The rollout of new rules around the Cybersecurity Maturity Model Certification by the U.S. Department of Defense is pushing government contractors to upgrade their internal security practices and protections.

Posted by the Federal Register in December, the updated CMMC rules could require DOD contractors to meet at least level two of the three-level certification within the next three years to qualify for certain contracts. Organizations will need to not only meet stricter requirements for security and data encryption, but also maintain regular assessments and inspections.

Companies are scrambling to make sure they reach the new requirements before they risk losing lucrative government contracts.

According to research from services provider Deltek, 55% of contractors said their government projects will include a CMMC requirement. Just under half of respondents who said their projects include meeting CMMC requirements, 43%, said that they will likely need to meet the level 2 standard, while 34% said they will seek contracts demanding the even stricter level 3 requirements.

“After years of delays and light enforcement, 2025 marks a turning point, and those that have been in compliance will see a competitive advantage,” Deltek noted. “This transformation is especially challenging for mid-tier and smaller subcontractors, who often lack the resources of large primes.”

This belief was particularly prevalent in the IT services sector, where 70% of respondents expect CMMC requirements for their projects, while 43% believe their contracts will require level 2 status or higher.

“This year, CMMC is becoming real. Primes are facing a lot of (compliance) pressure and passing that to their subcontractors,” said Mike Brooks, principal CMMC and DFARS program manager with Deltek. “The ones that are compliant are seeing it as a competitive advantage.”

More than two thirds of government contractors are planning to undergo a CMMC assessment before the end of the year, the vast majority of those (83%) being midsize businesses.

When it comes to views on cybersecurity as a whole, the report found that many government contractors have the same concerns and priorities as other organizations dealing in the private sector.

Ransomware was seen as the top threat, with 57% of respondents ranking it as their biggest worry. Artificial intelligence (AI) was also seen as a primary concern and a top priority, with 56% of companies planning to implement an AI-enhanced platform or service.

The report noted, however, that the long-term outlook for AI adoption and growth was not as clear.

“AI governance emerged as a top IT challenge, but as it was new to the list of IT operations challenges this year, and will need to be monitored in the coming years to gain meaningful insights,” Deltek said.
