Current State of CMMC 2.0 Compliance Reveals Readiness Issues

As the movement toward the full adoption of CMMC 2.0 continues in 2025, it is useful to review the current state of compliance readiness. The importance of adequate preparation and understanding of the CMMC compliance process cannot be overstated for your small business working with Department of Defense (DoD) clients.

Need for CMMC 2.0

Government cybersecurity experts emphasize that competing and adversarial countries and bad actors are aggressively targeting intellectual property and sensitive information in the Defense Industrial Base (DIB) sector. These efforts are designed to disrupt military operations and the DoD supply chain, which includes thousands of companies of all sizes.

The Cybersecurity Maturity Model Certification (CMMC) is a compliance mechanism developed to meet cybersecurity challenges. It is designed to protect unclassified information, such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is used and stored on DIB systems and networks.

CUI is unclassified information that requires safeguarding or dissemination controls for lawful government purposes. Examples of CUI include Personally Identifiable Information (PII), Protected Health Information (PHI), international trade data, contractor sensitive information, and Unclassified Controlled Technical Information (UCTI). UCTI is sensitive but unclassified military information, including operational plans, development of military technology, and surveillance methods.

CMMC provides a mechanism to measure and assess an organization’s cyber hygiene and ensure that their risk management policies and procedures are aligned with industry standards outlined in the NIST SP 800-171 rev2 and NIST SP 800-172 frameworks.

CMMC 2.0 Maturity Levels

There are three maturity levels in CMMC 2.0.

- Organizations that deal with Federal Contract Information (FCI) are required to comply with CMMC Level 1, which involves basic cyber hygiene and is considered foundational. This level requires a CMMC self-assessment for compliance.

- Organizations with any form of Controlled Unclassified Information (CUI) must be CMMC Level 2 compliant, which is considered advanced. Meeting compliance at this level requires a demanding assessment by a CMMC Third-Party Assessor Organization (C3PAO) every three years. Level 2 is the most common level that small to mid-sized contractors in the defense industry will look to achieve.

- Any companies managing CUI for high-priority DoD programs are required to be CMMC Level 3 compliant, which is considered expert. This maturity level requires a comprehensive assessment from government officials at the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years. Companies at this advanced compliance level typically need to protect critically sensitive CUI when developing advanced defense systems.

- A key component of CMMC 2.0 is that the prime contractor needs to ensure that all subcontractors and third parties on a contract meet their required CMMC maturity levels.

Current State of CMMC 2.0

Although companies involved in the DIB are increasingly aware of CMMC requirements, a recent survey reveals a surprising lack of compliance readiness. These survey results are concerning as CMMC was first established in 2020, and Title 32 of the Code of Federal Regulations (CFR) implementing CMMC 2.0 is now in effect.

A recent Redspin survey of government contractors found these problematic results:

- 42% of companies feel moderately prepared with their CMMC compliance efforts.

- 16% of companies feel slightly prepared or not prepared at all in their CMMC compliance efforts.

- 13% of companies haven’t taken any preparatory action to meet CMMC compliance requirements.

- 35% of companies don’t know how much they have spent or have invested little to nothing on CMMC preparation.

- The majority of respondents indicated that cost is a major concern in their CMMC compliance preparation. They also reported a lack of understanding of what their CMMC compliance costs and estimated timeframe would be.

There were some positive results from the survey:

- 75% of respondents said they have established, or are in the process of establishing, the required System Security Plan (SSP) for CMMC.

- More than 50% reported they are working with an external service provider (ESP) to help obtain CMMC certification.

Greater urgency required for companies wanting to work on DoD contracts

The DoD’s 2025 budget is $850 billion, which represents a massive opportunity for your small business. If your organization wants to take advantage of this opportunity, you need to understand CMMC compliance requirements and what it will take to get certification.

As a result, your small business should be working to improve your cybersecurity level with a focus on good cyber hygiene and comprehensive risk management policies and procedures.

It is important to note that there is a limited number of CMMC Third-Party Assessor Organizations (C3PAOs), which will result in extended delays in getting CMMC assessments completed. With the combination of stricter compliance requirements, a demanding timeline, and a small pool of C3PAOs, we advise your company to make your CMMC compliance efforts a top priority.

Get assistance from a CMMC expert

The most useful advice we can offer on CMMC compliance is to get assistance from an expert in IT security compliance and cybersecurity, like Network Depot. These experienced professionals will guide and accompany you every step of the way during the complicated compliance process and prepare your organization to meet all cybersecurity challenges.

Network Depot has been a registered provider organization (RPO) since CMMC was introduced, recognized by the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB). As an RPO, Network Depot is authorized to provide valuable guidance to clients who are looking to achieve CMMC certification. Network Depot will provide a comprehensive assessment of your current IT security environment and assist your organization in implementing remediation steps to fully prepare you for a CMMC 2.0 assessment.

With Network Depot as your trusted compliance partner, you will get valuable support meeting the requirements for CMMC certification. After achieving this important IT security compliance credential, your company’s IT will be secure, and you will be able to work effectively on DoD contracts.
