What should DoD contractors do to meet CMMC requirements?

With the release of the Cybersecurity Maturity Model Certification (CMMC), major changes are coming to the Department of Defense (DoD) supply chain this year for both contractors and subcontractors.

On November 2021, the DoD announced “CMMC 2.0,” requirements designed to achieve the primary goals of the internal review:

  • Safeguard sensitive information to enable and protect the warfighter

  • Dynamically enhance DIB cybersecurity to meet evolving threats

  • Ensure accountability while minimizing barriers to compliance with DoD requirements

  • Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience

  • Maintain public trust through high professional and ethical standards


The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the Defense Industrial Base (DIB). It is designed to protect sensitive unclassified information that is shared by the Department of Defense with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the Department increased assurance that contractors and subcontractors are meeting these requirements.

The framework has three key features:

  • Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for information flow down to subcontractors.

  • Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.

  • Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

CMMC requires that all DoD contractors and subcontractors implement practices and controls to safeguard controlled unclassified information (CUI) and federal contract information (FCI). CMMC will also require that DoD contractors and subcontractors undergo an assessment by a CMMC Third-Party Assessment Organization (C3PAO).

CMMC will be required for all DoD contractors (prime and subs) and should be considered a “license to do business with DoD.” Potential implications of noncompliance could include the following:

  • Revenue loss

  • Reputational damages through adverse performance reviews

  • Supply chain disruption

  • Proposal exclusion

What can you be doing right now?

In preparation for CMMC, organizations across the defense industrial base are taking a serious look at their controls surrounding NIST 800-171 and beginning to understand the differences between NIST 800-171 and CMMC. Some specific areas of focus for DoD contractors include the following:

Define your CUI boundary – In order to understand what level of CMMC you might need, start by understanding your CUI boundary and the types of information that are passing through your environment.

Revisit your system security plan (SSP) – In previous versions of the DFARS clause, DoD contractors were required to develop and maintain an SSP. Now is good time to review and update your SSP, because this will be an integral part of your CMMC assessment.

Revisit your POA&M – If you’ve performed a self-assessment, you should have developed POA&M that outlines gaps and your plan to close those gaps. Before going into your CMMC assessment, you should strive to close out outstanding gaps, and a good first step will be to review and update your POA&M.

How CSCG can help?

CSCG takes a business-focused, broad approach that supports cost savings, productivity, and risk reduction goals. We encourage DoD contractors to take a proactive and sustainable approach to achieving the CMMC requirements on an ongoing basis.

Readiness Services – CSCG can assist DoD contractors with achieving CMMC compliance by assessing existing processes and controls against the CMMC framework to identify if deficiencies exist.

Certification Services – CSCG has partnered with a C3PAO and expects to be credentialed during the summer of 2020. Stay tuned for updates on this service