1898 & Co. Blog

CMMC Final Rule Brings Operational Technology Into Scope for Defense Contractors

Written by Lorenzo Williams | October 2, 2025 at 9:13 PM

After more than six years of debate and revision, the Department of Defense (DoD) has finalized its Cybersecurity Maturity Model Certification (CMMC) program. On Sept. 10, 2025, DoD issued its final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate CMMC requirements into defense contracts. Known as the Acquisition Rule, it formally embeds CMMC into the contracting process and builds on the 2024 Program Rule, which established the framework and substantive requirements.

The Acquisition Rule takes effect on Nov. 10, 2025, with phased implementation culminating in full rollout by Nov. 10, 2028. At that point, contractors will be ineligible for awards unless they hold the required certification level, a requirement expected to affect hundreds of thousands of entities across the defense supply chain.

For small and medium-sized businesses in the defense industrial base (DIB), attention naturally turns to information technology (IT) systems. Yet operational technology (OT), including industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, is equally in scope. Understanding how these assets are treated under CMMC is essential for compliance and long-term program readiness.

Specialized Assets: A Defined Category for OT

Under the CMMC 2.0 scoping guide, OT and ICS are designated as “specialized assets,” alongside government-owned systems and test equipment. The intent is clear: These systems are critical to defense production and must be included within assessment boundaries.

The evaluation process, however, differs from that for IT. Contractors are not expected to apply all 110 controls to aging manufacturing equipment. Instead, they are expected to demonstrate a disciplined, risk-based approach that reflects the realities of industrial environments. The burden rests on contractors to document decisions, justify risk posture and maintain traceability within the assessment framework.

Focus on Process Over Perfection

Before undergoing an assessment, contractors must address four foundational requirements for specialized assets, with each requirement centering on clarity of documentation and evidence of a deliberate security posture:

  • Complete asset inventory. Every ICS and OT system must be identified and documented, even those legacy systems that have operated without incident for decades. A comprehensive inventory is the starting point for establishing scope and accountability.
  • Accurate network diagrams. Beyond listing equipment, contractors must map how systems communicate. Network diagrams should show connections, data flows and touchpoints where Controlled Unclassified Information (CUI) enters or exits the environment.
  • System security plan (SSP) documentation. All specialized assets must be included in the SSP, the central reference for assessments. The one control required for all categories, CA.L2-3.12.4, governs SSP documentation itself. The plan is expected to define the boundaries of your environment, specify the controls selected for implementation, and document those deemed not applicable.
  • Risk-based security approach. This is perhaps the most critical requirement: contractors must show that OT assets are governed by a mature risk management process. The choice of controls must be supported by analysis and rationale. Assessors expect documentation of the process as much as the outcome. This empowers you to apply meaningful, relevant security measures rather than chasing arbitrary requirements that don’t fit your operational reality.

A Compliance Burden That Supports Business

At first glance, these obligations may feel like another regulatory challenge. Yet CMMC also provides leverage for long-needed investments in cybersecurity. Manufacturers that have struggled to secure funding for network inventories, system upgrades or basic risk management processes now have a powerful compliance driver to justify those improvements.

This framework elevates the conversation from checking boxes to building sustainable cybersecurity practices. It allows organizations to align controls with their unique operational risks rather than forcing ill-fitting IT requirements onto production systems. Over time, this approach can strengthen both compliance standing and operational resilience.

Navigating the Process

For contractors in the DIB, specialized assets will remain a complex but unavoidable part of CMMC compliance. Success depends on preparation, including conducting gap analyses, developing risk management frameworks, and embedding documentation into daily operations.

The final rules underscore that compliance is no longer optional. CMMC certification will soon be a condition for securing defense contracts, and OT systems are firmly within scope. Companies that begin building maturity now, before assessments become mandatory, will be better positioned to manage both regulatory risk and business continuity.