ALGORITHMIC WARFARE: Industry Plagued by CMMC ‘False Starts’
9/29/2025
By Josh Luckenbaugh
The first phase of the Defense Department’s long-awaited Cybersecurity Maturity Model Certification program is set to begin in November — and yet, many defense companies are struggling to even pass a pre-assessment of their networks.
The CMMC program is the department’s mechanism for verifying that contractors are compliant with the Pentagon’s cybersecurity requirements. The regulation outlining the program’s acquisition policy and standardized contract language — known as the 48 CFR rule — was published to the Federal Register in September and goes into effect on Nov. 10, at which point the first of the program’s four implementation phases will begin.
Rhia Dancel, technical scheme lead for information security at NSF — a third-party organization, or C3PAO, certified to carry out CMMC assessments — said in an interview 25 percent of the companies her firm evaluates experience a “false start,” meaning they fail to pass the pre-assessment that validates their readiness for an actual assessment.
The pre-assessment is “really a readiness check to confirm that required documentation is available and that the … assessment scope can be determined,” Dancel said. “We’re reviewing your system security plan for completeness, accuracy and consistency, but we’re not looking at adequacy and sufficiency for your implementation. … We’re just making sure that your SSP is approved, it’s all there and documented.”
https://www.nationaldefensemagazine.org/articles/2025/9/29/algorithmic-warfare-industry-plagued-by-cmmc-false-starts
