
    Losing the Silent War: The Urgent Need for CMMC Compliance

    Our country is fighting a silent cyber war, and we are losing. Learn how to aid in the fight by protecting sensitive data.


    The Problem: America is losing a silent war – the Cyber War 

    Many Americans don’t realize this, but our country is fighting a silent war, and we are losing. Badly. 

    This war doesn't particularly lend itself to advancing domestic political agendas, and it doesn’t make for good headlines. Most Americans are perfectly content to pretend it isn’t happening. The stereotypical head-in-the-sand approach works just fine on this issue for most people, until it’s too late. The war we’re losing is a cyber war, and at stake are some of our most valuable assets, our country’s Intellectual Property.  

     

    In Short: 

    • America's Defense Industrial Base (DIB) is being targeted with Intellectual Property theft. 
    • The Cybersecurity Maturity Model Certification (CMMC) Program was created to protect our DIB, and by extension the Department of War, during this Cyber War. 
    • CMMC’s phased rollout began in October 2025. 
    • Many prime contractors expect CMMC Level 2 compliance from their subs, even before CMMC requirements appear on all contracts. 
    • It takes the average company 12-18 months from start to CMMC certification when done the right way. 
    • It's imperative that every company in the DIB start their CMMC compliance journey now to ensure future contracts, maintain relationships with Primes, and build a company that is prepared for a cyber-secure future. 

    Every day, foreign adversaries launch malicious attacks against the very fabric of our business and information technology infrastructure. The goal is to obtain sensitive data regarding the very things that make America the world’s foremost superpower: the advanced technologies within our industrial and defense systems. 

    With Intellectual Property and sensitive data acquisition being the goal of the attacks, it should come as no surprise that the largest target is the U.S. Department of War (DoW) and its supply chain, also called the DIB. Therefore, it is now more important than ever for DIB contractors to protect sensitive data and their Intellectual Property.  

    In this article, we will discuss the current state of cybersecurity in the DIB, provide a DoW cybersecurity regulatory refresher, and outline steps for organizations to become compliant with ever-increasing government cybersecurity regulations.   

    The Target: The U.S. Defense Industrial Base (DIB)

    As tensions between the United States and foreign adversaries continue to rise, malicious actors have become increasingly adept at stealing data from American companies. In fact, the estimate cited in 32 CFR Part 170 put the annual losses due to cyber theft at over $600 billion.   


    China has closed the technological gap with the United States in advanced weapon systems over the last 20 years. Much of this has happened via IP theft. According to the Australian Strategic Policy Institute, China now leads the United States in 37 of 44 critical technologies such as Optics, Advanced RF, Cybersecurity, Post Quantum Cryptography, Photonics, Robotics, and Drones. 

    In the words of former NSA Director General Keith Alexander, the sad state of our nation’s cybersecurity and the subsequent IP theft resulting from it is “the greatest wealth transfer in human history.” 

    It’s time we fight back against this malignant assault on our country. 

    It’s time to take our heads out of the sand and take the necessary actions to build sustainable security measures that protect our children, their children, and the children of many generations of Americans to come.  

    The Solution: Fighting Back With CMMC 

    To combat this war waged through America's cyber gaps, cybersecurity experts at CISA (Cybersecurity and Infrastructure Security Agency) and the White House have issued multiple advisories, warning companies about their need for vigilant cybersecurity practices. 

    These warnings stress the importance of protecting Controlled Unclassified Information (CUI), which is defined by DoW regulations as information that requires protection against unauthorized disclosure in order to:   

    1. Protect national security interests  
    2. Safeguard private or proprietary information  
    3. Maintain privacy and/or   
    4. Prevent embarrassment or legal liability

    To accomplish the goals of protecting CUI and preventing malicious actors from gaining access to sensitive data, the DoW released a cybersecurity assessment program known as the Cybersecurity Maturity Model Certification (CMMC) to check contractor compliance against the NIST SP 800-171 standard, which has been required since 2017. 

    What is CMMC (Cybersecurity Maturity Model Certification)? 

    CMMC is a program by which the Department of War verifies contractor compliance with required cybersecurity measures when managing and storing CUI (Controlled Unclassified Information). 

    In order to achieve CMMC Level 2 certification, a business must undergo an evaluation by a CMMC 3rd-Party Assessment Organization (C3PAO). This review assesses the company's compliance with NIST SP 800-171 requirements, after which they will receive their certification status from the governing body, the Cyber Accreditation Body (Cyber AB). To remain compliant, companies must update their certificates every three years. 

