What If… CMMC Disappeared?
- Triumvirate Cyber

- Apr 7, 2025
- 5 min read
Updated: Apr 8, 2025
Some organizations have been hesitant to take the plunge into CMMC compliance because they doubt it will ever really become a requirement. Considering the numerous fits and starts the program has experienced, including recent questions surrounding Michael Duffey’s statements during his nomination review, having some questions about the program’s viability isn’t unreasonable. For the sake of argument, let’s dig into what would happen if CMMC were to simply go away.

First, we need to preface this article by stating that this is merely a hypothetical exercise, and we believe it is extremely unlikely that CMMC will disappear. Consider the extensive effort that has gone into getting the program up and running, the fact that it incurs minimal direct cost to the government (estimated at less than 0.02% of the total DoD budget for FY2025 (§2-15)), and the appointment of Katie Arrington, a critical contributor to and advocate for CMMC, to the DoD CIO’s office. All signs indicate that rulemaking for 48 CFR 252.204-7021, the clause allowing the DoD to require certification, will conclude in 2025 and that the phased rollout will begin shortly thereafter.
Nonetheless, this question of viability for CMMC is one that many individuals and businesses have, so we believe it merits a response.
On the Origin of DoD Cybersecurity Compliance Requirements
Even without CMMC, DoD suppliers aren’t off the hook for maintaining adequate cybersecurity practices. FAR 52.204-21 defines 15 “basic safeguarding requirements” for all U.S. federal government contractors, covering the protection of federal contract information (FCI) on contractor systems. These same practices make up the requirements for CMMC Level 1, meaning organizations are obligated to abide by them regardless of whether CMMC ever becomes required.
CMMC Level 2 is based on NIST SP 800-171 (Rev. 2, per DoD memo). These same requirements are incorporated by DFARS 252.204-7012 as the foundation for safeguarding covered defense information (CDI), which includes controlled unclassified information (CUI). DFARS 7012 has been in effect since December 2017, meaning organizations with access to CDI have been subject to the NIST SP 800-171 requirements for years, even without CMMC. (Are you seeing a pattern yet?)
DFARS 7012 is supplemented by DFARS 252.204-7019 and -7020 as part of the DFARS Interim Rule, which went into effect in November 2020.
DFARS 252.204-7019: All contractors with access to CDI must have a current NIST SP 800-171 DoD Assessment (Basic, Medium, or High, as specified by the contract) and must post and maintain their Basic self-assessment summary scores in the Supplier Performance Risk System (SPRS).
DFARS 252.204-7020: Defines the NIST SP 800-171 DoD Assessment Methodology, including Medium and High assessments performed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), requires contractors to give the DoD access for those assessments, and requires the clause to be flowed down to subcontractors.
Another part of the DFARS Interim Rule is DFARS 252.204-7021 which, as mentioned above, is the clause that will allow the DoD to require CMMC as a condition of contract award. This is the only portion of the Interim Rule that is not yet being applied to contracts as of April 2025. In other words, DFARS 7012 already mandates the NIST SP 800-171 requirements, and DFARS 7019 and 7020 already require contractors to be assessed against them; CMMC adds nothing to that list.
Level 3, which is based on a subset of NIST SP 800-172, includes the only security requirements unique to CMMC. In short, everything except (i) the third-party (C3PAO) assessments required at CMMC Level 2 and (ii) the additional requirements at CMMC Level 3 is already required of DoD contractors today. The CMMC program does not impose the underlying requirements; it is merely the verification mechanism that allows the DoD to validate compliance without performing every assessment itself.
So… What’s the Point of CMMC Then?
History time! 2024 marked the 10-year anniversary of the indictment of Su Bin for his role in the theft of sensitive U.S. government data, including design details for the F-22 Raptor and F-35 Lightning II fighter jets, which the Chinese government has since used to develop fighters such as the J-20 Mighty Dragon. This theft didn’t occur via a smash-and-grab attack targeting major DoD suppliers like Lockheed Martin directly; it occurred over a span of years via infiltration of smaller contractors and subcontractors, each of which held only limited pieces of the puzzle.
With enough pieces, one can still get a fairly accurate idea of the big picture. This example highlights the importance of ensuring security farther down the supply chain and provides insight into the thinking behind requirements like those from DFARS 7012.
However, even after DFARS 7012 required contractors to implement the NIST SP 800-171 practices, the DoD continued to be plagued by data breaches through its suppliers, such as the contractor involved in the Sea Dragon project, despite those suppliers having attested to meeting the DFARS 7012 requirements. Recent research indicates only a fraction of DoD contractors are “fully prepared to meet the Department of Defense minimum cybersecurity requirements” (NextGov/FCW).
CMMC is an effort to proactively verify suppliers’ compliance with the DoD’s cybersecurity requirements prior to providing them with access to sensitive information, rather than learning about non-compliance after an incident has occurred.
Enforcement Mechanisms without CMMC
Since the U.S. Department of Justice announced its Civil Cyber-Fraud Initiative in 2021, the DoJ has reached settlements specifically related to violations of DFARS cybersecurity requirements totaling over $26 million across five organizations. With settlements increasing in frequency, and the most recent having occurred just a few weeks ago in March 2025, the DoJ has clearly signaled its intent to hold organizations accountable for protecting sensitive government data, regardless of whether CMMC ever goes into effect.
These settlement figures exclude the revenue lost should the DoD exercise its right to find a contractor ineligible for award, terminate existing contracts, or withhold renewals for failing to meet the requirements under the existing DFARS clauses, whether temporarily or permanently through debarment. Needless to say, losing an existing contract, or the possibility of any future DoD contracts, would be a substantial, if not devastating, blow to a supplier that depends on those contracts as part of its revenue stream.
Wrapping Up
Businesses constantly juggle competing priorities, which can leave cybersecurity compliance on the back burner. Newly implemented tariffs will also undoubtedly affect members of the DIB, especially those in the manufacturing sector. However, neglecting to meet cybersecurity requirements, even if CMMC were to disappear tomorrow, means organizations risk losing existing revenue or becoming ineligible for new contracts.
In these uncertain times, ensuring your organization meets its existing compliance requirements is an investment in stability and longevity. It will help you avoid unexpected hiccups in an already difficult environment, and it will position you for success if (when) the new CMMC requirements go into effect.