
What Defense Contractors Should Expect From Their Software Partners

February 8, 2026 | 5 min read | Shane Fredericks

I spent over two decades in the Marine Corps working alongside defense systems, supply chains, and the people who keep them running. One thing I learned early: in the defense world, the weakest link in your chain is the one your adversary will exploit. That principle now applies directly to your software partners.

As of November 10, 2025, the Cybersecurity Maturity Model Certification program is no longer a future requirement. It is live. DoD contracting officers are authorized to include CMMC clauses in solicitations, and contractors who cannot demonstrate compliance risk losing their eligibility to bid [1]. If your software partner does not understand what that means for how they build, host, and maintain your systems, you have a problem.

The Regulatory Reality

CMMC 2.0 is a three-tiered cybersecurity framework that requires defense contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to implement specific security controls and prove compliance through assessments [2]. The rollout is phased across three years. Phase 1, which began in November 2025, requires Level 1 and Level 2 self-assessments. Phase 2, beginning November 2026, will require third-party assessments from certified C3PAO organizations for Level 2. Phase 3, starting November 2027, introduces Level 3 requirements assessed by the Defense Industrial Base Cybersecurity Assessment Center [1].

The DoD estimates that 62% of defense contractors will be subject to Level 1 requirements [3]. Level 2, which applies to contractors handling CUI, aligns with the 110 security controls in NIST SP 800-171 Rev. 2 [4]. By 2028, CMMC will be mandatory for every applicable DoD contract involving FCI or CUI, except those exclusively for commercial off-the-shelf items [5].

This is not theoretical. DoD solicitations already appearing on sam.gov contain explicit CMMC language requiring verified compliance as a precondition of award [6].

What This Means for Software

If your organization handles CUI, every system that touches that data, including custom-built software platforms, client portals, project management tools, and internal dashboards, falls within the CMMC assessment scope. That means your software partner's architecture decisions directly affect your compliance posture.

Specifically, defense contractors should expect their software partners to demonstrate competence in several critical areas.

Secure hosting and data residency. The DoD requires that any cloud service offering used to store, process, or transmit CUI be authorized at FedRAMP Moderate or higher [7]. Standard commercial cloud environments, including the standard tiers of Microsoft 365, do not meet this threshold [7]. Your software partner needs to understand the difference between commercial cloud, GCC, and GCC High environments and architect accordingly.

NIST SP 800-171 alignment. Any custom software handling CUI must be built with the 110 NIST controls as design requirements, not afterthoughts. This includes access controls, audit logging, incident response procedures, encryption standards, and system integrity monitoring [4]. Software that was not designed with these controls baked in from the start will require expensive retrofitting or full replacement.

ITAR and export control awareness. For contractors working with ITAR-controlled technical data, cybersecurity and export control obligations are intertwined. The DOJ's December 2025 settlement with Swiss Automation Inc. demonstrated that even small suppliers processing technical drawings face overlapping compliance requirements under both DFARS cybersecurity provisions and the ITAR [8]. Your software partner must understand that the same data triggering NIST SP 800-171 controls may also restrict access to U.S. persons only.

Supply chain flowdown. CMMC requirements flow down to subcontractors at every tier that processes, stores, or transmits FCI or CUI [9]. If your software partner uses third-party services, open-source dependencies, or offshore development resources, those elements become part of your compliance surface. You need full visibility into their supply chain.

Red Flags to Watch For

The defense industrial base includes an estimated 70,000 to 75,000 companies handling CUI, yet only 1,500 were participating in the DoD's voluntary cybersecurity information-sharing programs as of early 2024 [10]. Confusion remains high across the sector, and that confusion extends to many software vendors who claim defense experience without the compliance infrastructure to back it up.

Watch for partners who cannot articulate the difference between CMMC Levels 1, 2, and 3. Watch for partners who host on standard commercial cloud without FedRAMP authorization. Watch for partners who have never produced a System Security Plan or conducted a gap assessment against NIST SP 800-171. And watch for partners who treat cybersecurity as a feature to be added later rather than an architectural foundation.

The DOJ's Civil Cyber-Fraud Initiative increasingly uses the False Claims Act to investigate contractors who misrepresent their cybersecurity compliance [3]. Third-party CMMC assessments may provide a layer of defense against FCA allegations, but only if the underlying systems were built to meet the standard. A software partner who cuts corners on security architecture does not just create a technical risk. They create legal exposure.

What to Demand

Your software partner should be able to produce documentation of their security practices, demonstrate alignment with NIST frameworks, explain their hosting architecture in the context of FedRAMP requirements, and provide clear answers about how CUI is handled within any custom platform they build. They should understand DFARS 252.204-7012 and be prepared to support your organization's CMMC certification process, not just build features.

At Kortex Digital Labs, we build custom platforms for defense contractors and subcontractors with security as the architectural foundation, not an afterthought. Every system we deliver is designed to support your compliance posture from day one.

Start your project plan at kortexdigitallabs.com/project-planner
References

[1] DefenseScoop, "Pentagon Begins Enforcing CMMC Compliance, but Readiness Gaps Remain," November 10, 2025.

[2] IBSS Corp, "CMMC 2.0 Explained: What DoD Contractors Need to Know in 2025," November 2025.

[3] Latham & Watkins LLP, "Pentagon Issues Cybersecurity Maturity Model Certification Requirements for Defense Contractors," September 2025.

[4] Alston & Bird, "CMMC: New Era of Cybersecurity Compliance for Defense Contractors," November 2025.

[5] Holland & Knight, "CMMC Goes Live: New Cybersecurity Requirements for Defense Contractors," September 2025.

[6] PreVeil, "CMMC News: List of Contracts & Solicitations," Updated January 2026.

[7] BDO, "Closing the Gaps: DFARS 7012-7021 Updates, CMMC Integration, and What Contractors Need to Know," October 2025.

[8] Crowell & Moring / Government Contracts Legal Forum, "An ITAR-ly Critical Reminder of Cybersecurity Requirements: DOJ Settles with Swiss Automation, Inc.," December 2025.

[9] Dickinson Wright, "Preparing for CMMC: Navigating DoD's New Cybersecurity Rules," March 2025.

[10] RClick / DoD CISO, "DoD's Defense Industrial Base Cybersecurity Strategy Highlights the Existing State of Confusion," April 2025.