
Achieve CMMC Compliance Effectively

Take a structured approach to Cybersecurity Maturity Model Certification.

The Cybersecurity Maturity Model Certification (CMMC) framework is the Department of Defense’s bulwark against cybersecurity threats among its contractors. But defense contractors can find it a challenge to fulfill the CMMC’s 134 controls across multiple levels, jeopardizing contract eligibility. Our research offers structured guidance to help you engage with CMMC requirements by protecting the right things and weaving compliance into your operations before you even place a bid.

The CMMC framework’s recent change to a three-level structure can pose a challenge to organizations already struggling to map its requirements onto existing security controls, while also contending with budget, resource, and expertise shortfalls. IT leaders must build compliance with the required CMMC level into core business functions using a proactive, risk-based approach that demonstrates trustworthiness in handling sensitive defense data.

1. Focus only on what you need to.

When it comes to CMMC, you don’t have to secure the whole house – just lock the vault. Identify CMMC-regulated information and isolate it in a controlled environment to achieve compliance faster, reduce costs, and minimize risk, without having to overhaul your entire IT ecosystem.

2. Take a surgical approach to compliance.

Defining the right CMMC assessment scope before you start is critical. Strategically enclave your architecture and the boundary of certification to balance requirements with security, efficiency, and cost considerations.

3. Secure your subcontractors too.

The CMMC framework delegates subcontractor compliance to the prime contractor. If you engage subcontractors in your work, it will be your responsibility to ensure they are CMMC-compliant, according to the required CMMC level. If you are a subcontractor who employs further subcontractors, it is in your best interest to ensure proactive CMMC compliance to maintain trust with the prime contractor.

Use this step-by-step guide to take a strategic approach to CMMC compliance

Our research offers a guided framework for understanding the requirements of CMMC at every level and methodically laying the groundwork to meet them. Use this approach to proactively engage with CMMC mandates to maximize your organization’s competitiveness while bidding for defense contracts.

  • Establish a CMMC readiness roadmap by developing a documented compliance strategy with clear ownership, priorities, and timelines.
  • Prepare a CMMC-compliant security posture by implementing and validating security controls to be ready for CMMC certification with minimal disruption.
  • Strengthen supply chain security by maintaining compliance, monitoring risks, and enforcing supply chain accountability.

Achieve CMMC Compliance Effectively Research & Tools

1. Achieve CMMC Compliance Effectively Deck – A clear guide to understanding and preparing your organization to meet CMMC requirements.

Use this deck to begin building a structured, efficient, and effective CMMC compliance approach that helps you achieve compliance faster by protecting the right things to ensure maximum competitiveness for defense contract bids.

  • Understand the challenges and obstacles standing in the way of achieving CMMC compliance.
  • Uncover insights into how to efficiently prioritize and optimize your compliance efforts.
  • Understand and plan the process flow for each of the CMMC’s three levels.

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

Overall Impact: 10.0/10
Average $ Saved: $2,466
Average Days Saved: 2

Client | Experience | Impact | $ Saved | Days Saved
ESS Tech, Inc | Guided Implementation | 10/10 | $2,466 | 2

Best: discussion on our progress and how that applies for future CMMC efforts. Worst: did not see NERC on the list of standards considered.


Achieve CMMC Compliance Effectively

Take a structured approach to Cybersecurity Maturity Model Certification.

Analyst perspective

Strengthen cyber resilience, enhance competitive advantage, and ensure contract readiness.

Safayat Moahamad

The Cybersecurity Maturity Model Certification (CMMC) represents a strategic shift in how the defense industrial base manages cybersecurity risks. The rise in cyberthreats targeting defense contractors has made it clear that a standardized, enforceable framework is necessary to protect controlled unclassified information and ensure the resilience of the supply chain.

For defense contractors, noncompliance is not an option. Failure to obtain the required CMMC certification jeopardizes contract eligibility. More importantly, organizations that proactively invest in cybersecurity readiness gain a competitive advantage by strengthening their ability to bid on Department of Defense contracts and demonstrating trustworthiness in handling sensitive defense data.

The path to CMMC compliance requires a proactive, risk-based approach that integrates security into daily operations. Those who start early will gain a competitive edge in the defense sector. CMMC should not be viewed as a regulatory burden but rather as an opportunity to strengthen cybersecurity resilience and build trust. Organizations that treat CMMC as a core business function will be better positioned to secure defense contracts.

Safayat Moahamad

Research Director
Security and Privacy
Info-Tech Research Group

Executive summary

Your Challenge

Understanding CMMC requirements. Organizations struggle with mapping requirements to their existing security controls.

Resource and budget constraints. Controls such as MFA and encryption often require additional tools, skilled personnel, and training.

Managing compliance across the supply chain. Contractors must ensure that subcontractors meet CMMC requirements, leading to complex compliance dependencies.

Common Obstacles

Legacy systems and technical debt. Older systems may not support modern security controls, requiring expensive upgrades or compensating controls.

