
What You Need to Know About CMMC in 2025

Earlier this month, the Department of Defense (DoD) published the new rule for the Cybersecurity Maturity Model Certification (CMMC) program, which goes into effect on December 16.

As we near the end of 2024, all companies working with the DoD, from large defense contractors to small subcontractors, will need to start working towards compliance with the latest version of CMMC. This certification is critical for safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) on Defense Industrial Base (DIB) networks.

CMMC compliance impacts a diverse set of organizations within the DoD supply chain, including defense contractors, manufacturers, aerospace technology providers, and logistics firms. Service providers, educational and research institutions, construction and engineering firms, and healthcare providers handling defense data are all required to meet CMMC standards to secure sensitive information and maintain eligibility for DoD contracts.

Without compliance, manufacturers and other organizations risk missing out on valuable opportunities, while also facing the reputational and financial risks associated with potential data breaches. This makes CMMC not only a regulatory requirement but a competitive necessity for maintaining a strong standing in the defense industry supply chain and securing lucrative contracts.

The evolution of CMMC

CMMC was first published by the DoD in 2020 as part of an effort to strengthen cybersecurity across the DIB. With cyber threats on the rise, especially those targeting sensitive information shared within defense contracts, the DoD recognized the need for a standardized, enforceable framework to protect FCI and CUI. 

When CMMC was first released, it introduced a five-level certification system, with each level building on the previous one to address increasingly sophisticated cybersecurity threats. While this structure aimed to provide flexibility, the five-tier system was seen as unnecessarily complex, especially for smaller contractors that lacked the resources to scale up to higher levels.

Recognizing the challenges with CMMC 1.0, the DoD introduced CMMC 2.0 in response to industry feedback. The new version simplifies the framework by consolidating the five levels into three tiers, each aligned with existing cybersecurity standards, such as NIST SP 800-171, which many organizations were already following.

These new requirements will be phased in for DoD contractors over a three-year period, following a four-phase implementation plan.

Here’s the anticipated timeline for CMMC 2.0:

  • December 16, 2024: Rule becomes effective. 
  • March/April 2025: CMMC Level 2 third-party assessments (conducted by Certified Third-Party Assessor Organizations or C3PAOs) can begin once the 32 CFR rule becomes effective.
  • Q2 of 2025: The DoD will start incorporating CMMC 2.0 requirements into contracts through a phased approach after the 48 CFR rule is finalized.

Key Changes in CMMC 2.0

The most significant change in CMMC 2.0 is the consolidation of compliance levels:

  • Level 1 is aimed at companies handling basic defense-related information and requires foundational cybersecurity practices.
  • Level 2 focuses on protecting CUI and aligns with the well-established NIST SP 800-171 standards, making it easier for organizations already following these guidelines.
  • Level 3 is for organizations with higher security needs, requiring more advanced measures to mitigate sophisticated threats.

Another notable change is that many companies will now be able to self-assess for Level 1, significantly reducing costs. 

However, for companies handling CUI, third-party assessments conducted by a Certified Third-Party Assessor Organization (C3PAO) will be mandatory.

How to Start Planning for CMMC Compliance in 2025

To be ready for CMMC, start preparing early. Here’s a step-by-step guide to help:

  1. Conduct a gap analysis: Compare your current security measures to the requirements of CMMC. If you’re already compliant with NIST SP 800-171, you’re ahead of the game.
  2. Develop a remediation plan: Identify any missing controls or processes and create a plan to address these gaps.
  3. Document everything: Ensure that you have detailed records of your cybersecurity practices, such as System Security Plans (SSPs) and Incident Response Plans.
  4. Train employees: Make sure your workforce is aware of its cybersecurity responsibilities, as human error is one of the leading causes of data breaches.

How manufacturers can leverage Strike Graph to prepare for CMMC Compliance

For manufacturers working with the Department of Defense (DoD), CMMC compliance is essential not only to secure sensitive information but to remain competitive in defense contracting. Given the complexities of managing compliance across multiple manufacturing sites, particularly with standards like NIST SP 800-171 at the core of CMMC, traditional methods like spreadsheets often fall short. 

That’s where Strike Graph’s enterprise content management system, launching later this year, comes in. It is designed specifically for large enterprise organizations, including manufacturers, that need a scalable, efficient way to meet CMMC and other security frameworks across all locations.

Strike Graph’s automation and customizable controls simplify these tasks, helping manufacturers streamline workflows and align compliance programs with NIST SP 800-171 and CMMC standards. The new enterprise content management system offers centralized evidence collection, ensuring consistent visibility and control over compliance at all manufacturing sites. 

Supported by Strike Graph’s expert guidance, this comprehensive platform streamlines both regulatory compliance and continuous monitoring, enabling manufacturers to scale compliance efforts securely and efficiently.

By partnering with Strike Graph, you can save time, reduce the administrative burden across your organization, and focus on what you do best: delivering essential products to the defense industry.

Get started today by scheduling time to discuss your organization’s needs with one of our security experts.

Conclusion

CMMC 2.0 compliance is not just about cybersecurity—it’s about staying competitive in the defense contracting space. With a phased rollout starting in mid-2025, organizations must act now to ensure they are ready to meet these new requirements. 

By partnering with Strike Graph, you can save time, reduce the administrative burden, and focus on what you do best: providing critical products and services to the defense industry.
