The CMMC ‘Grace Period’ Myth Could Cost You Your Contract
- Ken Larson

“WASHINGTON TECHNOLOGY” By Jacob Horne
“Congress told the DOD to put teeth behind cyber. CMMC is the teeth. Believing DOD will now punt third-party validation another year across the board requires ignoring what’s actually written and how program managers behave when careers are on the line.”
______________________________________________________________________________
“There is a bedtime story making the rounds in the defense industrial base, which goes like this: Once the 48 CFR Cybersecurity Maturity Model Certification acquisition rule hits, everyone gets a 12-month grace period to self-assess at Level 2. No third-party certifications until “Phase 2.” Take a breath, save your cash, revisit it next year.
That story is comforting, but it’s not supported by policy.
I’d lose sleep if I told a small manufacturer or a niche R&D shop to sit tight, only to watch them lose a recompete because a contracting activity exercised discretion and required a Level 2 certification in month two. If you want to gamble, that’s business. But don’t gamble if you don’t know all the rules to the game.
Here’s the plain-English read of what’s actually written.
What 32 CFR 170.3(e) Actually Says
The CMMC program rule (32 CFR), effective Dec. 16, 2024, sets a phased rollout over four years. Phase 1 begins when the 48 CFR final rule becomes effective on Nov. 10, 2025. In Phase 1, the Defense Department intends to include Level 1 self-assessment or Level 2 self-assessment “for applicable solicitations and contracts.” So far, so good.
But the same paragraph also says DOD may, at its discretion, require Level 2 C3PAO certification in place of Level 2 self-assessment for applicable solicitations and contracts.
Those two words – discretion and applicable – are doing the real work. There is no sentence that says “no Level 2 certifications in Phase 1.” None. In fact, the preamble commentary makes the opposite point: a majority of Phase 1 will be self-assessments, not all. If “none” was the intent, they wouldn’t have to monitor PMs’ use of discretion. You don’t “monitor” a prohibition.
Who Decides and Based on What?
People ask, “Okay, whose discretion?” The preamble tells you: program managers and requiring activities. The January 2025 DOD memo then gives them a level determination guide. This guide ties applicability to the attributes of the information handled under the contract.
Here’s the critical part: when a contract requires processing, storing, or transmitting certain defense-indexed CUI categories (think controlled technical information, naval nuclear propulsion information, unclassified controlled nuclear information related to defense, etc.), the memo states Level 2 certification is the minimum assessment requirement. This is the decision logic PMs are told to use.
Does the January memo say “but only after Phase 1”? No. It tells PMs to follow the Phase 1/2/3 timeline in 32 CFR and to apply that determination logic. In other words: in Phase 1, PMs have discretion, and they’ve been handed a rubric that points to certification for certain CUI.
The July 2025 memo doesn’t reverse this. It reiterates Phase 1 should include self-assessment where applicable, warns against jumping ahead in a way that harms competition, and – again – acknowledges some procurements may implement higher requirements in advance of the planned phase. Translation: discretion stands.
The Prime-Sub Reality Check
Even if you’re betting that your particular customer won’t exercise discretion, don’t forget primes. Nothing in the memos prevents a prime from flowing down a certification requirement to subs once certifications are permitted (which they are in Phase 1). Many primes handle sensitive CUI across sprawling supply chains. If you’re Lockheed, Raytheon, or Northrop and you’ve got tens of thousands of suppliers, are you going to wait 12 months to start turning the ocean liner? Instead, you might use every lever available now to de-risk your programs.
If you’re a sub, treat prime policy as a first-order dependency. Plenty of subs will learn about “discretion” not from a contracting activity but from a new supplier quality requirement that lands in their inbox.
Time Isn’t on Your Side
Let’s run with the optimist’s hypothesis: you truly can self-assess for the entire first year. Are you actually safe to wait?
Implementation isn’t a weekend chore. Standing up the environment, closing gaps, writing and living the policies, training people; we’ll say that’s 6-9 months after you secure implementation resources. Now bolt on C3PAO availability and assessment scheduling when the market wakes up at once. Even in the best-case scenario, you’re rolling hot into the end of Phase 1 with a crowded assessment pipeline and option-year cliffs approaching. That’s not a plan; that’s a prayer.
The Risk Questions You Actually Need to Answer
Policy gives PMs discretion and defines applicability by data sensitivity. That means your risk is situational:
- Will your program handle defense-indexed CUI categories called out in the memo?
- Is your customer or component historically conservative on cyber?
- Are you in a mission area (space, aviation, naval, nuclear, missile defense) where a breach would be career-ending for a PM?
If the answers point to yes, then betting on a blanket self-assessment year is betting against the actual decision logic you’ve been shown.
What I’m Telling Companies (So I Can Sleep)
Stop repeating the myth. There is no moratorium on Level 2 certifications in Phase 1. There is discretion, and there is a rubric that makes certification “minimum” for certain CUI.
Build to certify, not to self-score. If you aim for certification, you’ll clear self-assessment by default. The reverse is not true.
Engage your customer and your prime – now. Ask, in writing, how they intend to apply discretion for your program and whether they will require certification at award or option exercise. Avoid surprises.
Model the timeline with real constraints. Include implementer backlogs, internal adoption, and C3PAO scheduling. If the math only works when everything goes right, it doesn’t work.
Treat option years like new awards. Many firms will get hit sooner by an option mod than by a fresh solicitation. Don’t ignore the calendar because it isn’t a “new bid.”
Document your posture. If you do bet on self-assessment, memorialize the logic, the customer guidance you received, and your plan to pivot. That won’t save an award, but it will save decision-making sanity.
The Bottom Line
DOD tried “trust us” with DFARS 252.204-7012. Industry didn’t do it. Congress told the DOD to put teeth behind cyber. CMMC is the teeth. Believing DOD will now punt third-party validation another year across the board requires ignoring what’s actually written and how program managers behave when careers are on the line.
If you want to roll the dice, roll them with your eyes open: Phase 1 can include Level 2 certifications. Some PMs will use that discretion, especially where sensitive CUI is in play. Many primes will move even faster. If you prepare to certify, you keep optionality. If you don’t, the “grace period” bestowed by a LinkedIn thread can’t help you.
I’d rather you call me in six months and say, “We were ready early,” than call me in week three and say, “We just lost the contract because we built our plan on a myth.” You’re here, and that means you’ve taken the first step in getting informed. Keep your momentum, prepare to be certified, and proceed with confidence.”
ABOUT THE AUTHOR:

Jacob Horne is the Chief Security Evangelist at Summit 7 where he specializes in DFARS, NIST, and CMMC compliance for contractors in the Defense Industrial Base. As a former NSA intelligence analyst and U.S. Navy cryptologic technician, Jacob has over 18 years of experience in offensive and defensive cybersecurity operations. As a civilian he has led Governance, Risk, and Compliance teams at AT&T, Northrop Grumman, and the NIST Manufacturing Extension Partnership. His analysis has been featured in numerous industry publications including Lawfare, GovCIO, SC Media, Federal News Network, and Modern Machine Shop Magazine.