CMMC compliance and Costpoint GCCM

The Wait is Over: CMMC Program Officially Starts in November & Costpoint GCCM Has You Covered

Updated 10/1/2025

The long-anticipated Cybersecurity Maturity Model Certification (CMMC) program will be officially codified on November 10, 2025, and will appear in nearly all new Department of Defense (DoD) contracts going forward. Now that the rulemaking process is complete, CMMC requirements will be included in DoD contracts through a 3-year phased rollout, marking a significant change in what defense contractors must demonstrate to win new DoD contracts.

The original timeframe for the CMMC requirement to be inserted into contracts can be found in DFARS clause 252.204.7503, which set a date of “On or after October 1, 2025” to begin the mandatory inclusion of DFARS 252.204-7021 (CMMC) in DoD contracts, but without a finalized acquisition rule there has been confusion. To clarify the timing of the requirement, DoD published Class Deviation 2025-O0006 on August 25, 2025, which directs contracting officers not to include the CMMC contract clause (DFARS 252.204-7021) “until the effective date of the final rule for DFARS Case 2019-D041.” That effective date has been finalized with the publication of the 48 CFR CMMC Acquisition Rule.

Once the CMMC requirement clause is in contracts beginning in November 2025, DoD contractors may be deemed ineligible to win new contracts if they do not have the required CMMC certification, so the stakes are very high to ensure there are no disruptions or threats to future business. DoD contractors are expected to evaluate their internal systems, and those of any cloud service providers (CSPs), to confirm they meet stringent security standards when working with Controlled Unclassified Information (CUI).

What the CMMC Acquisition Rule Means for DoD Contractors

Defense contractors need to be prepared to meet CMMC requirements now. The 48 CFR CMMC acquisition rule was the final part of the DoD’s CMMC rulemaking process and will enforce the already-final 32 CFR CMMC program rule, which codified the CMMC framework and enabled third-party assessments beginning in 2025. This acquisition rule requires that most DoD solicitations and contracts include the DFARS 252.204-7021 clause, specifying the required CMMC certification level for all stakeholders involved – primes, subs, managed service providers (MSPs) and cloud service providers (CSPs). Once the rollout starts, nearly all new DoD contracts will require a minimum of a CMMC Level 1 self-assessment certification, but there is no restriction on requiring a higher level of certification – so don’t wait to begin your CMMC journey!

On June 30, 2025, Lockheed Martin published guidance that compliance is not a future requirement for suppliers handling Federal Contract Information (FCI) or CUI. The memo states, “By now, all DIB companies managing CUI should have fully implemented – and be confidently meeting – NIST SP 800-171 (r2) requirements” and to “Ensure you are keeping Lockheed Martin current on your NIST assessment and level of CMMC readiness…”

For many DoD contractors, CMMC Level 2 will be the target, as this is expected to be the most common and sought-after certification. CMMC Level 2 certification requires an outside third-party assessor certified by the Cyber-AB, known as a Certified Third-Party Assessment Organization (C3PAO), to assess compliance for all 110 controls and 320+ assessment objectives of the NIST SP 800-171 framework.

Determining whether your CSP has the right compliance credentials is a key component to achieving CMMC Level 2 certification. CMMC Level 2 certification requires any CSP that is storing, processing, or transmitting CUI on behalf of a contractor to demonstrate either FedRAMP Moderate Authorization or FedRAMP Moderate Equivalency (by producing a Body of Evidence), per DoD policy. Additionally, the CSP must be listed on the FedRAMP Marketplace.

Deltek Costpoint GCCM: Ready to Support CMMC Compliance

Deltek’s Costpoint GovCon Cloud Moderate (GCCM) solution is purpose-built to support government contractors in achieving their CMMC Level 2 certification, meeting export-controlled ITAR data handling requirements, as well as DFARS 252.204-7012 requirements. Specifically, Costpoint GCCM has:

  • Achieved FedRAMP Moderate Ready status, listed on the FedRAMP Marketplace since January 2024.
  • Achieved FedRAMP Moderate Equivalency, by completing a thorough assessment against the NIST SP 800-53 controls that comprise the FedRAMP Moderate Baseline and produced a Body of Evidence with guidance and evaluation from Schellman Compliance, a recognized Third-Party Assessment Organization (3PAO).
  • Completed all assessments under the latest FedRAMP Rev. 5 standard, reinforcing its commitment to evolving security benchmarks.

This means that DoD contractors can confidently demonstrate that they meet the requirements for CMMC Level 2 and Level 3 certification with Costpoint GCCM.

The Deltek Advantage: Documentation and Support

For Costpoint GCCM customers, Deltek delivers a comprehensive Body of Evidence to support CMMC assessments, including:

  • Security Assessment Report (SAR)
  • System Security Plan (SSP)
  • Plan of Action & Milestones (POAM)
  • Security Assessment Plan (SAP)

Additionally, Deltek can provide Costpoint GCCM customers with a Customer Responsibility Matrix (CRM) to demonstrate the inherited, shared, and customer responsibilities mapped directly to NIST SP 800-171 controls and assessment objectives. This will clearly show exactly which controls are covered by Costpoint GCCM and which are the responsibility of the DoD contractor.

Why This Matters

Contractors must act swiftly to ensure that their IT systems that store, process or transmit CUI, and those of their CSPs, are compliant. A recent article in Forbes Magazine likens the urgency of CMMC to Y2K and warns that “CMMC is a race against adversaries who are already inside the wire.”

Deltek’s proactive approach to achieving FedRAMP Moderate Equivalency for Costpoint GCCM and its deep expertise in government contracting make for a winning combination and a strategic advantage for any organization preparing for CMMC certification.

By choosing Deltek’s Costpoint GCCM, contractors gain more than just a secure, integrated SaaS ERP; they gain a trusted partner in navigating the complexities of government contracting compliance.

Contributors

Author

Michael Greenman

Sr. Product Marketing Manager

Michael Greenman is a subject matter expert in Software as a Service (SaaS) and cybersecurity. He has worked for Deltek since 2021 to bring awareness and understanding of Deltek’s SaaS solutions and how they benefit project-based businesses across multiple markets. Michael is a frequent speaker on cybersecurity compliance initiatives, like CMMC, for government contractors and he is a CMMC Registered Practitioner. Michael holds master’s degrees in public administration and cybersecurity.
