CMMC Certification Is No Longer Optional - Industry Today - Leader in Manufacturing & Industry News
 

June 27, 2025 CMMC Certification Is No Longer Optional

CMMC compliance is no longer an option. Contractors who delay certification risk losing contracts, revenue, and long-term competitiveness.

By Steven J. Ursillo, Jr., CMMC Certification Lead and Information Assurance and Cybersecurity Partner at Cherry Bekaert, and Brian Kirk, Senior Manager, Information Assurance and Cybersecurity at Cherry Bekaert

The cybersecurity landscape is evolving rapidly, and for government contractors, particularly those in the manufacturing sector, there is a growing storm of regulatory pressures that cannot be ignored. Amid ongoing concerns about tariffs, trade restrictions, and economic uncertainty, cybersecurity is at risk of being overshadowed. But for organizations that serve the Department of Defense (DoD), postponing Cybersecurity Maturity Model Certification (CMMC) preparation is a dangerous gamble—one that could soon jeopardize their ability to compete, win contracts, or even operate.

What Is CMMC and Why Does It Matter?

The DoD introduced CMMC to standardize cybersecurity practices across its vast and complex supply chain. With the Defense Industrial Base (DIB) composed of over 300,000 contractors, including many small to mid-sized manufacturers, the stakes are high. CMMC is meant to verify that contractors can securely handle Controlled Unclassified Information (CUI) and are not unwitting gateways for threat groups seeking to reach U.S. defense systems through a weakly defended supplier.

CMMC Level 2, the level that applies to contractors handling CUI, requires implementing the 110 security requirements of NIST SP 800-171, Rev. 2 and, for most such contracts, passing an assessment by a certified third-party assessment organization (C3PAO). The requirements themselves are not new: DFARS clause 252.204-7012 has obligated contractors to implement NIST SP 800-171 since 2017, and DFARS 252.204-7019 already requires a self-assessment score to be posted in the Supplier Performance Risk System (SPRS). What CMMC adds is independent verification. The CMMC program rule (32 CFR Part 170) is already final; the companion DFARS acquisition rule that writes CMMC levels into solicitations is expected to take effect in late 2025, at which point certification becomes a condition of award. In simple terms: no certification, no contract, no DoD money.

Why Some Are Falling Behind

Despite these clear signals, many government contractors are not actively preparing for CMMC requirements. Why is this the case?

For many, the regulatory burden has been mounting from all sides, especially in the manufacturing and supply chain sector. The complexity of preparing for CMMC compliance, including costs, scope, and questions about applicability, is being further strained by uncertainty surrounding tariffs and trade restrictions. These overlapping priorities have absorbed the attention of leadership and legal teams, slowing the progress toward meeting regulatory requirements. Whether navigating Section 301 tariffs on Chinese imports or adjusting to changing materials costs, companies are understandably stretched thin.

A recent Merrill Research report found that most contractors are unprepared to meet DoD cybersecurity requirements and risk losing eligibility for future contracts. The report revealed a significant gap between perception and reality: while 75% of respondents believed they were CMMC compliant based on self-assessments, only 4% actually met the requirements when evaluated by a third party.

Ignoring CMMC due to current distractions may solve a short-term problem, but it will create a much bigger one down the road. Noncompliance in cybersecurity poses a significant threat to a company’s ability to operate, compete, and remain viable in an increasingly regulated market.

Manufacturers are particularly at risk, as many rely on legacy systems and operate with limited IT staff. As such, they are frequent targets for ransomware and supply chain attacks. And these vulnerabilities are not hypothetical. According to IBM’s 2023 Cost of a Data Breach Report, the average cost of a data breach in industrial sectors now stands at $4.9 million.

Primes Are Tightening the Screws

Adding to the urgency is the fact that prime contractors are already beginning to require CMMC-level compliance from their subcontractors, even before the rule takes effect. Procurement professionals are now under pressure to ensure that every link in the supply chain can be trusted with sensitive data.

Even if a manufacturer doesn’t directly hold a DoD contract, they may still be expected to prove compliance as part of their prime’s cybersecurity due diligence. Inaction now could result in fewer partnership opportunities and lost revenue.


CMMC as a Strategic Investment

For contractors who are overwhelmed or unsure of where to start, the good news is that preparing for CMMC often delivers broader business benefits:

  • Modernizing IT infrastructure
  • Reducing breach risk and downtime
  • Strengthening vendor and client trust
  • Streamlining compliance with other standards like ISO 27001 or NIST CSF

With an increased focus on national cybersecurity, future regulations will likely become even more stringent. CMMC preparation enhances companies’ security and attractiveness as trusted partners in high-stakes federal environments. Getting ahead of CMMC now can build the foundation for long-term resilience.

The Time to Act Is Now

With the final Acquisition Rule expected to go into effect in late 2025, the window for preparation is closing fast. Certification often takes months of preparation, gap analysis, remediation, and documentation. Companies that wait until the rules are in effect may already be too late to participate in upcoming defense projects.

While tariffs and trade policies may dominate today’s headlines, CMMC is tomorrow’s contract requirement. For defense manufacturers and procurement teams alike, CMMC is a strategic imperative that will define who gets to compete and grow in tomorrow’s defense economy.

About the authors:


Steven Ursillo Jr. is a Partner and CMMC Certification Lead in the firm's Information Assurance and Cybersecurity practice. With over 20 years of experience, he specializes in information system security, cyber fraud prevention and detection, security and privacy governance, risk management, internal control over financial reporting, and IT assurance issues. He has provided end-user security awareness training and performed live hacking demonstrations on simulation systems, including network, wireless, mobile, application, and web application attacks.


Brian Kirk is a Senior Manager in Cherry Bekaert’s Cybersecurity practice, with over 12 years of experience in cybersecurity advisory, risk, and attest services. He has successfully led a team in conducting various assessments and audits to establish compliance with several key cybersecurity standards and frameworks. These include readiness assessments and examinations for the Cybersecurity Maturity Model Certification (CMMC), National Institute of Standards and Technology (NIST), Defense Federal Acquisition Regulation Supplement (DFARS), International Organization for Standardization (ISO) 27001, System and Organization Controls (SOC), and Health Information Trust Alliance (HITRUST). Brian holds multiple certifications, including a Certified Public Accountant (CPA), Certified Information Systems Auditor (CISA), Certified HITRUST CSF Practitioner (CCSFP), Certified CMMC Professional (CCP), and Certified CMMC Assessor (CCA).
