
What You Need to Know About CMMC in 2025


As we near the end of 2024, all companies working with the Department of Defense (DoD) - from large defense contractors to small subcontractors - will need to start working towards compliance with the latest version of the Cybersecurity Maturity Model Certification (CMMC). This certification is critical for safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) on Defense Industrial Base (DIB) networks.


CMMC compliance affects a wide range of industries and organizations within the DoD supply chain, including: 

  • Defense Contractors and Subcontractors
  • Manufacturers supplying the DoD
  • Aerospace and Defense Technology Providers
  • Logistics and Supply Chain Providers for defense-related operations
  • Service Providers to the DoD (consulting, IT services, engineering, etc.)
  • Educational Institutions and Research Organizations working on defense-funded projects
  • Construction and Engineering Firms involved in military infrastructure projects
  • Healthcare Providers serving the DoD or handling military health data
  • Telecommunications and IT Infrastructure Providers for defense

In today’s interconnected world, the stakes are higher than ever when it comes to protecting sensitive defense information.

Without compliance, manufacturers and other organizations risk missing out on valuable opportunities, while also facing the reputational and financial risks associated with potential data breaches. This makes CMMC not only a regulatory requirement but a competitive necessity for maintaining a strong standing in the defense industry supply chain and securing lucrative contracts.

What Is CMMC and why does it matter?

CMMC was first introduced by the DoD in 2020 as part of an effort to strengthen cybersecurity across the DIB. With cyber threats on the rise, especially those targeting sensitive information shared within defense contracts, the DoD recognized the need for a standardized, enforceable framework to protect FCI and CUI. 

When CMMC 1.0 was first released, it introduced a five-level certification system, with each level building on the previous one to address increasingly sophisticated cybersecurity threats. While this structure aimed to provide flexibility, the five-tier system was seen as unnecessarily complex, especially for smaller contractors that lacked the resources to scale up to higher levels.

Recognizing the challenges with CMMC 1.0, the DoD plans to introduce CMMC 2.0 in response to industry feedback. The new version simplifies the framework by consolidating the five levels into three tiers, each aligned with existing cybersecurity standards such as NIST SP 800-171, which many organizations already followed.

Here’s the anticipated timeline for CMMC 2.0:

  • December 16, 2024: Rule becomes effective. 
  • March/April 2025: CMMC Level 2 third-party assessments (conducted by Certified Third-Party Assessor Organizations or C3PAOs) can begin once the 32 CFR rule becomes effective.
  • Q2 of 2025: The DoD will start incorporating CMMC 2.0 requirements into contracts through a phased approach after the 48 CFR rule is finalized.

Key Changes in CMMC 2.0

The most significant change in CMMC 2.0 is the consolidation of compliance levels:

  • Level 1 is aimed at companies handling basic defense-related information and requires foundational cybersecurity practices.
  • Level 2 focuses on protecting CUI and aligns with the well-established NIST SP 800-171 standards, making it easier for organizations already following these guidelines.
  • Level 3 is for organizations with higher security needs, requiring more advanced measures to mitigate sophisticated threats.

Another notable change is that many companies will now be able to self-assess for Level 1, significantly reducing costs. 

However, for companies handling CUI, third-party assessments conducted by a Certified Third-Party Assessor Organization (C3PAO) will be mandatory.

How to Start Planning for CMMC Compliance in 2025

To ensure you’re ready for CMMC, start preparing early. Here’s a step-by-step guide to help:

  1. Conduct a gap analysis: Compare your current security measures to the requirements of CMMC. If you’re already compliant with NIST SP 800-171, you’re ahead of the game.
  2. Develop a remediation plan: Identify any missing controls or processes and create a plan to address these gaps.
  3. Document everything: Ensure that you have detailed records of your cybersecurity practices, such as System Security Plans (SSPs) and Incident Response Plans.
  4. Employee training: Make sure your workforce is aware of their cybersecurity responsibilities, as human error is one of the leading causes of data breaches.

How Strike Graph can help

Preparing for CMMC compliance can be a daunting task, but Strike Graph streamlines CMMC compliance by automating workflows that minimize manual effort. A key feature of Strike Graph is its ability to create custom controls tailored to specific CMMC requirements. This flexibility enables organizations to develop compliance programs that align with their unique operations. 

The platform simplifies evidence collection and organization, making it easy to manage documentation for CMMC and any other framework your company might need. 

Continuous monitoring keeps organizations informed of changes in regulatory requirements, allowing them to stay compliant over time. With Strike Graph, businesses are well-equipped to navigate emerging compliance trends and maintain a competitive edge in a rapidly evolving landscape.

In addition, the Strike Graph team offers access to compliance professionals who guide customers throughout the compliance journey. This expert support reduces errors and ensures alignment with CMMC standards from the start. 

Conclusion

CMMC 2.0 compliance is not just about cybersecurity—it’s about staying competitive in the defense contracting space. With a phased rollout starting in mid-2025, organizations must act now to ensure they are ready to meet these new requirements. 

By partnering with Strike Graph, you can save time, reduce the administrative burden, and focus on what you do best: providing critical products and services to the defense industry.

Get started today by scheduling time to discuss your organization’s needs with one of our security experts. 
