The Future Defense Contractor: Margarita Howard and HX5 on Acquisition Reform and CMMC


The share of defense contractors currently meeting the minimum Cybersecurity Maturity Model Certification (CMMC) standards stands at less than 5%. With more than 337,000 prime contractors and subcontractors in the DoD supply chain now required to certify their cybersecurity posture under rules that took effect November 10, 2025, that gap translates directly into contract eligibility.

“There are heightened cybersecurity requirements,” says Margarita Howard, CEO and president of HX5, an aerospace and defense contractor based in Fort Walton Beach, Florida, “and contractors will not have a choice but to implement them if they want to be a government contractor.”

Howard founded HX5 in 2004. What started as a small, women-owned business has grown into a firm with roughly 1,000 employees operating across 20 states at over 70 government facilities, spread across Department of Defense and NASA programs. That distributed footprint means cybersecurity compliance multiplies across every site, every network, every workforce node.

What CMMC Requires

The CMMC 2.0 final rule amending the Defense Federal Acquisition Regulation Supplement was posted to the Federal Register on September 9, 2025, and restructures how cybersecurity requirements are embedded in defense contracts through three tiers tied to data sensitivity. 

Level 1 requires annual self-assessments for contractors handling basic federal contract information. Level 2 covers contractors handling controlled unclassified information — depending on the sensitivity of that CUI, firms either self-assess or undergo third-party verification by a Certified Third-Party Assessment Organization. Level 3, reserved for the most sensitive programs, goes through the DoD’s Defense Industrial Base Cybersecurity Assessment Center.

The program rolls out in phases. Phase 1 covers select solicitations with self-assessments required as a pre-award condition; by the final phase, every applicable DoD contract must carry certification as a condition of award.

The Supplier Performance Risk System is how DoD currently tracks contractor cybersecurity posture. It is in effect the running scoreboard for the standards just described. The average score across the contractor base sits at negative 12. The required benchmark is 110. Contractors who fall short have one formal exit ramp: a conditional 180-day certification window through a Plan of Action and Milestones, available only at Level 2 and above. That window won’t accommodate firms that haven’t started yet.

Katie Arrington, performing the duties of Pentagon chief information officer, framed the stakes plainly: “We expect our vendors to put U.S. national security at the top of their priority list,” she told Defense Scoop.

Howard’s view extends beyond the DoD. She expects the trajectory toward stricter cybersecurity standards to reach all federal agencies over time, a prediction consistent with Pentagon statements about eventual government-wide adoption.

Acquisition Reform 

CMMC arrived alongside the most substantial procurement regulatory changes in a generation. The FY 2026 National Defense Authorization Act, signed in December 2025 at approximately $900 billion, includes provisions that directly reshape the compliance burden for smaller contractors.

The most significant shift: the Truth in Negotiations Act threshold was raised from $2 million to $10 million, effective for contracts awarded after June 30, 2026. Contractors below that threshold no longer need to submit certified cost or pricing data. 

The per-contract Cost Accounting Standards trigger moved as well, jumping from $2.5 million to $35 million. CAS requires contractors to follow specific government-prescribed methods for tracking and allocating costs across their operations, a compliance burden that historically demanded specialized accounting infrastructure most small firms struggle to maintain. With the per-contract floor now at $35 million, the threshold simply won’t be crossed on the vast majority of small-contractor work, effectively removing the requirement before it starts.

The Federal Acquisition Regulation is being overhauled for the first time in four decades. The first 31 DFARS class deviations took effect February 1, 2026, with additional revisions rolling out through the year. The stated goal is to eliminate regulatory duplication, accelerate procurement timelines, and reduce compliance overhead.

Howard has operated inside that overhead since HX5’s founding, and her approach has been consistent: build the infrastructure before the audits arrive. “From working in the industry, we knew the importance of impeccable record keeping,” she says. “We’ve always ensured our finances, and all our records of everything we say we do must always be supported with the appropriate documentation and recorded accurately.”

That orientation drove HX5’s early investment in government-specialized accounting systems. The government, Howard notes, retains the right to inspect and audit every area of what her company does at any time. The pattern is consistent — identify what compliance will eventually demand, build for it ahead of schedule — and the same logic is driving her cybersecurity positioning now.

HX5’s Bet on Automated Compliance

Howard’s long view of defense contracting turns on automation. She predicts government agencies will deploy AI to evaluate contractor performance and project future procurement needs from historical data. Compliance itself will change form.

“Compliance protocols will be automated,” she says. “Contractors will be required to integrate systems that provide continuous reporting and real-time audit capabilities.”

HX5 is already developing AI tools for deployment across its facilities. In an environment where continuous, real-time security posture may become a contract condition rather than an annual certification event, contractors who build that infrastructure now are positioned for the next round of awards before competitors have started the process.

Firms watching the first wave scramble to catch up will have drawn the same lesson Howard extracted from two decades of government work: the cost of moving late on technologies like cybersecurity and automation outweighs the cost of moving early.

“If you don’t embrace it,” she says, “you’re just going to be gone.”
