The Cybersecurity Maturity Model Certification (CMMC) program is entering a new phase of enforcement. Beginning Nov. 10, new Department of Defense contracts that include CMMC requirements may mandate a Level 2 third-party assessment on file in the Supplier Performance Risk System.
The shift comes after years of uncertainty around rulemaking and multiple changes in program structure. It also arrives as space manufacturers, engineering firms and service providers face increasing pressure from prime contractors to demonstrate compliance ahead of the government deadline.
For many organizations, the approaching deadline means tough decisions must be made on how to implement these requirements without disrupting production, engineering workflows or supply-chain relationships.
A Program Moving into Full Enforcement
The CMMC framework has been in place for a while, Justin Padilla, senior director of cybersecurity services at Kratos, told Constellations.
“The interesting thing about it is the CMMC requirements aren’t new,” Padilla said. “NIST SP 800-171 has been the standard in place with DoD for many years.”
The first iteration of CMMC was released in 2020 during the Trump Administration’s first term and featured five certification levels and third-party assessments. Following pushback from industry, particularly on assessment costs and complexity, the framework was streamlined in 2021 to reduce the requirements and cut the number of levels to three. The program went into effect in November 2025, with Phase 1 including Level 1 requirements only. The November milestone initiates Phase 2 and the potential for Level 2 third-party assessment requirements.
But even with years to prepare, some contractors may not make the deadline. The CMMC’s long regulatory timeline created hesitation across the industrial base, with companies delaying investment because the program’s future was unclear, Cole French, director of cybersecurity services and CMMC capability lead at Kratos, told Constellations.
“Historically, one of the problems with CMMC is a rulemaking process of five to six years,” French said. “While requirements were defined, the survival of the program hung in the balance.”
Between the skepticism toward the program’s longevity and the expense of third-party assessments, many contractors treated CMMC like it was optional and now may not meet the very real deadline, French said.
“The November milestone is significant,” French said. “It’s the lynchpin.”
The requirement applies to new contracts issued after Nov. 10, so existing contracts are not automatically affected. However, the shift changes how organizations prepare for future work, French said.
Prime Contractors Push Requirements Downstream
Meanwhile, prime contractors are not waiting for the November milestone. Several contractors, including L3Harris, have already issued summer compliance deadlines to their suppliers, French said.
These moves reflect concerns about supplier readiness and the risk of losing critical vendors – removing a supplier raises immediate questions about capability gaps and replacement options, he noted.
“If they remove a supplier from their supply chain, what impact does that have? Do they have somebody else that can do it?” French asked.
For many small and mid-sized firms, the pressure is coming from both government requirements and industry-driven expectations.
Primes should continue to apply pressure, because cybersecurity risk anywhere in the supply chain ultimately becomes a risk to the program, Charles Beames, chairman of the SmallSat Alliance, executive chairman of SpiderOak and TrustPoint and former chairman at York Space Systems, told Constellations.
“The issue is no longer whether the space industry should hold to the July 30 CMMC deadline to improve cybersecurity. It absolutely should,” said Beames, who is also an investor and retired Air Force colonel.
Consequently, cybersecurity preparedness is quickly becoming a baseline requirement for involvement in defense programs, independent of when formal government mandates take effect, Beames said.
Enterprise vs. Enclave: Operational Tradeoffs for Space Manufacturers
Space companies – particularly those with engineering and manufacturing operations – face distinct challenges in meeting CMMC requirements, said Padilla.
Many initially approached compliance as an enterprise-wide effort, but as the deadline approaches, more are shifting toward enclave-based environments, Padilla said.
“Now that we’re getting close to the wire, more organizations are moving towards the enclave model, which is great for a services organization – but for folks in engineering or manufacturing where they build stuff... where they use paper, the enclave isn’t deductive to that model,” Padilla said.
Enterprise compliance models offer flexibility but can take years, Padilla said. Kratos was one of the organizations that pursued enterprise-wide CMMC compliance, but the process took five years from when the original framework was introduced, he said.
There is also uncertainty around how much a business or project can evolve before a reassessment is required.
“A lot of the gray out there right now is around what could trigger a reassessment,” French said. “No one has really defined what a significant change is.”
Enterprise certifications bring additional constraints, since assessments tied to CAGE codes limit the ability to integrate newly acquired entities without triggering another assessment. The DoD has discussed moving to a single identifier, but details are still pending, Padilla said.
