
The U.S. Department of Defense (DoD)’s rollout of CMMC (Cybersecurity Maturity Model Certification) has been reshaping the landscape for defense contractors and suppliers. This framework, now in the final stages of rulemaking before being included in DoD contracts, mandates rigorous cybersecurity controls to protect sensitive data, namely Controlled Unclassified Information (CUI) across the supply chain.

The model has tiered requirements, ranging from Level 1 (basic cyber hygiene) to Level 3 (expert-level security built on advanced National Institute of Standards and Technology, or NIST, controls), and the consequence of noncompliance is unambiguous: a company that does not meet the level a contract calls for may lose its eligibility for that DoD work. Worse, a company that has already attested to compliance it does not actually have faces potential legal ramifications on top of lost contracts.

Lockheed Martin, one of the largest defense contractors in the US, recently published an article on its website emphasizing the importance of cybersecurity readiness for defense contractors that handle sensitive information. The message was unmistakable: this mandate is coming, and contractors and suppliers must understand it and take the steps needed to comply.

Yet many companies are still dragging their feet. One reason is cost and complexity. Upgrading cybersecurity controls to meet NIST SP 800-171 (the basis for Level 2) or NIST SP 800-172 (the additional controls layered on top of 800-171 for Level 3) can be expensive, not only in technology investments but also in hiring and retaining skilled cybersecurity staff.

According to this Forbes article, small and medium-sized businesses may be hit the hardest, forcing some to question whether the investment is justified versus the size of their contracts. We, at IntelliGRC, have seen this firsthand.

Then there is the timing of when the framework takes effect. The final step before CMMC becomes a contract requirement is publication of the 48 CFR acquisition rule, which is expected to be finalized sometime between now and October 2025. The program was first unveiled in 2020 and received a major overhaul (CMMC 2.0) in 2021. Unfortunately, many companies remain in a wait-and-see mindset, hoping that some requirements will be softened or delayed yet again.

There may also be a false sense of security. Some contractors believe their existing cybersecurity measures are “good enough.” Because the initial phases still permit self-assessments (for Level 1, and for some Level 2 contracts under certain conditions), companies may underestimate both their vulnerabilities and their obligations. This lack of urgency breeds complacency, with executives assuming they will have ample time to catch up before strict assessments actually affect their contracts. In reality, implementing the NIST SP 800-171 and CMMC requirements is commonly estimated to take 12 to 18 months or more. Putting CMMC compliance on the back burner is not just a future regulatory risk, either. As cyber threats grow more sophisticated, even a temporary security gap can expose intellectual property, research and development, and national security data, causing significant harm.

While the reasons companies are slow to adapt may be understandable, the consequences of noncompliance are growing stark, and the window for hesitation has all but closed. That is why companies must proactively invest in cybersecurity compliance, and shift from viewing it as a cost burden to treating it as a strategic way to stand out from the crowd.

IntelliGRC collaborates with organizations to support their efforts to meet these compliance requirements. We have watched the Defense Industrial Base evolve and have seen several contractor companies succeed in their CMMC assessments. One thing we are passionate about is helping businesses of all shapes and sizes that are starting down the path to CMMC figure out what to do and how to get started. If your company is ready to get on board and begin meeting these requirements, we would love to hear from you and discuss how we can help you achieve your compliance goals. You can always reach out to us on LinkedIn or through the Contact Us page on our website.