Current Issue

Defense Sales Update

The Road to CMMC Compliance

By on
Defense market participants must meet new cybersecurity standards by 2025.

Vendors selling to the Department of Defense are facing a critical deadline. By 2025 they will need to ensure their security procedures comply with the requirements of a uniform set of standards designed to protect national security.

Dubbed Cybersecurity Maturity Model Certification, the mandated policies and procedures govern practices for restricting access to sensitive data on a need-to-know basis, and protecting such data from both accidental loss and transmission into the wrong hands through cyberattacks.

“Once the requirements are finalized, organizations that don’t have CMMC certification will no longer be able to bid on DoD contracts,” says Matthew Weber, senior cybersecurity consultant at BlueVoyant. “So if 30 percent of your business comes from DoD contracts, failing to get CMMC certification means losing nearly a third of your revenues.”

Because CMMC is still in its rule-making phase, some companies have decided to wait until the rule is finalized to begin preparation. However, it can take anywhere from nine to 18 months for an organization to achieve CMMC compliance, so companies that are choosing to wait risk the loss of DoD contracts.

“The most common mistake we see is having a wait-and-see mindset, especially since so many companies are behind in terms of cybersecurity basics,” says Weber. 

Getting it Done
While the roads to certification will vary widely, the experience of one California manufacturer of steel parts suggests that applicants can face significant challenges. Some 80 percent of the company’s sales go to the defense industry, so getting certified was a must. 

Like many other small- to medium-sized organizations, the company started a do-it-yourself initiative which petered out after six months when the technological challenge became too great. Help was needed to interpret the CMMC requirements, which are not the clearest.

The company first turned to a general security firm, which seemed like a good idea until it became clear that the organization was not specifically knowledgeable about CMMC requirements. The steel parts maker then took on the services of a cloud-based consulting firm with some 50 CMMC projects under its belt. 

That decision proved beneficial, and now the company expects to achieve CMMC compliance by the end of 2023. The result will be a dramatically different IT structure, with everything in the cloud. The company had to invest in new hardware and upgrade its firewall along with security cameras that could send notifications when someone approached a building’s doors. 

Total cost? The first-year investment will come to nearly $200,000; succeeding years will require $135,000 as fees to the consulting firm. 

Reaching Out
“One of the best things you can do is reach out to an organization that’s an authorized CMMC accreditation body and have an assessor do a basic readiness check,” says Keatron Evans, principal security researcher at Cengage Group’s Infosec Institute, a provider of CMMC certification courses. “They can then guide you through the process, give you pointers on what you need to do to get yourself ready and what they will look for when they come to do their assessment. They’re very good at giving out that information.” 

Cyber AB, which is the organization that oversees the CMMC program, maintains a website listing every practitioner and organization registered to provide consulting advice. Interested companies can navigate to

While costly, taking on the help of an outside firm ensures the security program is thorough. As for the total cost, that can vary. “Cost of compliance depends on an organization’s existing level of cybersecurity maturity, the complexity of their environment, and the sensitivity of the data they hold,” says Weber. He says this is particularly the case for companies that have so-called “export-controlled data,” which no foreign nationals are allowed to access. Only Microsoft employees based in the U.S. are allowed to troubleshoot that environment. 

Part of the expense can be mitigated by outsourcing compliance to an infrastructure provider offering both consulting services and a pre-built comprehensive technical solution in the form of a secure data enclave that satisfies CMMC requirements. This infrastructure provider will secure the data the DoD needs protected, says Neil Jones, director of cybersecurity evangelism at Egnyte, a content security and governance platform. “The pro here is the solution can be less expensive; the con is that companies have a little less autonomy than if they did the projects on their own.”

Levels of Security
Whatever its solution path, a company’s first step is to determine in which compliance level of cyber maturity it belongs. Ranked from low to high in terms of required security protocols, here are the three levels specified by the CMMC:
Level 1 (Foundational) 
Organizations in this group must protect Federal Contract Information – a term which refers to non-public data contained in documents provided by the government for the development of a product or service. This level requires the lowest degree of security protocols since contract details are of less sensitivity.
Level 2 (Advanced) 
These organizations must protect data that fall into the category of Controlled Unclassified Information. That term refers to sensitive government-owned data describing the products or services under contract. Most spring manufacturers are likely to fall into Level 2, since details about specific types of springs produced in support of a DoD contract will likely be considered CUI.
Level 3. (Expert)
Organizations assigned the highest level of security sensitivity will likely be providing pure intellectual property such as software programs, the loss of which could cause significant damage to the DoD.

