To strengthen small manufacturing for the defense industry

A Look at the DoD Finalized CMMC Rule

The Cybersecurity Maturity Model Certification (CMMC) rule, finalized by the Department of Defense (DoD) and published on October 15, 2024, establishes a streamlined framework to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from cybersecurity threats. The rule reduces assessment levels from five to three, aligning with Federal Acquisition Regulation (FAR) 52.204-21 and NIST Special Publications (SP) 800-171 Rev 2 and 800-172. Notably, the program delineates 24 NIST SP 800-172 requirements for CMMC Level 3 certification.

CMMC employs both self-assessments and third-party evaluations based on sensitivity:

  • Level 1: Basic protection of FCI, verified by self-assessment.
  • Level 2: General protection of CUI, verified by either self-assessment or third-party certification.
  • Level 3: Enhanced safeguards against advanced threats, assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Additionally, the rule introduces Plans of Action and Milestones (POA&Ms), which permit conditional certification for up to 180 days while specific gaps are closed. Assessment criteria are tailored to each level. Level 1 requires basic protections, with each practice evaluated as “MET” or “NOT MET.” Level 2 involves intermediate controls scored on a scale of -203 to 110, with a passing score of 88. Level 3 requires first achieving Level 2’s maximum score and adds further controls against advanced threats. POA&Ms allow temporary certification while deficiencies are addressed, but all open items must be resolved within the 180-day window.

The program requires annual affirmations of compliance, strengthening accountability and deterring misrepresentation of cybersecurity practices. Contractors must monitor and report incidents, with noncompliance jeopardizing contract eligibility. Implementation phases begin December 2024 with Certified Third-Party Assessment Organization (C3PAO) evaluations and expand in 2025 to integrate requirements into DoD contracts. Contractors will need appropriate CMMC certifications based on whether they process, store, or transmit FCI or CUI.

CMMC safeguards critical information while reducing barriers for small and medium-sized businesses. However, compliance remains a challenge. A recent report found only 4% of defense contractors fully prepared, with the average Supplier Performance Risk System (SPRS) score at -12, far below the required 110. Only 15% had implemented patch management solutions, while adoption of multi-factor authentication (MFA) and endpoint detection and response (EDR) stood at 21% and 27%, respectively. Despite this, 75% of respondents claimed compliance through self-assessment.

CMMC also adjusts its approach for foreign and small businesses. Foreign firms face identical requirements, reflecting the global scope of defense contracts. External service providers, such as managed service providers (MSPs), are exempt from Level 2 certification unless they handle contractor data. This revision aims to reduce costs and expand compliance options.

CMMC can present significant challenges for small and medium-sized businesses in the defense industrial base or seeking to . While many vendors self-certify compliance, actual implementation often reveals gaps. Smaller contractors frequently lack the resources for full-time cybersecurity management and instead rely on third-party security firms to achieve compliance and verify protocols. For instance, security-as-a-service providers have been employed to help businesses meet requirements when prototyping systems.

The DoD is committed to fostering compliance among small businesses, which comprise a significant share of the defense industrial base. To support these entities, draft legislation, such as the Small Business Cybersecurity Act of 2024, proposes tax credits of up to $50,000 for firms with fewer than 50 employees to defray CMMC costs. While the legislation’s future remains uncertain, the DoD has endorsed incentives to ease compliance burdens.

CMMC requirements, particularly for CUI, range from basic Level 1 protections to more complex Level 2 standards. Level 1 compliance remains straightforward, but Level 2 demands significant investment, especially for firms handling sensitive data or working within Special Access Programs (SAPs). Though intended to strengthen national security, these requirements can unintentionally create barriers to entry for smaller manufacturers.

Critics argue that small businesses may struggle to bear the estimated $100,000 required for CMMC Level 2 certification. Nevertheless, the DoD emphasizes that foreign adversaries increasingly target small businesses, underscoring the importance of compliance. Contractors must act promptly to meet these requirements, as many primes are likely to mandate CMMC compliance from subcontractors earlier than official deadlines.

Challenges also arise in appeals and implementation logistics. Disagreements over C3PAO assessments are limited to internal appeals within the Accreditation Body, with no recourse to the DoD. Furthermore, mergers or system changes can trigger reassessments, and companies with CUI must prioritize compliance to avoid being at a competitive disadvantage.

Ensuring the resilience of the broader defense industrial base requires recognizing contributions beyond prime contractors. Small businesses play a crucial role in supplying essential items such as batteries and other critical components. A focus on identifying dual-use manufacturing capabilities—factories that produce both defense and commercial goods—would help prioritize essential infrastructure while maintaining a competitive supply chain.

Balancing cybersecurity rules with practical support is essential to preserving the participation of smaller firms. Streamlining compliance processes and encouraging targeted solutions could help ensure that businesses of all sizes can continue contributing to defense production without being overwhelmed by the cost and complexity of cybersecurity requirements.

The DoD remains committed to enhancing cybersecurity while maintaining accessibility. By fostering collaboration and introducing tools like POA&Ms, the DoD seeks to balance robust protections with reduced barriers for smaller firms. However, as CMMC becomes a condition for contract awards in 2025, contractors must accelerate their efforts to achieve compliance and avoid being sidelined in an increasingly competitive defense landscape.