Grand odyssey of CMMC nearing implementation
The CMMC requirements will likely become a reality this fall. The Cyber Accreditation Body is focused on scaling up assessors to meet the future demand.
The Cybersecurity Maturity Model Certification requirements are inching closer to a reality, and the organization that oversees CMMC assessors is gearing up for contract requirements that are likely to launch later this year.
The Defense Department submitted the final CMMC acquisition rule to the White House Office of Information and Regulatory Affairs on July 22. OIRA has between 90 and 120 days to review the final rule.
The projected timing means the CMMC acquisition rule is likely to be published and go into effect sometime this fall. DoD already finalized the CMMC program rule last year.
“Once that happens, this grand odyssey of CMMC will finally have — not reached the finish line — really reached the starting line,” said Matthew Travis, chief executive of the Cyber Accreditation Body, during a July 31 presentation at the Digital Government Institute’s 930gov conference in Washington.
The CMMC program has been germinating at DoD since 2019, when officials decided that they needed to verify that defense contractors were meeting cyber standards for protecting controlled unclassified information.
The Cyber Accreditation Body has a no-cost contract with DoD to oversee the training and certification of CMMC assessors, who will ultimately evaluate defense contractor systems that handle CUI.
“It really is the most ambitious cybersecurity conformity regime ever attempted when you think about how vast the defense industrial base is, and how many security requirements are involved in attaining CMMC certification,” Travis said.
For several years, the Cyber AB has been accrediting CMMC third-party assessment organizations (C3PAOs) and CMMC Certified Assessors, or CCAs, who work for the C3PAOs.
Travis said that until recently there hasn’t been a clear economic incentive to get certified as a CCA: the training and exam both cost several thousand dollars, while the timing of the CMMC requirements remained unclear as the rules wound through rulemaking.
“It’s not something where anyone can just walk off the street and become an assessor, which is important,” Travis said. “Because there’s a lot at stake when defense contractors are going for their assessments and their certifications. We want to ensure that the people we’re assessing are actual, trained, knowledgeable professionals who are equipped to assess the NIST 800-171 standard and do it properly.”
As of Travis’ presentation, the Cyber AB had accredited 455 CCAs, including 300 “lead CCAs” who head up assessment teams.
But since a projected 80,000 companies in the defense industrial base will require CMMC “level two” assessment — which requires a third-party certification — Travis said many more assessors will be needed as the CMMC requirements scale up in the coming years.
“The limiting factor in how many companies can actually get assessed is on those individuals,” Travis said. “We probably need about 2-3,000 CCAs to fully scale. And to the department’s credit, there’s a three year phased implementation plan to get CMMC to full capacity, full maturity.”
DoD laid out the phased implementation strategy in its program rule last year. The goal is to ensure DoD programs can administer the CMMC requirements as needed, without creating a lengthy backlog of companies that need CMMC assessments before they can compete for contracts.
DoD has also been piloting a shared service approach with cloud service providers and managed service providers to ease the burden of compliance.
Copyright © 2025 Federal News Network. All rights reserved.