The Schellman Blog

The Cybersecurity Maturity Model Certification (CMMC) has officially shifted from proposed framework to an enforceable requirement for organizations supporting the U.S. Department of Defense (DoD). With the Final Rule now in effect and contractual mandates accelerating, defense contractors and subcontractors can no longer treat CMMC as a future initiative.

As federal agencies increasingly rely on cloud technologies to support mission-critical operations, ensuring those systems meet consistent security standards is essential. The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach for assessing, authorizing, and continuously monitoring cloud services used by the U.S. government.

For years, the Cybersecurity Maturity Model Certification (CMMC) lived in a world of drafts, delays, and speculation. Now, however, there are two key rules underpinning the CMMC program. The first is the foundational  32 CFR Part 170, which went into effect in December 2024 and formally established the CMMC framework.

The long-anticipated Cybersecurity Maturity Model Certification (CMMC) Final Rule, published on September 10, 2025, officially became effective November 10, 2025. This shift from voluntary guidance to mandatory, enforceable contract requirements under the Defense Federal Acquisition Regulation Supplement (DFARS) marks a turning point for every organization that supports the federal defense supply chain. This critical milestone also signifies that full implementation is just beginning.

As the Department of Defense (DoD) continues to accelerate its Zero Trust strategy, organizations supporting national security missions face increasing expectations for how they secure, monitor, and manage sensitive information.

FedRAMP 20x is progressing quickly, with phase 2 just around the corner. Designed to modernize and streamline the authorization process, FedRAMP 20x is reshaping how cloud service providers (CSPs) achieve and maintain authorization to operate (ATO) in the federal marketplace.

If you develop or sell commercial-off-the-shelf (COTS) technology that ends up in Department of Defense (DoD) environments, there’s a new bar you have to clear. Katie Arrington, the acting DoD CIO has issued a new memo that directly impacts how you manage your software supply chain, and it’s going to change how COTS vendors prepare for procurement.

This signals document reviews the current state of software security initiatives in the federal government and the Department of Defense (DoD), highlighting key programs and policies aimed at enhancing cybersecurity. This includes the recent Executive Order 14306 (signed on June 6th), the DoD’s new Software Fast Track (SWFT), and SSDF and associated CISA attestations under the Biden Administration, part of which were rescinded via Executive Order 14144.