
CMMC Explained
Foreign adversaries increasingly view smaller Defense Industrial Base partners as the easiest entry point to steal intellectual property and disrupt U.S. capabilities.
Defense subcontractors—many of whom develop highly innovative and sensitive Controlled Unclassified Information—have been a prime target.
In Connecticut alone, more than 700 manufacturers make up the contractors and subcontractors at the core of the Department of Defense’s supply chain.
DoD has made combatting these attacks a top priority and its updated Cybersecurity Maturity Model Certification requirements are a direct response to this reality.
The CMMC program was introduced in 2019 as a means of verification of the existing DoD cybersecurity requirements.
It was followed by CMMC 2.0 in 2021, which simplified the original framework to a three-tiered model, with each tier incorporating security requirements from existing regulations and guidelines.
CMMC is a third-party verification to certify that all of the program requirements have been fully implemented at the appropriate level by defense contractors and subcontractors.
This strengthens DIB security and ensures the protection of Federal Contract Information and Controlled Unclassified Information.
The Deadline Is Here
Every company participating in defense contracts, or seeking to do so, is subject to certain CMMC requirements.
After years of speculation and preparation, the CMMC program is now officially in effect.
On November 10, 2025, the official regulation governing program implementation, the CMMC final rule, went into effect, formally integrating the CMMC program into defense contracts.
This rule amends the Defense Federal Acquisition Regulation Supplement (DFARS) and officially outlines the compliance requirements for defense contractors.
CMMC compliance has moved from voluntary to mandatory for applicable solicitations and contracts, representing a major shift in how cybersecurity requirements are enforced across the Defense Industrial Base.
The DoD has begun a phased rollout of the CMMC program as a condition for contract awards, options, and period extensions.
A critical obligation of the rollout is the flow down of the requirements to subcontractors.
Prime contractors are responsible for ensuring CMMC compliance throughout their supply chains.
Subcontractors must meet the same level of certification as the prime contractor if they handle the same type of information.
Primes are required to verify a subcontractor’s compliance status before awarding a subcontract that involves FCI or CUI.
Why The Urgency?
Bottom line: the eligibility of every contractor and subcontractor to participate in federal contracts with the DoD at any level of the supply chain will depend on their CMMC compliance status.
The real concern is that many companies chose to ignore the upcoming CMMC requirements.
But with the rule now in effect and a phased rollout underway, companies needing certification must start the process immediately.
Understanding The CMMC Levels
The required CMMC tier is defined in each contract and depends on the type of information shared under that contract; the three tiers have increasingly stringent certification requirements:
- Level 1 (Foundational): Safeguards FCI through basic cybersecurity practices. Level 1 compliance requires an annual self-assessment and submission of an annual affirmation of full compliance in the Supplier Performance Risk System (SPRS).
- Level 2 (Advanced): Protects CUI, requiring compliance with all 110 controls of the NIST SP 800-171 standard. CMMC implementation Phase 1 calls for a self-assessment, with a Plan of Action and Milestones (POAM) for closing remaining gaps, and an affirmation reported in SPRS. Phase 2 will involve certification assessments by a CMMC Third-Party Assessment Organization (C3PAO) every three years.
- Level 3 (Expert): The most robust certification level protects critical CUI. Full CMMC Level 2 certification is required along with 24 additional NIST SP 800-172 practices that will be subject to a government-led assessment.
The complex nature of CMMC 2.0 certification means that achieving and maintaining it is not an overnight process. Depending on an organization’s existing cybersecurity controls and its required certification level, certification can take anywhere from a few months for Level 1, to more than a year for Levels 2 and 3.
CMMC Phase 1 Readiness
With the CMMC program’s implementation Phase 1 now in effect, participation in a CMMC Level 1 government contract mandates that all compliance requirements are fully met without exception at the time of assessment.