Expertise and workforce gaps. Organizations may lack specialized cybersecurity skills in risk management, threat detection, and compliance auditing.

Adapting to change. Keeping pace with new mandates as regulations evolve poses a significant impediment to business and IT leaders.

Info-Tech’s Approach

Establish a CMMC readiness roadmap. Develop a documented compliance strategy with clear ownership, priorities, and timelines.

Implement and validate security controls. Be prepared with a CMMC-compliant security posture, ready for certification with minimal disruption.

Strengthen supply chain security. Maintain compliance, monitor risks, and enforce supply chain accountability.

Info-Tech Insight

Instead of securing the whole house, just lock the vault. Isolate CMMC-regulated information in a controlled environment to achieve compliance faster, reduce costs, and minimize risk without overhauling the entire IT ecosystem.

Your challenge

This research is designed to help organizations that are facing these challenges:

  • Understanding and interpreting evolving CMMC requirements
  • Accurately defining CMMC scope and asset inventory
  • Resource constraints, such as budget, personnel, and expertise
  • Navigating the third-party assessment process
  • Managing supply chain compliance
  • Maintaining continuous compliance and annual affirmations

“DoD will include CMMC requirements in solicitations and contracts. Contractors who process, store, or transmit FCI or CUI must achieve the appropriate level of CMMC as a condition of contract award.”

– Pentagon qtd. in DefenseScoop, 2024.

  • 80% of respondents stated they experienced a loss from a cyber incident.
  • Only 4% of respondents believe their company is completely ready for CMMC certification.
  • More than 60% of respondents find it very difficult to achieve and maintain CMMC compliance.

Source: Merrill Research, 2024.

Common Obstacles

These barriers are challenging for many organizations:

  • Lack of executive buy-in and organizational alignment
  • Unclear roles and responsibilities for CMMC implementation
  • Vendor and external service provider (ESP) dependencies
  • Legacy IT systems and technical debt
  • Complicated and time-consuming assessment preparation
  • Unclear path for organizations moving from Level 2 to Level 3

“We continuously have our data taken by advanced persistent threats. We have contractors that get targeted by malicious actors trying to extort money.”

– Stacy Bostjanick, chief of defense industrial base cybersecurity, qtd. in “DOD Simplifies Process for Defense Contractors,” US Department of Defense, 2024.

  • Less than 40% are actively working on SSPs, POAMs, required controls, and ongoing compliance plans.
  • Over 50% highlighted significant cost impacts due to ongoing changes and necessary tools.
  • Approximately 40% rated DFARS reporting an 8 out of 10 or higher in terms of difficulty.

Source: Merrill Research, 2024.

Cybersecurity Maturity Model Certification

The CMMC is a mandatory compliance requirement for US Department of Defense (DoD) contractors and subcontractors. The framework aims to ensure the protection of federal contract information (FCI) and controlled unclassified information (CUI).

The defense industrial base (DIB) experiences frequent and complex cyberattacks. The CMMC mandates that companies managing sensitive DoD information adopt increasingly sophisticated cybersecurity measures.

Through CMMC assessments, the DoD ensures compliance with these standards. Consequently, DoD contractors and subcontractors must meet a designated CMMC level to be eligible for contract awards.

CMMC Level | Controls | Assessor | Applicability
LEVEL 1 | 15 | Self | All DoD contractors
LEVEL 2 | 110 | Self or accredited 3rd party (1)(2) | Contractors handling CUI
LEVEL 3 | 134 | DIB Cybersecurity Assessment Center | Critical defense programs

(1) As specified by the DoD solicitation
(2) Accredited 3rd party = Certified Third-Party Assessor Organization (C3PAO)

Info-Tech Insight

Defining the right CMMC assessment scope is critical. Strategically enclave your architecture and the boundary of certification to balance requirements with security, efficiency, and cost considerations.

Scoping: Identifying in- & out-of-scope assets

Organizations seeking assessment (OSAs) must identify and categorize their information systems based on the level of certification sought and whether they process FCI or CUI, including systems or services provided by external service providers (ESPs). Within these information systems, for Level 2 and Level 3, the assets should be further broken down into asset categories.

LEVEL 1

  • In-scope: Assets that process, store, or transmit FCI
  • Assessment scope: Fully assessed against Level 1 security requirements
  • Out-of-scope: All other assets, including specialized assets
  • Asset categories: FCI assets (systems handling FCI required for contract execution)

LEVEL 2

  • In-scope: CUI assets; security protection assets; contractor risk managed assets (CRMAs, capable but not intended to handle CUI)
  • Assessment scope: CUI and security protection assets fully assessed; CRMAs subject to limited checks
  • Out-of-scope: Non-CUI assets
  • Asset categories: CUI assets (handle CUI); security protection assets (provide security functions, e.g., firewalls, SIEM); CRMAs (can handle CUI and are protected by contractual controls)

