{"id":226915,"date":"2026-06-05T15:17:00","date_gmt":"2026-06-05T19:17:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/05\/cmmc-has-moved-from-planning-to-enforcement-and-contractors-are-feeling-it\/"},"modified":"2026-06-05T15:20:09","modified_gmt":"2026-06-05T19:20:09","slug":"cmmc-has-moved-from-planning-to-enforcement-and-contractors-are-feeling-it","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/05\/cmmc-has-moved-from-planning-to-enforcement-and-contractors-are-feeling-it\/","title":{"rendered":"CMMC has moved from planning to enforcement and contractors are feeling it"},"content":{"rendered":"

CMMC has moved from planning to enforcement and contractors are feeling it<\/a><\/p>\n

https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/06\/cmmc-has-moved-from-planning-to-enforcement-and-contractors-are-feeling-it\/<\/a><\/p>\n

Publish Date: 2026-06-05 15:17:00<\/a><\/p>\n

Source Domain: federalnewsnetwork.com<\/a><\/p>\n

Author: <\/a><\/p>\n

Using an unordered list, summarize the following article with between 4 and 8 key points. Terry Gerton You have a lot of background on a very important topic, CMMC. In fact, your company received quite a bit of attention last fall when you released a report that found only 1% of defense contractors said they felt ready for the CMMCs rules that were just then going into effect. We\u2019re about six months later. How have you seen the situation change?
\nEmile Sayegh There\u2019s certainly a rush from certain contractors and subcontractors to essentially become CMMC compliant, get certified, get assessed, and so on and so forth. But what we\u2019ve seen from before, for multiple years as CMMC was being talked about and planned, basically CMMC has moved from planning and PowerPoint and Excel sheets and word documents and project plans to actual implementation now and people are starting to take it much more seriously. So it\u2019s moved basically from writing the policy to actually implementing those policies and not only implementing them, but also making sure that you have the proper evidence that those policies are implemented because when an assessor is gonna come in and audit you or even if you\u2019re doing a self assessment and you\u2019re publishing an SPRS score, there\u2019s a threshold of evidence that you need to maintain. And that\u2019s what needs to go into your self assessment, right? It can\u2019t just be, \u201cI think\u201d or \u201cwe planned\u201d or \u201cit looks good\u201d on an Excel document or a Word document. You have to be able to provide the evidence so that you can enter your SPRS score in the government system, the DOD system. So having said that, I think we\u2019re seeing everything shift from planning to now being part of the operational workflows in companies and people are starting to take it seriously.]]><\/p>\n

Terry Gerton I guess there\u2019s really two sides to the readiness question. One is whether the contractors inside the Defense Industrial Base were themselves ready. The other side is whether the Department of Defense was ready to hold folks accountable. So from the contractors\u2019 perspective, what are they seeing from DOD on the enforcement side?
\nEmile Sayegh Sure. Look, it\u2019s less, frankly, about some dramatic government action. It usually basically starts quietly through contracting friction, through signaling from their contracting officer, the subcontractor will probably start seeing some pressure from the contractor, from the primes, right? So we\u2019ve seen a lot of publicity about that where primes are essentially pushing those requirements onto their subcontractors and asking them to be CMMC compliant, quote unquote, by a certain date. Some dates are sooner than what we\u2019ve heard from the from the government, which has some people, you know, kind of questioning that. But I do think that there is a push for that. So I think it\u2019s it starts, you know, pretty quietly at first, it starts to appear in a contract or impetus from contracting officer or from the prime down to their subcontractors, basically.
\nTerry Gerton Are the subcontractors in this space surprised at this point by the flow down of this requirement or were they expecting it?
\nEmile Sayegh This is a great question and I chuckle a little bit. I mean, CMNC has been around for a while. It\u2019s been talked about for a long time. Nobody should be surprised at this point. The surprise, I would say, is some people did not know that they were handling or they will be handling CUI data. Some subcontractors did not known that this is going to be a requirement by the contractor that they be compliant by a certain date. So I do think that there\u2019s a few subcontractors that probably assumed that because they were sole source, somehow they get an exemption. And certainly, none of those are true. There are no exemptions and come November 10, 2026. They\u2019re going to have to be compliant to still be eligible for new contract award as well as existing contracts at their end.
\nTerry Gerton Emile Sayegh is CEO of CyberSheath. Mr. Sayegh, as the market is helping contractors get compliant, one of the concerns from the beginning was the number and availability of the validators, the third party validators. What are you seeing play out there?
\nEmile Sayegh Absolutely, there\u2019s 80,000 contractors and subcontractors that need to be CMMC compliant and there\u2019s only 100 C3PAOs, third party auditors in this space. So there\u2019s definitely a mismatch between human capacity to do these assessments. And the number of contractors, subcontractors that need to become compliant. But also, I would say, it\u2019s not just the assessors, but also the partners to these contractors and subcontactors that are getting them ready, that are helping them become ready to be CMMC compliant, you know, that are coming in, doing the IT work, doing the cybersecurity work, putting the, all the. Compliance documentation in place, processes and so on and so forth, there\u2019s a shortage of those as well. So there\u2019s the shortage on the readiness side and there\u2019s a shortage on the assessment side. And further, what\u2019s been accentuating all this is what you\u2019ve asked me earlier in the interview about is, are contractors, subcontractors taking this seriously and not waiting until the last minute? What we\u2019re seeing is a lot of firms that are waiting to the last minute, they\u2019re coming to us now, six months away from the November 10th deadline, wanting to be compliant by the November 10th, 2026 deadline. And that\u2019s a tall order. There\u2019s a lot of work that needs to be done. It is still, you know, within the window, but is really stretching it. Everything has to go right for companies to be certified by then. So, you know, you\u2019re seeing this nexus of factors that are happening all at the same time that are creating an urgency as well as a shortage of human capital to be able to execute on these plans.
\nTerry Gerton So if the market is not capable of getting everybody through all of the credentialing that they need to be compliant by the implementation date in November, what happens? Do contractors not perform? Do we just move forward with known gaps? What\u2019s going to happen in November?]]><\/p>\n

