CMMC Compliance: Key Updates and What It Means
Last updated: January 24th, 2025
The Cybersecurity Maturity Model Certification (CMMC) framework has evolved significantly over the past few years, and with its growing importance, it’s crucial for businesses, particularly contractors to the Department of Defense (DoD), to stay informed. The CMMC was created to ensure that DoD contractors meet specific cybersecurity standards to protect Controlled Unclassified Information (CUI) and other sensitive government data. Below, we dive into the key aspects of CMMC compliance, why it's becoming more essential than ever, and what businesses need to know as the landscape continues to change.
Table of contents
What is CMMC?
Key Levels of CMMC
The Evolution of CMMC and its Relationship to NIST
CMMC Compliance Timeline
The Impact on Contractors and Subcontractors
The Challenges of Compliance
CMMC and Federal Spending
Certification Readiness: The Time to Prepare is Now
Protecting Critical Data and Defense Systems
What is CMMC?
CMMC is a cybersecurity certification framework designed by the U.S. Department of Defense (DoD) to enforce a set of security practices for contractors handling sensitive DoD data. It is built on NIST SP 800-171, a publication by the National Institute of Standards and Technology (NIST) that outlines a series of cybersecurity requirements for federal contractors.
While NIST 800-171 sets guidelines for protecting federal government data, it does not mandate enforceable compliance. CMMC fills this gap by introducing a system of graded cybersecurity maturity levels—Level 1, Level 2, and Level 3—each with specific security controls that contractors must follow.
Key Levels of CMMC
Level 1:
Level 1 pertains to contractors handling Federal Contract Information (FCI). This includes basic cybersecurity practices, such as regular password changes and other fundamental security controls to protect the integrity of non-sensitive data in federal contracts. It is the least stringent level and serves as a baseline for contractors in lower-risk areas, such as companies providing general supplies.
Level 2:
Level 2 applies to contractors that work with CUI—data deemed sensitive by the federal government. These contractors must meet all the Level 1 requirements, in addition to an expanded set of cybersecurity practices. The DoD specifies which contracts require compliance with Level 2, and contractors must be vigilant about identifying CUI within the data they handle.
Level 3:
Level 3 represents the highest level of cybersecurity maturity. Contractors at this level must comply with all the controls in Level 1 and Level 2 and add additional practices to protect highly sensitive data. Level 3 compliance is particularly relevant for contractors that are handling data critical to national security, such as arms manufacturers or defense contractors. Ongoing audits are also part of this level to ensure continuous adherence to cybersecurity standards.
The Evolution of CMMC and its Relationship to NIST
While CMMC is not a standalone security standard, it derives much of its structure from the NIST SP 800-171 and NIST SP 800-53 standards. NIST 800-171 provides a framework for managing the security of CUI, and it lists 110 cybersecurity practices. These practices are mandatory for federal contractors, but unlike CMMC, NIST 800-171 does not require an audit or certification—compliance is based on self-attestation.
In contrast, CMMC is designed to hold contractors accountable through independent third-party audits. Partial compliance or inaccurate self-attestations can result in legal liability or loss of contracts. Additionally, CMMC adapts as the NIST standards evolve. For instance, updates to NIST 800-171, such as Revision 3, add new requirements that CMMC must also integrate, ensuring it stays aligned with the latest cybersecurity best practices.
The Impact on Contractors and Subcontractors
CMMC affects a vast number of contractors and subcontractors within the DoD ecosystem. With the DoD’s annual spending surpassing $400 billion in outsourced contracts, compliance with CMMC will affect hundreds of thousands of businesses. Contractors that fail to comply may lose out on lucrative government contracts, potentially affecting their bottom line and future growth.
Additionally, businesses not directly contracting with the DoD, such as Managed Service Providers (MSPs), must understand CMMC's implications. Many MSPs find themselves indirectly impacted because they often serve as service providers for companies within regulated sectors. Staying up-to-date on the latest revisions to CMMC ensures MSPs can remain competitive in the federal market by offering compliance support to their clients.
The Challenges of Compliance
CMMC compliance isn't just a checkbox exercise—it's a multi-year process that requires substantial planning, resources, and external support from service providers. Contractors must implement security practices, document their efforts, and, at higher levels, undergo audits to verify compliance.
Enforcement mechanisms are strict. For example, there is a mandatory timeline for incident reporting within 72 hours, which has proven challenging for businesses dealing with conflicting regulatory requirements across different regions. Regulatory contradictions—such as differing privacy laws and law enforcement needs—complicate these reporting standards, and businesses often adopt the most restrictive standard available to mitigate compliance risks.
CMMC and Federal Spending
To give context to CMMC's scale, consider the enormous amount of federal spending involved. The DoD accounts for more than half of the total $400 billion spent annually on federal contracts (U.S. Government Accountability Office, 2023). CMMC’s widespread reach means that companies across a range of industries will need to conform to these cybersecurity standards if they wish to secure government contracts.
Certification Readiness: The Time to Prepare is Now
As 2025 begins, businesses must start taking steps to ensure their readiness for self-assessments and eventual audits. The CMMC framework requires contractors to proactively identify their level of risk, collect evidence, and close any gaps in their current cybersecurity practices. Certification is no longer optional—it’s a requirement to do business with the DoD. The question is not “if” but “when” companies will need to meet these standards.
For MSPs and other service providers, understanding CMMC and its relationship to existing frameworks like NIST 800-53 and the CIS Controls is key. While NIST’s controls can be too complex for many organizations, frameworks like CIS provide an accessible and adaptable starting point. By treating cybersecurity as an ongoing program rather than a one-time compliance effort, service providers can better support their clients and position themselves for success in an increasingly regulated market.
Protecting Critical Data and Defense Systems
CMMC has become a cornerstone of cybersecurity within the U.S. Department of Defense’s contractor ecosystem. It’s a dynamic framework that adapts alongside evolving standards like NIST 800-171, pushing contractors to enhance their security posture and become more accountable for protecting sensitive information. As the timeline for mandatory certifications draws closer, the urgency for businesses to understand and implement CMMC requirements has never been greater.