As the CMMC program evolves in 2026, following the solidification of the final rule and the timelines for required certification, the Cyber AB wrestles with the need to streamline adoption across contractors while maintaining strict rigor in compliance and audits. That’s where waivers come in.
Now, across the DIB, executives have to decide whether these waivers are legitimate from a strategic perspective or something so niche and unreliable that they don’t expect to receive one. Understanding this balance is critical for organizations as they shape their long-term compliance and growth.
What Is a CMMC Waiver?
A CMMC waiver is an official decision by DoD acquisition leadership to waive the requirement for a formal CMMC assessment in a specific procurement or class of procurements. The 2025 DoD implementation memo authorizes service and component acquisition executives to grant these waivers after following established procedures.
However, a waiver applies only to the assessment requirement, and not to the cybersecurity controls themselves. Contractors must still comply with applicable regulations such as FAR 52.204-21 and DFARS 252.204-7012.
This might sound confusing: meeting control requirements without an assessment. In practical terms, a waiver means:
- You may not need to obtain certification for a particular contract
- You still must implement the required security practices
- Noncompliance with those practices can still affect eligibility
This distinction is central to understanding the policy intent. Waivers provide procurement flexibility, not a shortcut around security.
Why the Concept of Waivers Matters
The existence of waivers signals that the DoD recognizes that innovation and capability sometimes emerge faster than formal compliance processes can accommodate. Emerging technology firms, niche suppliers, and nontraditional contractors often operate outside the typical compliance ecosystem, while still offering mission-critical services and technology.
By preserving the option to waive certification requirements, the DoD is effectively preventing cybersecurity mandates from unintentionally constraining operational agility. At the same time, the DoD is not forgoing the requirement to safeguard federal information.
Waivers as a Reflection of Risk-Based Acquisition

CMMC is fundamentally a risk management program, and waivers illustrate how that philosophy extends into procurement decisions. Rather than applying a rigid compliance model across all scenarios, the DoD retains the ability to weigh cybersecurity risk against mission urgency, industrial base participation, and competitive dynamics.
This approach aligns with broader shifts in federal acquisition strategy, where risk tolerance is increasingly contextual rather than uniform. For example, a program seeking a breakthrough capability from a small, innovative vendor may accept the short-term risk of waiving certification while still requiring adherence to core security practices.
That being said, these waivers are likely rarer than you’d expect. A waiver does not remove contractual cybersecurity obligations, nor does it shield an organization from liability tied to inadequate controls. More importantly, market forces within the DIB are rapidly shifting toward a baseline expectation of demonstrable maturity.
In this environment, relying on a waiver as part of a business strategy is a long shot not worth investing in.
What Waivers Reveal About the Future of Compliance
Viewed through a broader lens, the waiver framework offers insight into the future trajectory of CMMC and federal cybersecurity oversight more generally.
- It reinforces the notion that compliance will continue to evolve toward a tiered, contextual model. Not every contract carries the same level of risk, and the DoD is signaling its willingness to tailor requirements accordingly.
- It highlights the growing importance of continuous risk management. Rather than treating certification as a checkpoint, acquisition leaders are being empowered to make decisions based on mission needs, threat environments, and supplier capabilities.
- It suggests that flexibility will remain part of the compliance ecosystem, but always within tightly controlled boundaries. The goal is not to dilute standards but to ensure they remain operationally feasible.
What Leaders Should Be Thinking About Now
Rather than treating waivers as a contingency plan, executives should use this moment to pressure-test their readiness, governance, and long-term positioning in the defense market. The following actions can help translate policy awareness into practical steps.
- Build a Contingency Plan That Does Not Depend on Waivers: Assume certification will be required and plan accordingly for timelines, budgets, and resources. Treat waivers as an external variable rather than a planning assumption.
- Validate Your Data Exposure Assumptions: Conduct a fresh review of where FCI and CUI actually reside across your environment. Many organizations discover scope creep that changes their required CMMC level and investment priorities.
- Align Cybersecurity Investments With Business Strategy: Ensure your roadmap for CMMC, NIST SP 800-171, or 800-172 is directly tied to growth objectives, such as entering new programs, supporting primes, or expanding into higher-sensitivity work. Security maturity should enable revenue, not operate as a siloed compliance effort.
- Stress-Test Your Ability to Demonstrate Assurance: Beyond implementing controls, evaluate how quickly you can produce evidence (policies, logs, SSPs) to customers or partners. In a waiver scenario, your ability to demonstrate maturity informally may still influence award decisions.
- Engage With Prime Contractors Early: If you operate in a subcontractor role, have proactive conversations with primes about their expectations for certification timelines and acceptable risk posture. Supply chain requirements often exceed minimum regulatory thresholds.
- Strengthen Governance and Executive Oversight: Ensure cybersecurity risk is regularly reviewed at the executive or board level, with clear accountability for compliance progress. This signals organizational maturity to both government customers and partners.
- Monitor Policy and Acquisition Signals: Track updates to DFARS rules, CMMC rollout phases, and acquisition guidance. Changes in waiver usage patterns or assessment requirements can provide early insight into where the market is heading.
Meet CMMC Head On with Lazarus Alliance
CMMC waivers occupy a small but meaningful space within the broader compliance landscape. They are mechanisms designed to preserve mission flexibility without compromising the expectation of strong cybersecurity practices. That doesn’t mean they aren’t confusing, so get some clarity with Lazarus Alliance.
To learn more about how Lazarus Alliance can help, contact us.