Rough cost estimate
No signup, no sales pitch. Just a score.
Step 2: Get a Gap Assessment
Hire a consultant (or use an internal IT person) to do a formal gap assessment against NIST SP 800-171.
This costs $5K-$10K and takes 2-4 weeks. You'll get a report listing exactly what's broken.
Step 3: Start Fixing Gaps
The big ones to tackle first:
- Multi-factor authentication (MFA) on all accounts
- Encrypted backups (offsite and tested)
- Network segmentation (CUI isolated from guest WiFi)
- Asset inventory (know what devices you have)
- Incident response plan (what to do when you get hacked)
Most of this is technical work. Budget 2-3 months.
Step 4: Document Everything
CMMC requires written policies. You need:
- Access control policy
- Incident response plan
- Media sanitization procedures
- Password requirements
- Security awareness training records
Boring paperwork. But required. Budget 1-2 months.
Step 5: Schedule the C3PAO Assessment
Once your gaps are fixed and policies are documented, book a C3PAO.
Expect to wait 4-8 weeks for an available slot. Then 1-2 weeks for the actual assessment.
Pass the assessment, get your certification, bid on contracts.
Bottom Line
June 2025 is 87 days away.
If you're not certified, you're locked out of DoD contracts.
If you're waiting for another extension, you're gambling.
If you're hoping your prime will let it slide, they won't.
Start now. Or start losing revenue in June.
Next step: Take the free quiz. 2 minutes. See where you stand. Then decide if you're in or out.