The Defense Federal Acquisition Regulation Supplement final rule for the Cybersecurity Maturity Model Certification program was recently finalized. The rule confirms the Department of Defense’s plans to include CMMC requirements in DoD contracts.
Implementation will be in phases over three years. “CMMC 2.0” is being rolled out to help strengthen cybersecurity across the Defense supply chain.
Phase 1 began Nov. 10, 2025, and requires new DoD contracts, including Small Business Innovation Research and Small Business Technology Transfer awards, to show a valid CMMC Level 1 or 2 self-assessment and annual affirmation in the Supplier Performance Risk System. Without it, companies will not be eligible for new awards or contract renewals.
The CMMC framework was created in response to years of costly data breaches. Foreign adversaries have stolen critical design and logistics information from U.S. defense contractors, including small suppliers.
CMMC gives DoD real enforcement power: contractors must demonstrate compliance to participate in the defense industrial base.
Think of CMMC as building a digital fortress of layered defenses that protect the “crown jewels” of your research, says Adam Austin of Totem Tech, a leading consultancy headquartered in Utah that provides assistance with CMMC certification and compliance.
Almost every DoD contractor, even SBIR/STTR awardees, handles Federal Contract Information, or FCI, and must meet at least CMMC Level 1 standards. Firms handling Controlled Unclassified Information, or CUI, will need CMMC Level 2. Only commercial off-the-shelf suppliers or micro-purchase contracts are exempt.
Compliance costs are allowable and may qualify for Technical and Business Assistance (TABA) funding in association with an SBIR or STTR award.
Arkansas firms can find guidance through these sources:
- Totem Tech CMMC Readiness Online Workshops
- Arkansas-based Forge Institute, which trains on CMMC
- Arkansas APEX Accelerator
- Free training at Project Spectrum
DoD’s phased rollout gives firms time to prepare, but cybersecurity is now a condition for doing business. Start now! Strong defenses protect both your innovation and your eligibility.
The Coalition for Common Sense in Government Procurement non-profit has published a helpful online guide for more information.