{"id":209241,"date":"2026-05-05T17:10:00","date_gmt":"2026-05-05T21:10:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/05\/cmmc-low-compliance-rate-few-c3paos-hamper-pentagon-program\/"},"modified":"2026-05-05T17:30:08","modified_gmt":"2026-05-05T21:30:08","slug":"cmmc-low-compliance-rate-few-c3paos-hamper-pentagon-program","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/05\/cmmc-low-compliance-rate-few-c3paos-hamper-pentagon-program\/","title":{"rendered":"CMMC\u2014Low Compliance Rate, Few C3PAOs Hamper Pentagon Program"},"content":{"rendered":"<p><a href=\"https:\/\/www.executivegov.com\/articles\/cmmc-dow-cybersecurity-c3pao-cio\">CMMC\u2014Low Compliance Rate, Few C3PAOs Hamper Pentagon Program<\/a><\/p>\n<p><a href=\"https:\/\/www.executivegov.com\/articles\/cmmc-dow-cybersecurity-c3pao-cio\">https:\/\/www.executivegov.com\/articles\/cmmc-dow-cybersecurity-c3pao-cio<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-05 17:10:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.executivegov.com\">www.executivegov.com<\/a><\/p>\n<p>
The Pentagon needs additional Cybersecurity Maturity Model Certification third-party assessors to reduce long waits for mandatory audits and increase compliance rates.<\/p>\n<p>Firms that don\u2019t follow the CMMC compliance schedule risk losing Pentagon business.<\/p>\n<p>The Pentagon needs more Cybersecurity Maturity Model Certification certified third-party assessors, or C3PAOs, to reduce long waits and costs for mandatory CMMC audits and increase the low rate of businesses achieving CMMC compliance ahead of a key deadline, according to experts who spoke with ExecutiveGov.<\/p>\n<p>This lack of CMMC compliance among small and mid-sized contractors could reduce the Department of War\u2019s ability to grow business among smaller and innovative firms, a key initiative of President Trump during his second term. There are 103 C3PAOs authorized to perform CMMC assessments, according to the CyberAB, the sole authorized non-governmental partner of the Pentagon in implementing and overseeing CMMC conformance.<\/p>\n<p>Payam Pourkhomami,\u00a0OSIbeyond president and CEO and one of\u00a0Executive Mosaic\u2019s GovCon Experts, told ExecutiveGov that roughly 1 percent of 100,000 defense industrial base customers that are supposed to be CMMC Level 2 certified have achieved Level 2 certification. OSIbeyond is not a CMMC C3PAO.<\/p>\n<p>What Are Key CMMC Deadlines?<\/p>\n<p>A key deadline in CMMC implementation, known as Phase 3, begins on Nov. 10, 2027. 
This is when contractors who want to do business with the Pentagon must have an independent assessment performed by a C3PAO every three years.<\/p>\n<p>Another important deadline, known as Phase 2, takes place on Nov. 10. This is when the Pentagon can start requiring Level 2 certification, which can be achieved via self-assessment or by a C3PAO. The Pentagon can choose to delay both Level 2 and Level 3 certification requirements in a contract to an option period. Phase 1, which began on Nov. 10 of last year, can require Level 1 or 2 self-assessment in individual contracts.<\/p>\n<p>Trey Hodgkins, CEO of Hodgkins Consulting LLC and an adviser to Fortune 500 companies about the federal technology marketplace, told ExecutiveGov that the Pentagon needs thousands of C3PAOs to reduce high fees associated with C3PAO assessments.<\/p>\n<p>How Much Do CMMC Third-Party Assessments Cost?<\/p>\n<p>Many small businesses, he said, pay $50,000 to $100,000 individually for both a C3PAO assessment and consulting to help them prepare for the assessment. 
These fees may not be steep for larger businesses, but Hodgkins said they are for sixth- or seventh-tier subcontractors in the automotive supply business who might make a couple of parts that go into a tank and whose annual revenue may be around $150,000.<\/p>\n<p>Though the Pentagon may give a short-term extension on CMMC compliance requirements, Hodgkins said that might not be enough for these firms further down in the supply chain.<\/p>\n<p>\u201cNow the government is telling them they need to put in something that will cost $50,000 to $100,0000 a year,\u201d \u2014 Trey Hodgkins, CEO of Hodgkins Consulting LLC<\/p>\n<p>Bill Greenwalt, senior fellow at the American Enterprise Institute think tank, also believes that CMMC needs thousands of C3PAOs to reduce fees and wait times and encourage more small businesses to pursue CMMC compliance.<\/p>\n<p>Greenwalt told ExecutiveGov that he is a supporter of better cyber hygiene between the Pentagon and its contractors, but he\u2019s not a fan of CMMC and its \u201ccheck the box\u201d approach. He believes it\u2019s forcing contractors to comply with a standard that is already outdated.<\/p>\n<p>Greenwalt also doesn\u2019t like the adversarial nature of the program with its audits and banishments for not achieving compliance. He dislikes the unfunded mandate nature of the fees, which he said will deter small businesses from entering the federal workforce.<\/p>\n<p>\u201cIf there were thousands of [C3PAOs] and things were going fast and it was cheap, most companies wouldn\u2019t be complaining,\u201d Greenwalt said. \u201cThey would say \u2018here\u2019s a paper exercise thing I have to go through, but it doesn\u2019t cost [an excessive amount of money] that\u2019s going to affect my bottom line.\u2019\u201d<\/p>\n<p>What Could the DOW Do Differently With CMMC?<\/p>\n<p>Instead, Greenwalt believes the Pentagon should take a more collaborative approach with contractors for better cyber hygiene to help keep small contractors doing business with the department. 
