TL;DR: CMMC has moved from policy intent to active enforcement, with NIST 800-171 Rev. 2 requirements already legally embedded under DFARS 7012 since 2017, according to Secureframe’s coverage of Katie Arrington’s keynote. The practical question is no longer whether compliance matters, but whether contractors can prove cyber posture, supply chain readiness, and business survivability under scrutiny.
NHIMG editorial — based on content published by Secureframe: Katie Arrington on when DIB organizations should get CMMC certified
Questions worth separating out
Q: What breaks when organisations treat CMMC as a checklist?
A: When CMMC is treated as a checklist, teams often focus on paperwork instead of whether controls are actually implemented, reviewed, and provable.
Q: Why does CMMC matter to smaller subcontractors?
A: Smaller subcontractors matter because attackers often target weaker points in the supply chain, not just the prime contractor.
Q: What do security teams get wrong about supplier access?
A: Teams often assume supplier access is temporary or low risk, then fail to review it with the same discipline as internal access.
Practitioner guidance
- Convert compliance tasks into evidence chains Link access reviews, remediation records, and control ownership to the specific contractual requirements that auditors and primes will ask for.
- Map subcontractor access to explicit lifecycle controls Inventory who can reach defense data, which external parties retain access, and how offboarding is verified.
- Tie privileged access to business-critical systems Review administrative and elevated access across systems that store sensitive defense information, then reduce standing privilege wherever possible.
What's in the full article
Secureframe's full article covers the operational detail this post intentionally leaves for the source:
- How Katie Arrington frames the enforcement timeline and why that matters for DIB contractors
- The way primes and agencies are flowing CMMC expectations down into supplier contracts
- Why subcontractor transparency and POA&M ownership change procurement conversations
- Which public support programs and reimbursement paths may help smaller organisations close gaps
👉 Read Secureframe's coverage of Katie Arrington's CMMC enforcement message →
CMMC enforcement is here: what DIB teams need to re-evaluate?
Explore further
Compliance debt has become supply chain risk debt: CMMC is not just a certification gate, it is a way of forcing unresolved security obligations into contract accountability. Organisations that deferred NIST 800-171 work or treated POA&Ms as a parking lot now face a harder reality: delayed remediation becomes a business eligibility problem. For identity teams, this means evidence of access governance and privileged control is now part of commercial readiness, not just internal hygiene.
A question worth separating out:
Q: Who is accountable when CMMC gaps are found?
A: Accountability sits with the organisation that is using the access, storing the data, or bidding for the contract. In practice, that means leaders cannot outsource responsibility to a consultant or a prime contractor. The business must be able to show current controls, a real remediation path, and evidence that gaps are being closed.
👉 Read our full editorial: CMMC is shifting from checkbox to survivability for DIB firms