Level 2 contractors must now show their readiness by posting self-assessment results with minimum implementation of 80% of all practices, and an affirmation of continuous compliance in the Supplier Performance Risk System (SPRS) before contract award.
An Affirming Official (a senior-level leader) must personally attest to the accuracy of the company’s submission. Full C3PAO certifications may start being required in this phase but will be mandatory starting in Phase 2, November 10, 2026.
CMMC Level 3 full compliance will start being mandatory beginning with Phase 3 implementation on November 10, 2027.
The Cost of Compliance
CMMC certification is not easy or fast, and cost is a major compliance factor.
CMMC costs are based on the organization’s assessment scope, including geographical footprint, IT complexity, security readiness, technology and infrastructure, and the chosen assessment level.
Upgrades to existing technology and required third-party assessment add up quickly.
Costs range from several thousand dollars to well over six figures, so companies need to budget not only for the initial financial impact but also for future costs associated with maintenance and recurring compliance cycles.
Don’t Go It Alone
CMMC compliance can feel overwhelming and out of reach, but it is a necessity for anyone in the DIB. Companies do not have to figure it all out on their own; help is out there.
CONNSTEP’s Cybersecurity Consultant Anna Mumford has guided over 100 manufacturers with their regulatory cybersecurity compliance preparation.
Anna’s IT expertise, including a cybersecurity management degree and over 20 years of experience in her field, has given her a deep understanding of the cybersecurity landscape, particularly the intricacies of CMMC compliance. Anna holds certifications as a CMMC CCP (Certified CMMC Professional) and a CMMC CCA (Certified CMMC Assessor).
Anna, along with CONNSTEP’s team of cybersecurity experts, ensures Connecticut manufacturers, especially those involved in federal contract work, are prepared, protected, and in compliance with cybersecurity regulations.
Begin with Bootcamp
A great starting point for organizations to gain the essential knowledge to achieve CMMC 2.0 Level 1 & Level 2 compliance and certification readiness is CONNSTEP’s CMMC Bootcamp.
Designed for business owners, company management, senior leadership, and individuals responsible for their organization’s cybersecurity compliance, in 5 half-day workshop sessions, our cyber experts give participants the tools to:
- Understand the CMMC 2.0 program and requirements
- Identify, mark, and properly scope CUI/FCI
- Master CMMC implementation and compliance evidence documentation
- Develop customized policies, procedures, System Security Plan, CMMC scoping documentation, Incident Response Plan, and risk management methodology
- Understand the CMMC Certification Assessment Process
- Build a strong culture of security within your organization
- Safeguard American innovation and national security information against cyber threats
The next CMMC Bootcamp session is now available for registration, starting in March 2026. Don’t wait until it’s too late to secure your eligibility. Register today at
https://www.connstep.org/cmmc-bootcamp/.
Financial Assistance
The Cybersecurity Adoption Program (CAP) was created to assist Connecticut’s small and medium-sized manufacturers with the financial costs associated with seeking cybersecurity assessments and CMMC Certification.
CAP is a grant program funded by the Connecticut Department of Economic and Community Development’s Manufacturing Innovation Fund and administered by the Connecticut Center for Advanced Technology.
Eligible companies can apply for grant funding of up to $35,000 to assist with cybersecurity assessments and CMMC adoption. Recipients are required to pay half of the project cost.
Up to $10,000 can be used for CMMC guidance and initial assessments, with the balance allocated to remediation projects, such as training programs and CMMC Level 1 & 2 remediation, performed by a qualified cybersecurity consultant.
Proposed projects must have a minimum total value of $5,000 and can be used to cover CMMC Bootcamp attendance along with additional one-on-one CMMC guidance from CONNSTEP.
Applications for CAP are now open. Interested manufacturers can learn more about eligibility criteria, funding uses, and the application process by visiting the official program page:
https://grants.ccat.us/s/funding-program/a1uDn000000G2hGIAS/cybersecurity-adoption-program-cap.