We are closing in on October 1, which is the over/under date for when the final rule requiring the inclusion of CMMC in Department of Defense solicitations will take effect. Billions of electrons have been spilled talking about CMMC already, so I won’t go into detail on that here.
What I do want to highlight is the consequences of noncompliance. The reality is that a lot of contractors won’t comply with requirements without a threat for noncompliance, and the Department of Justice has been diligent in creating that threat.
As we’ve discussed before, the Department of Justice created a task force to pursue fraud related to cybersecurity. The first couple of settlements that the DOJ announced were not pure cybersecurity matters. One involved security clearances and one involved unapproved drugs; both were matters a typical government contractor could distinguish from its own situation.
Since then, the DOJ has stepped up its efforts, including more directly applicable cases. The most recent one, reported on July 31, 2025, reached a $1.75 million settlement. This settlement was based primarily on a failure to implement controls in NIST SP 800-171, which is included in most DOD contracts. Further, the contractors self-reported the alleged violations, for which the DOJ commended them, and still received a significant fine. This settlement was not an outlier; the last reported settlements were $1.75 million, $9.8 million, $14.75 million, $8.4 million, $4.6 million, $11 million, and $1.25 million. The pace of settlements has increased, with three reported in July alone.
For the most part, CMMC does not change the underlying security requirements; most DOD contracts already have obligations related to NIST SP 800-171. What CMMC does do is to drastically increase visibility and affirmation requirements. The most obvious are third-party attestation requirements for certain DOD contracts. But beyond that, all DOD contractors will receive more scrutiny from staff, partners, consultants, and clients. Expect more whistleblowers and DOJ press releases.
We also expect CMMC-like requirements to expand to other agencies. That will expand the DOJ’s potential targets from DOD contractors to all federal contractors. If you are a contractor with the federal government, or you service those who are, you need to improve your cybersecurity capabilities. If you don’t know what your obligations are, reach out to the author at [email protected].