    What Does CMMC Require?  

    As stated, CMMC is an assessment methodology for implementing NIST SP 800-171 standards. It establishes three levels of requirements that must be met and verified by a C3PAO.  

    Level 1 requires a company to satisfy 17 basic security practices out of a list of 110 total security controls and then self-assess to assure the government they are met.   

    Level 2 requires all 110 security controls (comprising 320 Assessment Objectives) to be satisfied. Level 2 self-assessment is sometimes possible, but, more typically, you’ll need a full-fledged CMMC Level 2 certification assessed by a CMMC Third-Party Assessment Organization (C3PAO). 

    The 110 controls of CMMC Level 2 are broken up into the following 14 families:  

    1. Access Control (AC)  
    2. Audit and Accountability (AU)  
    3. Awareness and Training (AT)  
    4. Configuration Management (CM)  
    5. Identification and Authentication (IA)  
    6. Incident Response (IR)  
    7. Maintenance (MA)  
    8. Media Protection (MP)  
    9. Personnel Security (PS)  
    10. Physical Protection (PE)  
    11. Risk Assessment (RA)  
    12. Security Assessment (CA)  
    13. System and Communications Protection (SC)  
    14. System and Information Integrity (SI)  

    Level 3 requires a company to have a CMMC Level 2 certification, then implement 24 enhanced measures from NIST SP 800-172. After implementation is complete, the company will schedule a second assessment, this time by an organization within the DoW called the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).  

    These standards are essential for companies hoping to secure contracts from DoW agencies since failure to meet them can result in fines and other penalties.   

    The bottom line is complying with CMMC standards demonstrates:  

    • An organization’s commitment to protecting Valuable Corporate Data Assets (such as CUI, ITAR, etc.) from potential cyber threats 
    • Protection of our country’s valuable intellectual property from being stolen and replicated  
    • A willingness to stand up and fight in one of the most important international conflicts of our generation and future generations 

     Considering all the above, CMMC compliance, while it may seem frustrating and resource-intensive, is the key to sustainable growth for future-minded DoW contractors and the future of our great nation.   

    Assessment and Attestations: How Compliance Is Checked  

    As security expectations rise, so too do the methods by which those standards are upheld. To uphold the CMMC standard, there are a few mechanisms in place.  

    First is the Supplier Performance Risk System (SPRS), initially launched in 2013. With the 2020 publication of DFARS 7019, SPRS began requiring cyber reporting, and it now acts as a tool for identifying suppliers that have not met the DoW's cybersecurity standards. SPRS requires companies to complete basic assessments, and it outlines access requirements and flow-down procedures for subcontractors involved in contracts with federal agencies.  

    When do I need CMMC?  

    The CMMC final rule became enforceable as of November 10, 2025. The full rollout (when ALL contracts handling CUI will require CMMC Level 2 certification) will be complete in November 2028, but government program managers and contracting officers already require CMMC Level 2 certifications in many cases. Prime contractors securing their supply chains in advance already require CMMC third-party certifications to join teams for contracts expected in the next year.  

     


    CMMC Levels 2 and 3 will require third-party attestation to the submitted SPRS score, so contractors will need to schedule an assessment with a certified third-party assessment organization (C3PAO). In the case of a Level 3 certification, after the Level 2 C3PAO assessment, the organization will need to meet the enhanced requirements and pass an additional assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a government entity. These assessments add an as yet unknown amount of time due to the limited number of assessors and the growing number of organizations seeking compliance (OSC). 

    The kicker is that being prepared for a CMMC assessment could take anywhere from 12-18 months for most companies in the Defense Industrial Base. Add to that the time it will undoubtedly take to schedule an assessment, which is growing along with increased demand, and you’re looking at quite a long timeline. So, the clock is ticking.  

    Overall, companies hoping to secure contracts from DoW agencies will have to meet these standards through either voluntary or mandatory compliance processes. Companies must understand the importance of meeting these stringent requirements and take steps now in order to remain competitive and protect their data from being compromised.  

    CMMC Considerations for Small Businesses in the DIB  

    Small businesses seeking to become CMMC compliant should take special considerations into account when attempting to meet the requirements.   

    Firstly, it is important for them to understand their exposure level to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) data, as this will help guide them in choosing the appropriate CMMC level for their business.   