LEVEL 3

  • In-scope: All CUI assets; security protection assets; specialized assets
  • Assessment scope: Fully assessed, but specialized assets may use intermediary devices
  • Out-of-scope: Non-CUI assets
  • Asset categories: Specialized assets (devices like IoT, OT, and GFE that handle CUI but may have limited security capabilities)

CMMC level selection

An organization seeking assessment (OSA) will choose the desired CMMC level it aims to achieve and implement the compliance program. However, a DoD solicitation will indicate the minimum CMMC status necessary to qualify for an award. One of four CMMC statuses will be specified:

  1. LEVEL 1 Self-Assessment

    To protect FCI handled during contract fulfillment. The OSA must fully comply with the 15 security requirements outlined in FAR clause 52.204-21, with no exceptions permitted.
  2. LEVEL 2 Self-Assessment

    To protect CUI handled during contract fulfillment. The OSA must adhere to the 110 Level 2 security requirements based on NIST SP 800-171 R2.
  3. LEVEL 2 C3PAO Assessment

    C3PAO Assessment differs from Level 2 Self-Assessment in that compliance is verified by an accredited 3rd Party. OSAs can find C3PAOs on the CMMC Accreditation Body (AB) Marketplace.
  4. LEVEL 3 DIBCAC Assessment

    Involves an assessment conducted by the DIBCAC on 24 additional control requirements from NIST SP 800-172. This is done in addition to a LEVEL 2 C3PAO Assessment.

For Level 3, an OSA must first achieve the Level 2 C3PAO certification. Afterward, the OSA should request a Level 3 certification assessment by emailing the Defense Contract Management Agency (DCMA)’s DIB Cybersecurity Assessment Center (DIBCAC).

Subcontractor relationships

  1. Flow-Down Requirements: Prime contractors must ensure that subcontractors, including MSPs, MSSPs, CSPs and ESPs, comply with the applicable CMMC level. Subcontractors at all tiers are subject to these requirements. The DoD does not track subcontractor certification progress but expects contractors to manage it.
  2. Prime Contractor Responsibility: Prime contractors are responsible for ensuring compliance and determining the correct CMMC level based on the prime contract's requirements.
  3. Subcontractor Compliance: Subcontractors must submit their own assessments and certifications. Any cloud service providers (CSPs) used by the contractor to handle CUI must meet Federal Risk and Authorization Management Program (FedRAMP) Moderate Baseline or the equivalent requirements.
  4. DoD Expectations: The DoD expects compliance with CMMC levels for all contractors handling CUI and FCI. Contractors are encouraged to only share necessary CUI with subcontractors and work to minimize unnecessary burden.
  5. CMMC Level 2 Certification: The minimum level for subcontractors in contracts requiring CUI processing is Level 2. CMMC assessments are required as part of pre-award requirements, and contractors should verify subcontractor compliance.

Annual affirmations

OSAs and organizations seeking certification (OSCs) must complete assessments and affirmations to achieve and maintain CMMC compliance. The process differs based on the CMMC level, involving self-assessments, third-party certifications, or government-led evaluations.

  1. LEVEL 1 Self-Assessment

    • Must meet all 15 Level 1 controls
    • Conditional status not allowed
    • Annual affirmation in Supplier Performance Risk System (SPRS)
  2. LEVEL 2 Self-Assessment

    • Must meet all 110 NIST SP 800-171 R2 controls
    • 80% minimum score required for conditional status
    • Plan of action & milestones (POA&M) closed in 180 days
    • Reassessed every three years
    • Annual affirmation in SPRS
  3. LEVEL 2 C3PAO Assessment

    • Must meet all 110 NIST SP 800-171 R2 controls
    • 80% minimum score required for conditional status
    • POA&M closed in 180 days then reassessed by C3PAO
    • Reassessed every three years
    • Annual affirmation in SPRS
  4. LEVEL 3 DIBCAC Assessment

    • Must meet 24 NIST SP 800-172 controls (in addition to Level 2)
    • 80% minimum score required for conditional status
    • POA&M closed in 180 days then reassessed by DIBCAC
    • Reassessed every three years
    • Annual affirmation in SPRS

A POA&M is a management tool used to identify, prioritize, and track the progress of corrective actions needed to address security deficiencies.


About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.


What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

  • Achieve CMMC Compliance Effectively Storyboard
  • CMMC Process Flow

Talk to an Analyst

Our analyst calls are focused on helping our members use the research we produce, and our experts will guide you to successful project completion.

Book an Analyst Call on This Topic

You can start as early as tomorrow morning. Our analysts will explain the process during your first call.

Get Advice From a Subject Matter Expert

Each call will focus on explaining the material and helping you to plan your project, interpret and analyze the results of each project step, and set the direction for your next project step.


Author

Safayat Moahamad

Contributors

Gary Gregory, Chief Information Officer, Wiss, Janney, Elstner Associates
Aftab Pradhan, Manager, IT Security, Wiss, Janney, Elstner Associates

Search Code: 107533
Last Revised: May 16, 2025
