Terry Gerton You bring a wealth of expertise to a critical subject—CMMC. Last autumn, your firm made headlines with a study revealing that a mere 1% of defense contractors felt prepared for the newly enacted CMMC regulations. Now, roughly half a year on, how has the landscape shifted?
Emil Sayegh There’s definitely a surge among various contractors and subcontractors scrambling to achieve CMMC compliance, secure certification, and undergo assessments. However, looking back over the years as CMMC was being discussed and developed, the program has essentially transitioned from theoretical planning—PowerPoint decks, spreadsheets, policy documents, and project timelines—to real-world execution. Organizations are now treating it with far greater seriousness. The focus has shifted from merely drafting policies to actively putting those policies into practice. Beyond implementation, companies must also ensure they possess adequate documentation proving those policies are in effect. When an assessor arrives to conduct an audit, or even during a self-assessment where you’re submitting a SPRS score, there’s a required level of evidence you must maintain. That evidence must feed into your self-assessment—it can’t simply be based on assumptions, intentions, or what looks good on paper. You need concrete proof to input your SPRS score into the Department of Defense’s system. So overall, I’m observing a transition from the planning phase to integration into daily business operations, and people are genuinely taking this seriously now.
Terry Gerton I suppose the readiness question really has two dimensions. One concerns whether Defense Industrial Base contractors themselves are prepared. The other concerns whether the Department of Defense is equipped to enforce accountability. From the contractors’ standpoint, what signals are they receiving from DoD regarding enforcement?
Emil Sayegh Honestly, it’s less about dramatic government intervention. It typically begins subtly through contractual friction—signals from their contracting officer. Subcontractors will likely start feeling pressure from prime contractors. We’ve seen considerable coverage of this dynamic, where primes are essentially cascading these requirements down to their subcontractors and demanding they achieve CMMC compliance by specific deadlines. Some of those deadlines are actually earlier than what the government has communicated, which has raised some eyebrows. But I do believe there’s genuine momentum behind this. So it starts relatively quietly—appearing in contract language or through direction from a contracting officer or flowing down from primes to their subcontractors.
Terry Gerton Are subcontractors in this space caught off guard by this requirement cascading down to them, or were they anticipating it?
Emil Sayegh This is an interesting question, and I have to smile a bit. CMMC has been in the works for quite some time and has been widely discussed. Nobody should be caught off guard at this point. Where the surprise lies, I think, is that some organizations didn’t realize they were handling—or would be handling—CUI data. Some subcontractors weren’t aware that their prime contractor would require them to be compliant by a certain date. I do believe there are some subcontractors who assumed that being a sole-source provider might grant them some kind of exemption. None of that holds true. There are no exemptions, and come November 10, 2026, they’ll need to remain compliant to stay eligible for both new contract awards and existing contract renewals.
Terry Gerton Emil Sayegh serves as CEO of CyberSheath. Mr. Sayegh, as the marketplace works to help contractors achieve compliance, one persistent concern from the outset has been the limited number and availability of validators—the third-party assessors. What trends are you observing in that area?
Emil Sayegh Absolutely. There are roughly 80,000 contractors and subcontractors that need to achieve CMMC compliance, yet only about 100 C3PAOs—third-party auditors—operate in this space. There’s clearly a significant gap between the human capacity to conduct these assessments and the volume of organizations needing to become compliant. But it’s not just the assessors; it’s also the partners helping these contractors and subcontractors prepare—the firms stepping in to handle the IT work, the cybersecurity measures, and assembling all the compliance documentation and processes. There’s a shortage on that front as well. So we’re facing a deficit on both the readiness preparation side and the assessment side. Compounding all of this is what you asked me earlier—whether contractors and subcontractors are taking this seriously instead of procrastinating. What we’re seeing is a wave of companies waiting until the last possible moment. They’re approaching us now, just six months from the November 10th deadline, wanting to be compliant by November 10, 2026. That’s an ambitious timeline. There’s substantial work involved. It’s still technically achievable, but it’s cutting it extremely close. Everything would need to go perfectly for companies to earn certification by then. So you’re witnessing a convergence of factors happening simultaneously—creating both urgency and a shortage of skilled professionals capable of executing these plans.
Terry Gerton So if the market lacks the capacity to process everyone through the credentialing pipeline needed to meet the November implementation deadline, what’s the outcome? Do contractors simply fail to perform? Do we proceed with acknowledged vulnerabilities? What’s the realistic scenario for November?
Emil Sayegh Well, there is a grace period to address deficiencies, and it’s important to remember that not all 80,000-plus contractors need to be compliant by November 10th. Only those with contracts mandating CMMC compliance must meet the requirement. Certain subcontractors also need to comply. Then, as new contracts are issued containing the CMMC clause, contractors bidding on those opportunities must be compliant at that point. So there’s a phased rollout among the 80,000. The government estimates approximately 8,000 need to be compliant within the first year—which is the current year. We’re at about 1,200 now, leaving a gap of roughly 6,800 contractors and subcontractors still working through the process. The industry is adding approximately 200—actually closer to 180—certifications per month. So progress is being made, and hopefully by the deadline, the most critical organizations will have secured their certifications. Those that haven’t will either have remediation plans in place for a brief window or the government will transition to alternative contractors and arrangements.
Terry Gerton There’s discussion about these types of requirements potentially expanding across the broader federal government beyond DoD. How does what you’re observing in the defense sector inform your perspective on how federal cybersecurity mandates might evolve more widely? What should we anticipate?
Emil Sayegh We’ve already seen movement at GSA with their announcement of a CMMC-like requirement. I believe this is the right direction. CMMC represents a robust ecosystem, and establishing a new standard is challenging because you need to build an entire ecosystem around it—auditors, a readiness industry encompassing software, hardware, and service providers that help organizations prepare. I’m very encouraged by GSA’s actions. I expect this approach to spread throughout the broader federal ecosystem. At its core, this is about safeguarding mission-critical information and, frankly, fortifying supply chain resilience to bolster our national security posture. That’s the fundamental objective. Our adversaries—foreign adversaries—have been actively targeting some of our nation’s most valuable intellectual property. I believe the Department of Defense—the Department of War—has decided to establish firm boundaries and enforce these deadlines. We’ll likely see other federal agencies following this lead.
© 2026 Federal News Network. All rights reserved.



