TL;DR: CMMC waivers are rare, time-bound exceptions that apply only at the procurement level, and the DoD says they do not remove underlying cybersecurity obligations, according to Secureframe’s analysis of the January 2025 memo and 32 CFR rule. Delaying certification in hopes of a waiver leaves contractors exposed to lost awards, flowdown pressure, and avoidable contract risk.
NHIMG editorial — based on content published by Secureframe: The Myth of CMMC Waivers and the contract risk they create
By the numbers:
- Secureframe says automated workflows can cut CMMC readiness timelines by 60%, moving organisations from a 12-18 month manual process to a 4-6 month sprint.
Questions worth separating out
Q: What fails when defence contractors plan around CMMC waivers instead of certification?
A: The failure mode is governance drift.
Q: Why do CMMC waivers not remove the underlying security burden?
A: Because the waiver changes assessment requirements, not the need to protect controlled information.
Q: How should contractors measure whether CMMC readiness is real?
A: They should measure whether they can produce current SSPs, active POA&Ms, scoped inventories, access review records, and system boundary evidence without last-minute reconstruction.
Practitioner guidance
- Treat waivers as procurement exceptions, not planning assumptions Build bid and delivery plans around the expectation that certification will be required, and only treat a waiver as a narrowly scoped, time-bound procurement decision.
- Map CMMC scope to identity and access ownership Identify every human account, service account, vendor access path, and privileged role that can touch FCI or CUI, then assign named owners and evidence responsibilities.
- Prepare assessment evidence before the solicitation window closes Collect SSP, POA&M, access review, logging, and system boundary evidence as part of normal operations so the team is not scrambling after an RFP appears.
What's in the full article
Secureframe's full blog covers the operational detail this post intentionally leaves for the source:
- The full quotation from the Northrop Grumman supplier notice and how it changes subcontractor expectations.
- The article’s 7-myth comparison table that maps each misconception to the source memo and 32 CFR rule.
- The DoD memo’s waiver conditions, approval path, and quarterly reporting obligations.
- Secureframe’s readiness automation claims, including timeline reduction, enclave provisioning, and documentation workflows.
👉 Read Secureframe's analysis of CMMC waiver myths and defence contract risk →
CMMC waivers and contract risk: what DIB teams need to know?
Explore further
CMMC waivers are a procurement exception, not a governance strategy. The article shows that many suppliers are treating waiver language like an operational option when it is really a narrowly governed acquisition decision. That distinction matters because compliance programmes fail when they are built around exceptions instead of control baselines. Practitioners should treat waiver discussions as contract-specific risk management, not as a substitute for certification.
A question worth separating out:
Q: Who is accountable if a supplier fails CMMC requirements?
A: The supplier remains accountable for meeting the level required by its contract, but primes and contracting chains also shape the scope by deciding what data flows down. In practice, accountability sits with the organisation that accepts the work and the control owners who must prove access, documentation, and remediation are in place.
👉 Read our full editorial: CMMC waivers are a myth for most defense contractors