The DoD Prioritizes CMMC: What Defense Contractors Need to Know

The Secretary of Defense recently issued a memo to the DoD mandating immediate action to ensure all IT and cloud systems are secured from attacks originating from the supply chain.

What this means is that all software and hardware susceptible to foreign interference will not be eligible for procurement, nor will contractors using such technology be authorized to continue providing services to the government or DoD.

The memo goes on to stress a preference for CMMC-certified contractors that also comply with programs that include the Authority to Operate process, the Federal Risk and Authorization Management Program (FedRAMP), the Software Fast Track program, and the Secure Software Development Framework.

Up until now, CMMC had not been mentioned in national defense discussions, but this mention makes it clear that the framework has officially become an essential guideline.

Issued on August 1, 2025, the memo directs the DoD’s CIO to issue guidance within 15 days. As with many emerging frameworks, this situation is evolving rapidly and should signal to government contractors that CMMC certification is no longer on the back burner.

So, what does this mean for existing DoD contracts? Essentially, if your organization handles Controlled Unclassified Information (CUI), time is of the essence. If CMMC was not front and center in your strategy, it needs to be escalated immediately.

Time to Act: Is Your Organization CMMC Ready?

This new DoD directive highlights a critical shift. CMMC is now a core requirement that will determine eligibility for new contracts and the ability to maintain existing ones.

Delaying the transformation presents a massive risk for contractors as they may find themselves excluded from the supply chain entirely.

The Secretary of Defense has made it all too clear that any technology deemed susceptible to foreign influence will be eliminated immediately. Organizations that lack certifications, specifically CMMC, may lose long-standing contracts, risk reputational damage, and lose their competitive edge.

What Contractors Can Do Right Now

Staying up to date with emerging frameworks is challenging in itself, and contractors must be nimble enough to respond quickly or risk losing lucrative government contracts.

Here are a few suggestions to help you prepare for what comes next:

  1. Conduct a Readiness Assessment. Identify gaps against NIST 800-171 and other CMMC Level 2 requirements to understand the scope of work ahead.
  2. Prioritize Documentation. Policies, procedures, and system security plans (SSPs) must be airtight. Documentation gaps are among the top causes of failed audits.
  3. Evaluate Your Supply Chain. Every vendor that handles CUI must also be compliant and held to the same standards. Initiate conversations with partners now to align priorities and expectations.
  4. Engage Expert Support. CMMC-certified consultants or managed security service providers can shorten timelines, reduce costs, and accelerate your path to compliance and certification.

Looking Ahead

The DoD’s August 1 memo is not a simple policy update—it’s a warning shot. Contractors who are quick to respond will be better positioned to safeguard their existing contracts, shore up trust with the DoD, and strengthen their resilience against evolving cyber threats.

CMMC is a new standard in DoD compliance. Organizations that embrace CMMC as a long-term strategy will be poised to thrive in the future defense landscape.