    For example, a small business with 1-5 employees handling FCI but not CUI may want to start at CMMC Level 1 with no DFARS 7012 requirement, as this is relatively easy to meet compared to higher levels of compliance. On the other hand, companies that handle CUI and FCI should be aware that achieving CMMC Level 2 or higher will require significant investment in people, process and technology.   

    Small businesses should ensure they do not sign a contract including the relevant DFARS clauses unless they plan on meeting the requirements. (If you have a contract with the relevant DFARS clauses and you need help, speak with one of our experts.) 

    Prime Contractor Expectations 

    Another essential factor to consider is prime contractor expectations. Large primes including Boeing, Lockheed Martin, HII, and Leidos expect their subcontractors to be CMMC certified as early as Fall 2025.  

    “This is swimming upstream with our capture team and business development because it is really important that they understand they just can’t pick the best solution or best partner here because I’m getting my best margin return or have a product or capacity to deal with it. 

    Now, they also have to bring forward this sort of representation of compliance, that’s what the government is asking us to do as primes.”  

    - J.R. Williamson, Senior Vice President and CISO, Leidos 

     

    Even when CMMC is not a hard requirement for a given contract, primes see certification as a competitive edge. Companies like these have every reason to choose subcontractors who have CMMC certifications over those who do not, not only to prepare for CMMC requirements as they continue to roll out, but also to secure their supply chains by using vendors with a proven track record of security.  

    Understanding DFARS Clauses 

    To meet CMMC standards, it's important to understand which contract clauses you – as a government contractor handling sensitive data – are required to adhere to.  

    DFARS 7012 was published in 2015, followed by DFARS 7019 and 7020 in 2020. These require that contractors who handle Controlled Unclassified Information (CUI) implement cybersecurity standards and practices based on NIST 800-171.  

    This regulation mandated that contractors provide a System Security Plan (SSP) that outlines processes and procedures for secure information handling, a Plan of Action and Milestones (POA&M) to address any deficiencies in the SSP, and a Risk Assessment Plan to document any threats to the system and the impact the threats could have if not mitigated. This plan must include any countermeasures implemented to mitigate the threats.  

    These three DFARS clauses serve as the foundation for protecting CUI for government contractors. And all contractors are required to flow down these requirements to their supply chain for compliance with the CMMC program.  

    If you do have a contract including a DFARS clause, FedRAMP Moderate/High cloud services can provide cost-effective capabilities and should be taken into consideration when making decisions about how best to comply with CMMC standards.   

    It’s also important that any Managed Service Provider (MSP) or Managed Security Service Provider (MSSP) used meets or exceeds their chosen CMMC level and complies with DFARS 252.204-7012, 7019, 7020 and 7021.   

    Note: DFARS 7021 requires DoD contractors to maintain the appropriate CMMC level with respect to each contract, while also ensuring any subcontractors are compliant to the same CMMC level; this will be required for the duration of the contract. Suppliers must insert DFARS 7021 language into their subcontract agreements and documentation.  

    Finally, small businesses should research state DFARS / CMMC grant programs as well as SBIRs that offer funding allowances for attaining certification and contact their local Procurement Technical Assistance Center (PTAC) or Manufacturing Extension Partnership (MEP) for assistance if needed.   

    By taking all these factors into account and planning accordingly, small businesses can ensure they meet all necessary standards in a timely manner to remain competitive.  

    Steps to CMMC Compliance  

    The urgent need for companies to become CMMC compliant is clear, but what are the steps businesses should take?  

    Here are seven steps for companies to follow in order to become CMMC compliant.  

    1. Identify the appropriate CMMC level  
    2. Identify assets for CMMC  
    3. Choose a technical design for your CMMC compliance: All-In vs Enclave 
    4. Consider Microsoft Government for your CMMC compliance 
    5. Find a Managed Service Provider (MSP) / Managed Security Service Provider (MSSP) 
    6. Prepare for a third-party CMMC assessment 
    7. Complete a CMMC assessment 

    For assistance in becoming CMMC compliant, reach out to experts at Summit 7. 

     


     


    Scott Edwards

    Scott Edwards brings 20+ years of experience in business, project management, systems engineering, training and security to Summit 7. As President of Summit 7, he is building a recognized leader in the Security, Compliance, Cloud Services and Knowledge Management space by combining the best project methodologies, a deep understanding of Microsoft Cloud Architectures, and CMMC / DFARS 252.204-7012 and NIST 800-171 / 53.
