AWS Public Sector Blog

CMMC implementation begins: A new era for defense contractors

The long-awaited Cybersecurity Maturity Model Certification (CMMC) 2.0 is now a reality for the Defense Industrial Base (DIB). With the finalization of both the Code of Federal Regulations (CFR) Title 32 and CFR Title 48 rules, we’ve entered a new era of cybersecurity requirements for defense contractors. This post explores the implications of these developments and what they mean for businesses in the defense sector. This includes organizations in aerospace, defense satellite, healthcare, manufacturing, and higher education that conduct business with the Department of Defense (DoW). AWS supports these organizations in CMMC implementation through comprehensive security services, compliance documentation, and infrastructure that aligns with CMMC requirements across all levels while providing tools and resources to help organizations achieve and maintain certification.

The road to CMMC implementation has been a carefully orchestrated process. The 32 CFR CMMC Final Rule, published on October 15, 2024, and effective as of December 16, 2024, laid the groundwork by establishing the CMMC Program, defining security controls for each CMMC level and outlining assessment and certification processes. Following this, the crucial 48 CFR rule, which integrates CMMC requirements into the Defense Federal Acquisition Regulation Supplement (DFARS), has now been finalized. This means that all contracts that have Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will require an assessment of the contractor or subcontractor environment to ensure they’ve implemented the proper cybersecurity controls.

The DoW has now begun the phased rollout of CMMC requirements in contracts. This marks the start of a new era in defense contracting, where cybersecurity compliance is no longer just a contractual obligation but a prerequisite for doing business with the DoW.

What this means for contractors

On November 10, 2025, CMMC requirements began appearing in select new contracts, with full implementation expected by fiscal year 2028. This gives contractors time to adapt, but it also means that early adopters will have a competitive advantage in the market. Contractors and subcontractors face several significant challenges as they pursue CMMC certification. The requirement for pre-award certification has fundamentally changed the contracting landscape, as organizations must now achieve certification before they can be awarded DoW contracts. Additionally, prime contractors bear the responsibility of ensuring their subcontractors meet appropriate CMMC levels, creating cascading compliance requirements throughout the supply chain. The new framework’s restrictions on Plans of Action and Milestones (POA&Ms) further complicate matters, as organizations must demonstrate proactive compliance rather than relying on reactive planning approaches. Finally, CMMC 2.0 demands ongoing maintenance of cybersecurity practices through continuous monitoring, moving beyond the traditional point-in-time certification model to ensure a sustained security posture.

When contractors and subcontractors are ready to move forward, they can follow this five-step plan:

  • Assess current posture – Conduct a thorough gap analysis or self-assessment against CMMC requirements for your targeted level.
  • Develop compliance strategy – Create a comprehensive roadmap for achieving and maintaining CMMC compliance.
  • Initiate certification process – Begin working with a certified third-party assessment organization (C3PAO) to schedule your assessment for CMMC level 2.
  • Supply chain management – Review and update agreements with subcontractors to ensure they meet necessary CMMC levels.
  • Training and documentation – Implement robust training programs and documentation processes to support ongoing compliance.

Conclusion

The implementation of CMMC represents a significant shift in how the DoW approaches cybersecurity in its supply chain. Although it presents challenges, it also offers opportunities for contractors who can effectively navigate the new landscape. Those who embrace these changes and demonstrate their commitment to robust cybersecurity practices will be best positioned for success in future defense contracting.

Expect to see increased scrutiny of cybersecurity practices, not only during the certification process but throughout the lifecycle of contracts. The DoW’s commitment to enhancing the security of the DIB is clear, and contractors must align with this vision to remain competitive. Organizations that can adapt and comply with these new regulations are more likely to thrive in this new cybersecurity-focused environment. For more information on how to accelerate CMMC with AWS, visit https://aws.amazon.com/compliance/cmmc/ or contact CMMConAWS@amazon.com.

TAGS: announcements, AWS Public Sector, cybersecurity, defense, government, U.S. Department of Defense, CMMC, DFARS, NIST, Defense Industrial Base

Paul Keastead

Paul Keastead is a Senior Assurance Consultant with AWS Security Assurance Services (SAS) and a Lead Cybersecurity Maturity Model Certification (CMMC) Certified Assessor. He helps organizations achieve and maintain their compliance objectives in the cloud. Leveraging his experience as a FedRAMP Assessor and over a decade of expertise in national security and public sector technology compliance, Paul works closely with customers, partners, and AWS teams to align security and compliance requirements with business objectives.

Brian Stucker

Brian Stucker is a senior solution architect who specializes in security and compliance within Amazon Web Services (AWS) worldwide public sector (WWPS). He has over 18 years of experience in infrastructure security and leadership, with a passion for problem solving and doing more with less. Outside of work he enjoys spending time with his family and traveling.

Rachel Kahn

Rachel Kahn is the AWS Global Governance, Risk, and Compliance Lead. She has 25 years of experience in cybersecurity and compliance, including serving as the founder of a security advisory firm, a Chief Information Security Officer, and a Vice President of Sales and Alliances.