The alternative approach is the enclave model, which involves achieving CMMC certification for just the portion of the organization’s scope that contains controlled unclassified information (CUI). Enclaves can be deployed faster – often within six to eight months – but can introduce operational friction, especially for developers working across multiple projects or toolchains, French added.
“Creating an ecosystem of enclaves could make it difficult to innovate and expand and have your operations be dynamic,” said Padilla, agreeing with French.
Certifying just one facet of its business can also be financially risky for an organization: after investing in the enclave, there is no guarantee the organization will see demand for that business segment, noted Padilla.
But to an extent, that’s also the direction in which the industry is moving, Padilla said.
Historically, the government would pay a company a set amount to develop a product and would be involved throughout the development process. That has changed, he said.
The model is shifting to the “If we build it, they will come” approach, where the company has to develop the product first and then show the government, Padilla said.
This adds pressure for companies pursuing the enclave approach – but also provides an opportunity for the organizations to come up with creative and novel solutions, he said.
Some enclaves can be built for as little as $10,000, while others reach $500,000 depending on space, complexity and the number of systems involved, Padilla said.
Who benefits from contractors that need to play catch-up? Enclave providers, according to Padilla and French. “Many enclave providers will provide good service but may oversell,” said Padilla. “They’re probably going to charge a hefty fee.”
“You could probably go out to the internet right now and find companies saying we’ll get you CMMC ready in six weeks,” he continued.
Subletting and Shared Enclaves: New Models, New Questions
As enclave providers mature, some are beginning to offer shared environments – effectively leasing compliant infrastructure to multiple organizations, said French.
This approach creates new business opportunities but also raises practical and ethical questions:
· What happens when multiple tenants share the same enclave and one introduces a significant change or incident?
· Can primes rely on sublet enclaves as a stable foundation for their own compliance posture?
· How will DoD classify these services – traditional hosting or cloud services subject to FedRAMP (Federal Risk and Authorization Management Program) and other requirements?
“Enclaves, subletting, is that going to become an acceptable approach? DoD would say if you’re providing a service like that, it’s a cloud service,” French said.
For now, shared enclaves are a fast path to “good enough” compliance for some suppliers. But they also concentrate risk and create new dependencies that the ecosystem is still learning how to price and govern, Padilla and French said.
Who Is Advantaged – and Who Is Exposed
As the November milestone approaches, CMMC requirements are becoming a business issue as much as a cybersecurity issue, pushing companies across the defense supply chain to weigh the costs and risks of building, buying or outsourcing the capabilities needed to meet the requirements.
The organizations that face the biggest challenges come November (or sooner, if the prime contractors hold true to their own deadlines) are the ones that have not taken any steps toward compliance implementation, said French.
Organizations that delayed compliance now face compressed timelines and higher costs. Third-party assessments typically range from $40,000 to $80,000, and enclave implementations vary widely in cost but will likely be more expensive for last-minute implementers, said Padilla.
“The shorter amount of time that you have to do something that’s big, it usually ends up costing you 10 to 20 times what it would cost,” Padilla said. “Companies that kick the can down the road are at a disadvantage. Very much like CMMC itself … if you wait around for the DoD to make a change, it may take forever – or by the time you start working toward a solution, it may be too late.”
“You don’t have as much time to build it and to account for different scenarios and how much it will cost in the future,” French added.
While CMMC compliance costs do raise the barrier to entry for smaller space firms pursuing defense work, the constantly evolving threat landscape makes the investment worthwhile – regardless of the November deadline, Beames said.
The space sector continues to be targeted by highly capable adversaries looking to penetrate mission-critical systems and gain access to sensitive technical data and intellectual property. Enhancing cybersecurity throughout the industrial base is essential for protecting national security and strengthening the resilience of the supply chain, Beames said.
Whether or not the DoD rigorously enforces CMMC in November, the real imperative comes from the threat environment itself, Angel Smith, executive director at the SmallSat Alliance, GM for strategic global enablement at Microsoft and president of global public sector at data-centric security firm Virtru, told Constellations.
Organizations should approach cybersecurity with the assumption that compromise is already possible, and that mindset – not the deadline – should drive urgency around meeting requirements.
“We need to strengthen security while preserving the innovation, competition and specialized capabilities that make our commercial space industrial base so effective,” Beames said, echoing Smith. “Zero Trust/secure-by-design architectures that allow operations to continue even when a network is already compromised must be today’s gold standard.”