In this episode of Thoughts from the Deck, John Hill, CEO of TechSage Solutions, breaks down why the U.S. Department of Defense (DoD) is enforcing the Cybersecurity Maturity Model Certification (CMMC) so aggressively — and what it means for defense contractors and subcontractors.
John explains that the push comes down to protecting two key types of data:
FCI (Federal Contract Information) - details like contract specs, requirements, and schedules that, when combined, could reveal critical insights.
CUI (Controlled Unclassified Information) - more sensitive data such as technical schematics, design drawings, and maintenance schedules.
He emphasizes that hackers target the weakest link — often smaller contractors with minimal cybersecurity. CMMC ensures every contractor in the Defense Industrial Base (DIB) raises their security standards.
John also outlines the CMMC rollout phases:
Nov 2025: Self-assessments and attestations begin for new DoD contracts.
Nov 2026: Third-party (C3PAO) certifications required for most awards.
Nov 2027: Contract renewals and sensitive projects require certification.
Nov 2028: Certification mandatory for all applicable DoD contracts.
The takeaway? CMMC isn't red tape — it's about national defense and protecting critical information.
John closes with an invitation for viewers to schedule a free cybersecurity compliance consultation with TechSage Solutions.
