If you work anywhere in the DIB, you’ve heard about the“Golden Dome,” the Trump administration’s push for a layered missile-defense architecture. It’s among the biggest new starts in years.
But beyond the headlines and debates, real contracting pathways are forming. Major defense contractors are making significant investments in the infrastructure to take on the workload¹.
It seems the timeline will collide with the rollout of CMMC, and though it's tough to know how it will play out, a few realities are already coming into focus, specifically, that GovCons need to be prepared for.
Eligibility Requirements
Eligibility is going to require CMMC.
For contractors to get in on the action, proposals will require a current C3PAO Certification (for targeted Level 2 projects).
Without it, you’re not eligible, no matter how strong your technical volume is. Expect RFP language to call for assessment status, SPRS scoring, and evidence artifacts.
Supply chains will tighten.
CMMC readiness will become a discriminator. Don't be surprised to see primes pre-qualifying CMMC-ready subs; many primes started this vetting in 2024.
Greater emphasis on data segregation through CMMC Enclaves.
Expect RFPs to encourage CUI-enclaves to reduce scope and accelerate assessment cycles.
What Contractors Should Do To Prepare
-
Close your NIST 800-171 (Rev. 2) gaps—now.
Run a control-by-control gap analysis; update your SSP, network diagrams, data flow maps, and POA&Ms.
-
Decide your target level by contract type.
Map your pipeline: FCI-only work (Level 1) versus CUI-handling (Level 2). Right-size your compliance path per line of business.
-
Scope ruthlessly and design your enclave.
If necessary, create the smallest CUI boundary possible to limit assessment scope and cost with a CMMC enclave.
-
Harden subcontractor management.
Build a repeatable flow-down package: required clauses, policy extracts, minimum control set, evidence lists, and an onboarding checklist. Pre-screen subs for Level 2 pathways; consider partnering with C3PAOs to run readiness workshops across your supply base.
-
Budget to timelines, not wishes.
Given the signals that most new DoD contracts will require CMMC, back-plan your assessment readiness: 90–180 days to implement, harden, and generate evidence is common even for well-postured shops.
Book your assessment asap to avoid bottlenecks.
¹ https://www.orlandosentinel.com/2025/08/21/space-coasts-l3harris-opens-100-million-satellite-facility-to-support-trumps-golden-dome/