First Steps
In determining its level of security, the business must start by analyzing how much FCI and CUI it possesses. “FCI is fairly easy to determine, since it is clear which federal contracts are in effect,” says Jones. “CUI can be more difficult to identify.” Here’s where a practiced consultant will be of help.

After determining a company’s maturity level, the next step is to define the scope of the CMMC compliance project. This begins with an analysis of the security protocols in the organization’s current technical environment. The company can then design and carry out a program to bring those protocols into CMMC compliance.

There’s another dimension to the CMMC picture: staff training. “Decisions need to be made about who can interact with FCI and CUI data, and when and how they can do so,” says Jones. “Access must be restricted based on a business need to know. Does the CEO, for example, really need day-to-day access? Finally, those employees designated to put hands on the data must also be trained on the correct procedures.”

“Everyone dealing with CUI will have to be aware of the enhanced protection requirements for that data. Everyone will be impacted by these solutions, whether that’s implementing multifactor authentication, or stricter access requirements,” says Weber. “They’re going to have to have procedures and policies in place for who can access data, who can read data and have control over that data.”

Once procedures have been put into place, the company normally undertakes a thorough self-assessment. Do all processes comply with CMMC standards? And if not, is there a plan in place to bring the operations into compliance in a  reasonable time? That process can be outlined in a document called a Plan of Action and Milestones. 

“The DoD will assess whether that POA&M is acceptable,” says Jones.

Faced with a formidable project, some manufacturers will need to marshal all available forces to bring their projects to completion. “The sooner you jump on it, the better off you’re going to be,” says Evans. “The biggest mistake companies can make is not taking CMMC compliance seriously, and waiting until the deadline arrives to get a handle on things.”

Getting to a state of CMMC compliance is not a one-and done affair, adds Jones. “Organizations must continuously safeguard their CUI and improve their data security processes to make sure only the right people have access to their protected information.”

Getting to the finish of a company-wide project with sufficient managerial and budgetary line on CMMC compliance is an all-hands on-deck affair. The entire company must get aboard the CMMC bandwagon. “Executive buy-in is critical,” says Jones. “If  a company tries to do CMMC compliance as a one-off IT initiative rather than support, it is doomed to failure.”

Know the CMMC Lingo

The path to compliance with CMMC is strewn with acronyms. Here are the ones you need to know:
CMMC 2.0. Cybersecurity Maturity Model Certification. Assurance that an organization has instituted the required cybersecurity practices and hardware to protect government data. Version 2.0 is the latest iteration of the mandated protocols.
CUI. Controlled Unclassified Information. Data created or possessed by the government, or another entity, related to products or services contracted to the DoD by a vendor.
C3PAO. Third-Party Assessor Organization. An organization certified to conduct an on-site investigation to determine that a vendor has become compliant with the requirements of CMMC.
DIB. The Defense Industrial Base. The compendium of data controlled by the Department of Defense. This includes information about contracted products and services.
FCI. Federal Contract Information. Non-public data that is part of a contract to develop a product or service for the government.
POA&M. Plan of Action and Milestones. A roadmap for bringing a non-compliant vendor into compliance with the requirements of CMMC, which is subject to approval by the DoD.
Companies may obtain more information about the CMMC program at the Department of Defense website:

How Complete is Your CMMC Program?

How close is your company to full compliance with CMMC? Find out by scoring 10 points for every “yes” answer to the following questions. Total your score and check your rating at the bottom of the sidebar.

Is your CMMC compliance program a company-wide effort rather than a specialized IT initiative?

Have you analyzed the security protocols currently in place in your company?

Have you designed a realistic plan to achieve compliance?

If you do not have a sufficient level of internal expertise, have you obtained help from a consulting firm experienced in CMMC?

If you have acquired the services of an outside consultant, have you designated internal personnel to coordinate 
their efforts?

Have you analyzed the amount of FCI and CUI data your company possesses?

Have you determined in which of the three compliance cybersecurity levels your company belongs?

Have you created a list of people who will need to have access to FCI and CUI data?

Have you trained individuals on how to access protected data in a secure manner that conforms to CMMC?

If you have completed your compliance program, have you conducted a thorough self-assessment in preparation for a visit by an assessor from an authorized CMMC accreditation body? 
What’s your score? 

80 or more: Congratulations. You have gone a long way toward achieving the level of security required to sell to the DoD. 

Between 60 and 80: It’s time to light a fire under your CMMC compliance program. 

Below 60: Your business is at risk. Take action on the suggestions in this article.

[Photo Caption:]
Sixteen Air Force KC-46A Pegasus’ and five KC-135 Stratotankers line up for an elephant walk at McConnell Air Force Base, Kan. (Photo courtesy U.S. Department of Defense)