Big changes are coming to the defense contracting world.
Starting November 10, 2025, the Department of Defense (DoD) will officially begin including CMMC (Cybersecurity Maturity Model Certification) requirements in contracts, RFPs, and RFIs through the DFARS 7021 clause. This marks a major shift in how cybersecurity compliance is enforced across the defense industrial base.
Here’s what you need to know:
CMMC Is Now Enforceable
The inclusion of DFARS 7021 means that CMMC requirements are no longer theoretical—they’re contractually binding. If your organization handles Controlled Unclassified Information (CUI), you must meet the required CMMC level to be eligible for contract awards.
Not All Contracts Will Include CMMC Immediately
While it’s unclear which contracts will be first, eventually all DoD contracts will require CMMC compliance. That means now is the time to assess your readiness and begin remediation if needed.
Non-Compliance = Disqualification
If your organization fails to meet the mandated assessment requirements, you will be disqualified from contract consideration. This applies to both prime contractors and subcontractors.
CUI Must Be Secured Throughout the Supply Chain
Whether CUI flows upstream, downstream, or both, it must be protected at every stage. That means your vendors, partners, and subcontractors must also be compliant.
How LaScala Can Help
LaScala specializes in helping defense contractors navigate the complexities of CMMC, NIST 800-171, and DFARS compliance. From gap assessments to remediation and ongoing monitoring, we’re your partner in building a secure and compliant future. Let’s talk before November 10. Visit www.lascala.com or contact us to schedule a consultation.



