Attention Kitsap Defense Contractors: New Cybersecurity Requirement Takes Effect November 10

See story in Kitsap Sun submitted by, Steve Treanor, Help Desk Cavalry

For Kitsap-based businesses that contract with the Department of Defense (DoD), a new cybersecurity milestone is rapidly approaching. Beginning November 10, 2025, all contractors must meet updated cybersecurity standards or risk losing their contracts. This change isn’t just bureaucratic—it’s critical for national security, business continuity, and maintaining competitive eligibility.

What’s Changing:

• The DoD has finalized a rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to include the Cybersecurity Maturity Model Certification program (CMMC). 
• As of November 10, contractors handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) must comply with new assessment requirements. 

What Contractors Need to Do:

1. Determine which CMMC level applies – depending on whether you’re handling FCI only, or CUI. Levels 1, 2, and 3 have different obligations. 
2. Self-assess or third-party assessment – some levels require self-assessment, others require audit by certified external assessors. 
3. Register results and affirm compliance – you’ll need to post assessment outcomes in systems such as the Supplier Performance Risk System (SPRS) and maintain ongoing compliance throughout the contract.  

Why This Matters to Kitsap Businesses:

• Defense-contracting firms risk losing existing contracts or failing to qualify for new ones. 
• Cyber threats are growing in sophistication. These rules are designed to ensure that even subcontractors protect sensitive data.
• Non-compliance doesn’t just risk revenue—it can harm reputation and future business relationships.

Challenges and Tips:

• Cost and resources: Third-party assessments, implementing required controls, documentation—all this may take time and money. Start early.
• Knowledge gap: Some firms may be unfamiliar with where their vulnerabilities lie. It might be useful to hire consultants or partner with cybersecurity experts.
• Ongoing obligation: It’s not a one-time check-off. Continuous monitoring, reporting, and adherence to the rules will be required.

Take aways

The November 10 deadline is firm. For Kitsap defense contractors, getting ahead of these cybersecurity requirements isn’t optional—it’s essential for staying in business with the DoD. If you haven’t started preparing, now is the time. The costs of non-compliance will likely far exceed the investments needed to meet the new standards.

Steve Treanor leads Help Desk Cavalry, a Kitsap County managed-service provider that has accomplished CMMC Level 2 and is certified as a Cyber-AB Registered Practitioner Organization (RPO), to help Defense Industrial Base Contractors prepare for CMMC certification.