As the head of U.S. Cyber Command and the National Security Agency (NSA) recently stated, the Defense Industrial Base (DIB) sector “is being actively targeted by our adversaries and competitors.” These attacks routinely target intellectual property and sensitive information. They also disrupt military operations and threaten the U.S. Department of Defense (DoD) supply chain, which includes hundreds of thousands of domestic and foreign companies. In response, the DoD has emphasized the need for stringent cybersecurity requirements for contractors within its supply chain to maintain national security.
The Cybersecurity Maturity Model Certification (CMMC) is a mechanism developed to protect unclassified information, such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), that resides on DIB systems and networks. The CMMC measures an organization’s cybersecurity hygiene, in alignment with industry standards outlined in the NIST SP 800-171 rev2 and NIST SP 800-172 frameworks.
The latest evolution of CMMC requires DIB organizations to reconsider risk and compliance practices.
Importance of CMMC 2.0 in 2025
The Pentagon budget for FY25 is $849.8 billion. Achieving the required CMMC level is essential to qualify for DoD contracts and to establish trust and credibility within the DoD supply chain.
The DoD published the CMMC 2.0 rule in October 2024, which is streamlined to three maturity levels:
- Foundational – Focuses on basic cyber hygiene practices. It includes 17 practices that are required to protect FCI.
- Advanced – Aligns with the security requirements in NIST SP 800-171. It includes 110 practices aimed at protecting CUI.
- Expert – Aligns with a subset of the requirements in NIST SP 800-172. This level focuses on advanced and progressive cybersecurity practices to protect CUI from Advanced Persistent Threats (APTs) and is required for high-priority DoD programs.
Initial implementation is already underway. The table below outlines each phase of the implementation timeline:
| Phase | Timeline | Details |
|---|---|---|
| Phase 1 | December 2024 | Where applicable, solicitations require Level 1 or 2 Self-Assessments. |
| Phase 2 | December 2025 | Where applicable, solicitations will require Level 2 Certification. |
| Phase 3 | December 2026 | Where applicable, solicitations will require Level 3 Certification. |
| Phase 4 | December 2027 onwards | All solicitations and contracts will include CMMC Level requirements as a condition of contract award. |
Considerations for Organizations in the DIB Sector
To prepare for upcoming deadlines, organizations should ask themselves:
What type of data do we hold?
CMMC 2.0 places greater scrutiny on DIB organizations handling CUI, which involves information about DoD contracts, sensitive but unclassified information, information under protections from federal laws, and information related to national security or law enforcement. Specific examples include:
- Personally Identifiable Information (PII).
- Protected Health Information (PHI).
- Export-controlled or International Trade Data.
- Contractor sensitive information.
- Unclassified Controlled Technical Information (UCTI) – sensitive but unclassified military information including operational plans, development of military technology, and surveillance methods.
DIB organizations with any form of CUI MUST be Level 2 Advanced CMMC-compliant, and those handling CUI for high-priority DoD programs MUST be Level 3 Expert CMMC-compliant.
How long will CMMC compliance take, and how much will it cost?
Achieving and maintaining CMMC compliance has time and cost implications, which vary significantly due to:
- The size of the organization.
- The level of certification required.
- Complexity of existing systems.
- Existing gaps in cybersecurity posture.
- Implementation of necessary controls.
- Employee training and awareness.
- Third-party certification.
For many organizations, the upfront costs and effort can be substantial, but they are outweighed by the long-term benefits of an improved security posture, access to government contracts, and reduced cyber risk. On average, organizations should expect to spend several months to a year achieving initial compliance, with ongoing maintenance and periodic audits required after that. Planning, allocating sufficient resources, and being aware of any contractual deadlines will help in meeting CMMC requirements on time.
Are the organization-defined NIST SP 800-171 and NIST SP 800-172 controls aligned with our risk management policies and procedures?
When preparing for CMMC compliance, security controls from NIST SP 800-171 and NIST SP 800-172 should align with the organization’s risk management policies and procedures. This ensures that cybersecurity posture is both compliant and suitable for the organization’s operational environment. Organizations should:
- Conduct a gap analysis of cybersecurity and risk management measures to determine areas lacking compliance or requiring enhancement.
- Map NIST SP 800-171 and NIST SP 800-172 controls to the organization’s risk management policies and procedures.
- Implement tailored controls, such as creating and updating policies and procedures, deploying necessary technologies (e.g. encryption, access controls), and continuously reviewing controls to ensure ongoing compliance.
- Document and communicate the risk management strategy across the entire organization.
CMMC 2.0 expands on NIST SP 800-171’s 14 security domains with three new domains (for a total of 17). These new domains emphasize protection of cybersecurity assets, recovery from breaches, and how CUI held within the organization’s environment is affected. The new domains are:
- Asset Management.
- Recovery.
- Situational Awareness.
Are our subcontractors and third parties aware of CMMC requirements?
Subcontractor compliance is also a key consideration, and by October 2025, it will be the prime contractor’s responsibility to ensure all subcontractors meet the appropriate CMMC requirements.
A subcontractor’s required certification level is based on the information that will flow to the subcontractor or supplier during fulfillment of the contract. This means CMMC compliance requirements can differ between prime contractors and subcontractors. For example, a prime contractor handling high-priority CUI requires CMMC Level 3 compliance, but if it passes only FCI to its subcontractors, they need only be CMMC Level 1-compliant.
Achieving CMMC Compliance
To achieve CMMC compliance, organizations are advised to undertake the following initiatives:
CUI Boundary Analysis
Understanding the type of data handled by an organization is key in determining the level of certification required. For example, Advanced Level 2 compliance is not necessary for all organizations and is solely required for organizations handling CUI.
To help navigate the compliance requirements within the CMMC, a CUI boundary analysis can determine whether organizational information is classified as CUI, identify and map CUI data flows, and define clear distinctions between CUI and non-CUI data.
Cyber Gap Analysis and CMMC Self-Assessment
A cybersecurity maturity assessment is the first step in identifying gaps in existing practices, controls, and documentation. Based on the results of the gap analysis, focus on the key CMMC domains that need improvement, such as data protection, access control, or incident response.
The CMMC self-assessment is required annually to achieve Foundational Level 1 compliance. This level focuses on the protection of FCI aligned with Federal Acquisition Regulation (FAR) Clause 52.204-21.
Mock Audit
Ensuring all required documentation, such as system security plans (SSPs), policies, and training records, is ready can greatly speed up the formal assessment process. This can be achieved by conducting mock audits to verify that all requirements are met.
For Advanced level compliance, an official assessment conducted by a CMMC Third-Party Assessor Organization (C3PAO) is required, and for Expert level compliance a DoD governing body will conduct the assessment.
Third-Party and Subcontractor Engagement
As mentioned earlier, prime contractors have the responsibility to ensure all subcontractors are CMMC compliant based on their required level. Engaging with subcontractors and third parties early to identify information flows can ensure a seamless certification process.
Due to the nuanced set of requirements in the CMMC, acting early will give organizations a competitive advantage by prioritizing their cybersecurity maturity. To plan and navigate the complexities of your organization’s CMMC compliance in 2025, contact CrossCountry Consulting.