CMMC has moved from planning to enforcement and contractors are feeling it


Terry Gerton You have a lot of background on a very important topic, CMMC. In fact, your company received quite a bit of attention last fall when you released a report that found only 1% of defense contractors said they felt ready for the CMMC rules that were just then going into effect. We’re about six months later. How have you seen the situation change?

Emil Sayegh There’s certainly a rush from certain contractors and subcontractors to essentially become CMMC compliant, get certified, get assessed, and so on and so forth. But what we’ve seen from before, for multiple years as CMMC was being talked about and planned, basically CMMC has moved from planning and PowerPoint and Excel sheets and Word documents and project plans to actual implementation now, and people are starting to take it much more seriously. So it’s moved basically from writing the policy to actually implementing those policies, and not only implementing them, but also making sure that you have the proper evidence that those policies are implemented, because when an assessor is gonna come in and audit you, or even if you’re doing a self assessment and you’re publishing an SPRS score, there’s a threshold of evidence that you need to maintain. And that’s what needs to go into your self assessment, right? It can’t just be, “I think” or “we planned” or “it looks good” on an Excel document or a Word document. You have to be able to provide the evidence so that you can enter your SPRS score in the government system, the DOD system. So having said that, I think we’re seeing everything shift from planning to now being part of the operational workflows in companies, and people are starting to take it seriously.

Terry Gerton I guess there are really two sides to the readiness question. One is whether the contractors inside the Defense Industrial Base were themselves ready. The other side is whether the Department of Defense was ready to hold folks accountable. So from the contractors’ perspective, what are they seeing from DOD on the enforcement side?

Emil Sayegh Sure. Look, it’s less, frankly, about some dramatic government action. It usually basically starts quietly through contracting friction, through signaling from their contracting officer; the subcontractor will probably start seeing some pressure from the contractor, from the primes, right? So we’ve seen a lot of publicity about that, where primes are essentially pushing those requirements onto their subcontractors and asking them to be CMMC compliant, quote unquote, by a certain date. Some dates are sooner than what we’ve heard from the government, which has some people, you know, kind of questioning that. But I do think that there is a push for that. So I think it starts, you know, pretty quietly at first; it starts to appear in a contract or impetus from the contracting officer or from the prime down to their subcontractors, basically.

Terry Gerton Are the subcontractors in this space surprised at this point by the flow down of this requirement or were they expecting it?

Emil Sayegh This is a great question and I chuckle a little bit. I mean, CMMC has been around for a while. It’s been talked about for a long time. Nobody should be surprised at this point. The surprise, I would say, is some people did not know that they were handling or they will be handling CUI data. Some subcontractors did not know that this is going to be a requirement by the contractor that they be compliant by a certain date. So I do think that there’s a few subcontractors that probably assumed that because they were sole source, somehow they get an exemption. And certainly, none of those are true. There are no exemptions, and come November 10, 2026, they’re going to have to be compliant to still be eligible for new contract award as well as existing contracts at their end.

Terry Gerton Emil Sayegh is CEO of CyberSheath. Mr. Sayegh, as the market is helping contractors get compliant, one of the concerns from the beginning was the number and availability of the validators, the third party validators. What are you seeing play out there?

Emil Sayegh Absolutely, there’s 80,000 contractors and subcontractors that need to be CMMC compliant, and there’s only 100 C3PAOs, third party auditors in this space. So there’s definitely a mismatch between human capacity to do these assessments and the number of contractors, subcontractors that need to become compliant. But also, I would say, it’s not just the assessors, but also the partners to these contractors and subcontractors that are getting them ready, that are helping them become ready to be CMMC compliant, you know, that are coming in, doing the IT work, doing the cybersecurity work, putting all the compliance documentation in place, processes and so on and so forth; there’s a shortage of those as well. So there’s the shortage on the readiness side and there’s a shortage on the assessment side. And further, what’s been accentuating all this is what you’ve asked me about earlier in the interview: are contractors, subcontractors taking this seriously and not waiting until the last minute? What we’re seeing is a lot of firms that are waiting until the last minute; they’re coming to us now, six months away from the November 10th deadline, wanting to be compliant by the November 10th, 2026 deadline. And that’s a tall order. There’s a lot of work that needs to be done. It is still, you know, within the window, but it is really stretching it. Everything has to go right for companies to be certified by then. So, you know, you’re seeing this nexus of factors that are happening all at the same time that are creating an urgency as well as a shortage of human capital to be able to execute on these plans.

Terry Gerton So if the market is not capable of getting everybody through all of the credentialing that they need to be compliant by the implementation date in November, what happens? Do contractors not perform? Do we just move forward with known gaps? What’s going to happen in November?

Emil Sayegh I mean, they have a period of time to cure the deficiencies, for sure, and also we just have to keep in mind that not all 80,000-plus contractors have to be compliant by November 10th. The contractors that have contracts that require CMMC compliance, those have to be compliant. There’s subcontractors that also have to be compliant. And then as new contracts get published and have the CMMC clause in them, then the contractors that want to bid on those new contracts also have to be compliant at that time. So there’s a sequencing: out of the 80,000, the government estimates about 8,000 have to be compliant within the first year, so the year that we’re in now. So, you know, we’re at about 1,200 now, so there’s a delta of about, you know, 6,800 contractors, subcontractors that are somehow still trying to get through it. And we’re adding about 200, close to actually 180 certifications per month as an industry. So we’re making progress and, you know, hopefully by the deadline, the most critical companies would have gotten their certifications, and the ones that have not either will have plans to remediate within a certain short period of time, or they would have an alternative to those companies and those contracts.

Terry Gerton There’s talk that these kinds of requirements may extend across the rest of the federal government beyond DoD. How does what you’re seeing now in the defense sector inform you about how federal cyber mandates might play out more broadly? What would you expect to see?

Emil Sayegh I mean, we’ve seen it in the GSA with their announcement about a CMMC-like requirement. And I do think that this is the right move. CMMC is a great ecosystem; creating a new standard is hard because you gotta create an ecosystem around it. You gotta create auditors. You gotta create a readiness industry, whether it’s software, whether it’s hardware, whether it’s services that come in and help these companies get ready. So I’m very encouraged with what the GSA has done. And I expect that to transcend the entire federal ecosystem, if you will. And, you know, this is really about protecting mission critical information and frankly, strengthening supply chain resilience to improve our national security readiness. This is what this is all about. Our adversaries, our foreign adversaries definitely have been taking some of our most precious IP in this country. And I think the Defense Department, the Department of War has decided to draw a hard line and put these deadlines in place. And we’re going to start seeing other federal agencies follow suit.

Copyright © 2026 Federal News Network. All rights reserved.