He proposes the department offer system penetration testing to assess firms\u2019 cyber vulnerabilities and provide them step-by-step processes to improve their cyber defenses.<\/p>\n<p>Greenwalt said that long waits and high fees for C3PAOs could be a silver lining for CMMC in that it could demonstrate that the program is unimplementable and inspire the Pentagon or Congress to make changes or scrap the program. Pentagon spokesman Joseph Loewy declined to comment for this article.<\/p>\n<p>How Can the DOW Reduce CMMC Compliance Costs?<\/p>\n<p>There are a variety of ways the DOW could reduce CMMC compliance costs for small businesses. Pourkhomami suggested the department financially subsidize the program, though he declined to provide details. The government, he said, is going to \u201cfront the bill\u201d in the end through contractors including fees in their bids, so figuring out how to get contractors moving will be key and a challenge in the short term.<\/p>\n<p>Hodgkins said the Pentagon should approve a cloud computing provider that would allow businesses to run programs like email, data storage and computer assisted design through it.<\/p>\n<p>One C3PAO\u2019s Perspective<\/p>\n<p>Redspin of Nashville, Tenn., is a C3PAO and has been involved in the CMMC ecosystem since its early development in 2020. 
It was also among the first organizations authorized as a C3PAO to conduct assessments under the initial version of CMMC.<\/p>\n<p>Both Pourkhomami and\u00a0Thomas Graham, Redspin senior principal consultant and CISO, disagree with the perception that there are long wait times for C3PAO assessments. Graham told ExecutiveGov that the company\u2019s next available assessment window is around November, though schedules shift and earlier availability can, and often does, open up as Redspin\u2019s assessor team grows.<\/p>\n<p>Graham said booking an assessment 6 to 10 months in advance isn\u2019t unusual for a program of this scale, and this timeline often works in an organization\u2019s favor. This is because the period leading up to an assessment is critical for finalizing documentation, validating controls, practicing interviews with your team and ensuring overall readiness. Graham said organizations that use that time effectively tend to have much smoother assessment experiences.<\/p>\n<p>Pourkhomami said companies don\u2019t become assessment-ready in timeframes less than three months. Pourkhomami would be more concerned if assessment waits were 18 months long. Additionally, Pourkhomami said, the number of C3PAOs is growing, which should help alleviate this bottleneck.<\/p>\n<p>\u201cIt\u2019s not impossible to get an assessment right now,\u201d \u2014 Payam Pourkhomami,\u00a0OSIbeyond president and CEO and one of\u00a0Executive Mosaic\u2019s GovCon Experts.<\/p>\n<p>Redspin has completed over 1,000 assessments, Graham said, and continues to support a large and growing pipeline of organizations preparing for certification. He said the company\u2019s completed assessment count grows almost daily and is a good indicator that the DIB has woken up to the requirement.<\/p>\n<p>Graham said Redspin doesn\u2019t offer flat-rate pricing because CMMC Level 2 assessments are highly dependent on the size, scope and complexity of an organization\u2019s controlled unclassified information environment. 
Factors like subsidiaries, number of physical locations and additional in-scope networks can all impact the overall assessment cost.<\/p>\n<p>Assessments are also dependent on the operational nature of the environment, as a research and development organization may be vastly different from a manufacturing organization.<\/p>\n<p>\u201cThese assessments are not checklist assessments,\u201d Graham said. \u201cThey require validated evidence across all 110 requirements and the 320 associated objectives.\u201d<\/p>\n<p>A GovCon attorney called CMMC the latest shakeup to an industry that has experienced vast changes since President Trump started his second term in January of last year.\u00a0Cherylyn Harley LeBon, partner at\u00a0Cohen Seglias, told ExecutiveGov that reduced federal budgets outside of the Pentagon and the intelligence community have business owners reexamining federal business opportunities.<\/p>\n<p>CMMC, she said, is making these business decisions even more difficult.<\/p>\n<p>\u201cEither you\u2019re going to play the [Pentagon] game and intelligence with CMMC compliance, and go along with it, or you\u2019re going to pivot to something else,\u201d LeBon said. \u201c[But] budgets have decreased in these other agencies and there are fewer opportunities. So where does that leave you? With commercial opportunities and state and local [governments].\u201d 
<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CMMC\u2014Low Compliance Rate, Few C3PAOs Hamper Pentagon Program https:\/\/www.executivegov.com\/articles\/cmmc-dow-cybersecurity-c3pao-cio Publish Date: 2026-05-05 17:10:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":209243,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/media.executivegov.com\/2026\/05\/cmmc-c3pao-long-waits-high-fees.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,20,24],"class_list":["post-209241","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-artificial-intelligence","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209241"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=209241"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209241\/revisions"}],"predecessor-version":[{"id":209245,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209241\/revisions\/209245"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/209243"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=209241"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news
-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=209241"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=209241"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}