From Shutdown to Rollout: Defense Contractors Caught in the Middle

This Month’s Debrief

We’re now 21 days away from the CMMC rollout and 20 days into the government shutdown—leaving defense contracts with a lot of questions. This edition of VISION will focus on the shutdown, the CMMC rollout, and how they intersect.  

Dig deeper and continue reading below!  

The latest government shutdown is now on its 20th day. With available funds quickly diminishing and no clear path to a resolution, defense contractors need to know these three implications from a prolonged shutdown: 

• New contracts are not awarded during a government shutdown due to a lack of new, approved funding 

• DCSA activities that are not “excepted” will be paused or severely slowed down due to staff shortages or furloughs 

• CMMC ecosystem could be impacted due to paused or slowed-down Tier 3 investigations, needed for key roles such as CCAs, CCPs, and other staff positions at third-party assessment organizations 

Dig deeper: How the Government Shutdown 2025: Implications for CMMC and Cleared Industry 

The government’s three-year phased rollout of CMMC 2.0 requirements into defense contracts begins on November 10, 2025. It’s important to note that the government shutdown itself does not impact the rule’s effective date. However, without having approved funding for new contracts, the actual implementation of requirements in new contracts may be affected until the shutdown is resolved. 

Here’s what you need to know about Phase 1 of the rollout: 

• Phase 1: November 10, 2025 – November 9, 2026 

• Intended to focus on Level 1 and Level 2 self-assessments 

• Requirements can be applied to new contracts and existing contracts with option years occurring Phase 1 

• DoD is allowed to include Level 2 (C3PAO) requirements to select contracts if deemed necessary 

The Latest CMMC Data 

The Cyber AB held its monthly town hall on September 30, 2025, highlighting the largest number of Level 2 certifications completed in a single month. See the key data points below: 

• 382 total Level 2 certifications, 95 new certifications in September 

• 527 total CCAs, 6.25% increase from August 

• 1,048 total CCA applications, 5.22% increase from August 

ISI Insight: CCA certification rates have outpaced application rates for four consecutive months, slowing the assessor pipeline and assessment capacity. With there already being an 8-12 month backlog for many C3PAOs, it is pertinent to schedule your assessment as soon as your scope is defined to avoid the height of the bottleneck. 

Explore: Check out our CMMC Bottleneck Coming page for more insights. 

Several DCSA activities will be paused or severely degraded throughout the duration of the government shutdown. Here are four things you can do to keep your industrial security program ahead of the curve when funding is restored: 

• Continue submitting clearance actions, fingerprints, and documentation through standard channels 

• Maintain all internal security and reporting requirements 

• Continue preparing for previously scheduled Security Reviews 

• If CMMC applies to your business, identify scope and book your assessment if you have not done so already 

Read: The DCSA’s “Notice to Industry” regarding the government shutdown. 

Carahsoft’s CMMC Better Together Webinar Series 

October 22, 2025 | 2:00 PM ET | Webinar 

In this session, our Vice President of Compliance, John Nolan, explores how to move beyond certification and achieve continuous 48 CFR compliance. 

CMMC Ecosystem Explained: Achieving a Holistic CMMC Compliance Solution 

October 30, 2025 | 2:00 PM ET | Webinar 

Join us for a partnered webinar with SMPL-C featuring a panel discussion that breaks down the evolving CMMC landscape and shares practical strategies for defense contractors to build cost-effective, long-term compliance programs as Title 48 takes effect. 

Did you find this helpful? Share it with someone directly or to your entire network by clicking the Share button!

Resources:

Steal Our CMMC Level 2 Strategy | Industrial Security Check | Gauge Your CMMC Readiness

ISIdefense.com | Blogs | Security Advisories