Pentagon demands cybersecurity certification — its own budget office got hacked

CMMC became mandatory for DoD contracts on the same day the CBO confirmed a foreign breach.

On 10 November 2025, CMMC became mandatory for all new DoD contracts. The same day, the Congressional Budget Office confirmed a breach by suspected foreign hackers. The government demanded certification. Its own house had the doors unlocked.

What CMMC requires

  • Level 1: 17 basic security practices. Self-assessment. Minimum.
  • Level 2: 110 controls aligned with NIST 800-171. Third-party assessment.
  • Level 3: Government-led assessment for sensitive programs.

The CBO breach

Foreign hackers accessed internal communications, budget projections, and policy assessments. CBO data reveals what the government plans before it is announced, which makes it an intelligence goldmine for a nation-state.

For European businesses

  1. Start your assessment now. Subcontractors need CMMC too.
  2. NIST 800-171 is the baseline.
  3. Build for Phase 2. Third-party certification is coming.