Emile Sayegh I mean, they have they have a period of time to cure for sure the deficiencies and also we just have to keep in mind that not all 80,000 plus contractors don\u2019t all have to be compliant by November 10th. The contractors that have contracts that require CMMC compliance, those have to be complaint. There\u2019s subcontractors that also have to be compliant. And then as new contracts get published and have the CMMC clause in it, then the contractors that want to bid on those new contracts also have to be compliant at that time. So there\u2019s a sequencing out of the 80,000 the government estimates about 8,000 have to be compliant within the first year, so the year that we\u2019re in now. So, you know, we\u2019re about 1,200 now, so there\u2019s a Delta of about, you know, 6,800 contractors, subcontractors that are somehow still trying to get through it. And we\u2019re adding about 200, close to actually 180 certifications per month as an industry. So we\u2019re making progress and, you know, hopefully by the deadline, the most critical companies would have gotten their certifications and the ones that have not either will have plans to radiate within a certain short period of time, or they would have an alternative to those companies and those contracts.
\nTerry Gerton There\u2019s talk that these kinds of requirements may extend across the rest of the federal government beyond DoD. How does what you\u2019re seeing now in the defense sector inform you about how federal cyber mandates might play out more broadly? What would you expect to see?
\nEmile Sayegh I mean, we\u2019ve seen it in the GSA with their announcement about a CMMC-like requirement. And I do think that this is the right move. CMMC is a great ecosystem, creating a new standard is hard because you gotta create an ecosystem around it. You gotta create auditors. You gotta create a readiness industry, whether it\u2019s software, whether it\u2019s hardware, whether it services that come in and help these companies get ready. So I\u2019m very encouraged with what the GSA has done. And I expect that to transcend the entire federal ecosystem, if you will. And, you know, this is really about protecting mission critical information and frankly, strengthening supply chain resilience to improve our national security readiness. This is what this is all about. Our adversaries, our foreign adversaries definitely have been taking some of our most precious IP in this country. And I think the Defense Department, the Department of War has decided to draw a hard line and put these deadlines in place. And we\u2019re going to start seeing other other federal agencies follow suit.Copyright
\n \u00a9\u00a02026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

CMMC has moved from planning to enforcement and contractors are feeling it https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/06\/cmmc-has-moved-from-planning-to-enforcement-and-contractors-are-feeling-it\/ Publish Date:…<\/p>\n","protected":false},"author":1,"featured_media":226916,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/federalnewsnetwork.com\/wp-content\/uploads\/2025\/04\/GettyImages-2153383852-e1744148045657.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-226915","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/226915"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=226915"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/226915\/revisions"}],"predecessor-version":[{"id":226917,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/226915\/revisions\/226917"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/226916"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=226915"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=226915"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=226915"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}