How HX5 Scales Cybersecurity Compliance Across Over 70 Government Sites as CMMC Phase 2 Approaches
How HX5 Scales Cybersecurity Compliance Across Over 70 Government Sites as CMMC Phase 2 Approaches
Publish Date: 2026-05-11 14:20:00
Source Domain: programminginsider.com
When the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program reached its first enforcement milestone on November 10, 2025, the change was narrow but decisive: contractors without a self-attested Level 1 compliance status could no longer win new federal defense work.
For HX5, a Florida-based defense and aerospace services contractor operating across approximately 70 government locations in more than 20 states, that enforcement date fell well within an existing preparation window. Margarita Howard, HX5’s founder and CEO, had been tracking CMMC’s development since before its formal rulemaking cycle closed.
“There are heightened cybersecurity requirements,” she has said, “and contractors will not have a choice but to implement them if they want to be a government contractor.”
Phase 2 arrives November 10, 2026. That phase requires independent, third-party assessments of contractors handling Controlled Unclassified Information, the sensitive but not classified data that flows through most substantive defense work. Contractors who fall short of the required certification by then become ineligible for contract awards in the applicable programs.
The CMMC Framework
The CMMC framework, finalized by DoD in September 2025, organizes defense contractor cybersecurity obligations into three levels. Level 1 covers basic protections for Federal Contract Information and requires annual self-assessment. Level 2 applies to organizations processing Controlled Unclassified Information, requiring either self-assessment or independent certification by an accredited third-party assessor (a Certified Third-Party Assessment Organization, or C3PAO). Level 3 applies to contractors involved in the government’s most critical programs and requires a government-conducted assessment.
The phased schedule gives contractors a runway: Phase 3 follows in November 2027, with full program implementation arriving in November 2028. C3PAO…
