For companies still treating the Cybersecurity Maturity Model Certification (CMMC) as an IT-only concern, the risks are growing. Developed by the U.S. Department of Defense (DoD), CMMC is a cyber risk management framework that verifies how well an organization implements required security practices, and it is becoming a condition of award for companies in the DoD supply chain. The department has already begun enforcing stricter compliance measures, and suppliers that fail assessments or submit inaccurate self-assessments could face damaging contract suspensions or loss of eligibility.
Achieving CMMC compliance is not a one-time project. It is an ongoing process that requires continuous monitoring, periodic assessments, and a commitment to consistent security across the whole organization. The phrase 'as strong as the weakest link' applies here: a single unremediated weakness at one supplier can be exploited by hostile actors, potentially leaving an entire DoD supply chain exposed.
Tightening Regulations
Any company department handling covered defense information, whether it is marked in DoD contracts, task orders and delivery orders or collected by the contractor while performing the contract, must adjust its behavior and processes accordingly. These requirements are set out in DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and affect every individual, team and company handling Controlled Unclassified Information (CUI). Federal Contract Information (FCI) is covered separately by the basic safeguarding requirements of FAR 52.204-21; CMMC addresses both.
As well as making implementation of the National Institute of Standards and Technology Special Publication 800-171, 'Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations' (NIST SP 800-171), mandatory for contractors, DFARS Clause 252.204-7012 looks further into the supply chain.
Specifically, if the contractor intends to use an external cloud service provider to store, process or transmit any covered defense information in performance of the contract, further security measures must be taken. The contractor must ensure that the cloud service provider meets security requirements equivalent to those the Government has established for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.
Alongside this, the cloud service provider must also comply with the cyber incident reporting, malicious software handling, and media preservation and protection requirements set out in DFARS Clause 252.204-7012. This extends to providing access to additional information and equipment necessary for forensic analysis and cyber incident damage assessment.
Security and Self-Certification
Though the DFARS clause required contractors to implement NIST SP 800-171 by no later than December 31, 2017, supply chain organizations were in practice given a runway to 2020 to establish the systems and protocols needed. Crucially, from November 2020 these companies were also required to self-assess against NIST SP 800-171 using the DoD Assessment Methodology and post the resulting score to the Supplier Performance Risk System (SPRS), covering cybersecurity posture and risk management practices across the standard's 14 requirement families.
On a score ranging from +110 (every requirement implemented) down to -203 (nothing implemented), several hundred companies reviewed their processes and gave themselves a perfect score. However, when the DoD performed spot checks on these companies during the Biden Administration, the assessed marks differed wildly from the self-reported ones, with some scores as low as -130.
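The gap between a self-reported 110 and a spot-checked -130 comes down to how the DoD Assessment Methodology scores each unimplemented requirement. The following Python is an added example written for this page, not the author's or DoD's code: it applies the methodology's weighted-deduction rules (stated as assumptions in the module docstring) to a constructed, illustrative subset of requirements and weights, then scores the same environment twice, once as an honest assessment and once as an optimistic self-attestation. The requirement weights shown are not the real Annex A table; the real table covers all 110 requirements and yields the 110 to -203 range.

```python
"""NIST SP 800-171 DoD Assessment scoring (the number a contractor posts to SPRS).

Scoring rules, taken from the DoD Assessment Methodology and stated here as
assumptions of this example:
  * start at one point per requirement (110 for the full catalogue);
  * subtract each requirement's weight (5, 3 or 1) when it is not implemented;
  * 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated
    cryptography) earn partial credit: subtract 3 rather than 5 when partly met;
  * a requirement that is still open on a POA&M counts as not implemented.
With the real 110-requirement weight table the score runs from 110 to -203.
The requirements and weights below are a constructed, illustrative subset.
"""
from dataclasses import dataclass

# Requirements that get partial credit, with the reduced deduction (assumption).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
VALID_STATUSES = {"implemented", "partial", "not_implemented", "poam"}


@dataclass(frozen=True)
class Requirement:
    rid: str      # NIST SP 800-171 requirement number, e.g. "3.1.1"
    weight: int   # 5, 3 or 1 (illustrative values here, not Annex A)


@dataclass(frozen=True)
class Finding:
    rid: str
    status: str   # one of VALID_STATUSES


def dod_assessment_score(requirements, findings):
    """Return (score, deductions); deductions lists (rid, points) taken off."""
    weights = {r.rid: r.weight for r in requirements}
    if sorted(weights) != sorted(f.rid for f in findings):
        raise ValueError("each requirement needs exactly one finding")
    score = len(requirements)          # maximum: one point per requirement
    deductions = []
    for f in findings:
        if f.status not in VALID_STATUSES:
            raise ValueError(f"{f.rid}: unknown status {f.status!r}")
        if f.status == "implemented":
            continue
        if f.status == "partial":
            if f.rid not in PARTIAL_CREDIT:
                raise ValueError(f"{f.rid}: no partial credit; use not_implemented")
            points = PARTIAL_CREDIT[f.rid]
        else:                           # not_implemented or poam: full weight
            points = weights[f.rid]
        score -= points
        deductions.append((f.rid, points))
    return score, deductions


# Constructed sample: eight requirements with illustrative weights.
SAMPLE_REQUIREMENTS = [
    Requirement("3.1.1", 5), Requirement("3.1.2", 5), Requirement("3.1.20", 1),
    Requirement("3.3.1", 5), Requirement("3.5.3", 5), Requirement("3.7.2", 3),
    Requirement("3.8.3", 3), Requirement("3.13.11", 5),
]

# What an honest assessment of the environment found (constructed).
HONEST_FINDINGS = [
    Finding("3.1.1", "implemented"), Finding("3.1.2", "implemented"),
    Finding("3.1.20", "not_implemented"),   # external systems not controlled
    Finding("3.3.1", "poam"),               # audit logging planned, not live
    Finding("3.5.3", "partial"),            # MFA for admins/remote, not all users
    Finding("3.7.2", "implemented"), Finding("3.8.3", "not_implemented"),
    Finding("3.13.11", "partial"),          # encryption in use, not FIPS validated
]

# The same environment self-attested as fully compliant (constructed).
OPTIMISTIC_FINDINGS = [Finding(r.rid, "implemented") for r in SAMPLE_REQUIREMENTS]


def compare_attestations():
    """Score the honest and the optimistic self-assessment of the same system."""
    honest, _ = dod_assessment_score(SAMPLE_REQUIREMENTS, HONEST_FINDINGS)
    optimistic, _ = dod_assessment_score(SAMPLE_REQUIREMENTS, OPTIMISTIC_FINDINGS)
    return honest, optimistic


if __name__ == "__main__":
    honest, optimistic = compare_attestations()
    print(f"honest score: {honest}, self-attested score: {optimistic}")
```

Two design points matter for a practitioner. A POA&M entry is deliberately scored as not implemented, because the methodology gives no credit for planned work; and partial credit is only allowed for the two requirements that the methodology names, so marking any other requirement "partial" is rejected rather than silently rounded up. Both choices are what separate the honest column from the optimistic one in a spot check.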
Bridging Knowledge Gaps
The CUI Program was established by Executive Order 13556 and is implemented across executive branch agencies and departments through 32 CFR part 2002. The CMMC Program itself is codified separately in 32 CFR part 170: that rule was published in the Federal Register on October 15, 2024 and became effective on December 16, 2024. It sets out the requirements of the CMMC program, which aims to improve the cybersecurity posture of defense contractors. Following the change of leadership in the executive branch, 48 CFR was amended on March 28, 2025, reflecting the administration's willingness to enforce compliance with the CMMC program.
Title 48 of the Code of Federal Regulations (CFR) is the Federal Acquisition Regulations System (FAR), which governs how the federal government acquires goods and services, so it is the vehicle through which CMMC requirements reach individual contracts. Despite the progress these updates represent, uncertainty remains in the supply chain about which responsibilities contractors must adopt and how quickly they must implement them. That actual or perceived confusion is an ongoing issue: with such a contrast between what contractors consider acceptable practice and what the DoD expects of them, a knowledge gap clearly exists between the supply chain and the department.
Organizations that felt they were prepared from as early as 2017 may now find themselves falling into CMMC non-compliance. For companies dependent on federal contracts, this unexpected exposure and lack of assurance could have pronounced financial and reputational repercussions.
The need to overhaul existing cybersecurity practices comes at a challenging time for small and medium-sized enterprises (SMEs), as many lack the resources to deploy extensive teams for the work required to achieve and enforce compliance. Skill shortages may be another obstacle in the rush to return to CMMC compliance, as IT security leaders may not be able to recruit personnel with the required competences.
Leveraging Supply Chain Expertise
Yet where the supply chain has presented obstacles, it can also be part of the solution. The complexity of the compliance requirements, combined with this knowledge gap, means SMEs are advised to leverage third-party expertise to evaluate their CMMC maturity and recommend where current protocols need adjusting.
Given the urgency of this task, IT stakeholders at affected companies should thoroughly vet any potential partner before an assessment begins. First, they should ensure that any engaged experts are at minimum CMMC Registered Practitioners (RPs), and preferably CMMC Certified Professionals (CCPs) and CMMC Certified Assessors (CCAs) accredited through the Cyber-AB. This helps ensure that any ensuing CMMC preparations align with the official CMMC assessments carried out by Certified Third-Party Assessment Organizations (C3PAOs).
Clarifying a Roadmap
From this foundation, a gap analysis is key: the practitioner identifies where the company already meets, and where it falls short of, the requirements of the maturity level it is seeking to achieve. Interviews, documentation reviews and searches for other evidence should be expected as part of this process.
At this point, the expert agency should be able to consolidate all findings into a single gap analysis and practical compliance roadmap report that can be reviewed by executive leadership and operational team members. This should include recommendations on practice improvements and remediation activities in a format consistent with a Plan of Action and Milestones (POA&M), so that progress on each item can be tracked.
The ability to put together a clear, actionable plan is pivotal to overall assurance and to the specific implementation of CMMC-compliant protocols. Such clarity cannot be overestimated: it is the bedrock from which best practice is built and rolled out across company departments, from IT outward.
Ensuring Ongoing Support
Beyond this planning stage, well-structured project management should be a priority to further bolster company-wide assurance and accuracy. Considering the importance of CMMC compliance for contractors working with the DoD, the ability to consult third-party expertise can help teams identify the most effective remediation measures to meet requirements. Furthermore, access to such resources can help establish high-quality reporting and progress updates to senior management and executive stakeholders.
A full-scope CMMC pre-assessment that directly mirrors the C3PAO's approach and techniques is another critical step in the compliance process, as it gives IT security professionals and senior management comprehensive reporting on any deficiencies and how they can be addressed. By adopting this end-to-end process from gap analysis to audit preparation, organizations can be confident that they are well positioned to achieve the SPRS score and the assessment result required for CMMC compliance.
Achieving and maintaining CMMC compliance is a multifaceted and ongoing endeavor that requires a comprehensive approach. By leveraging third-party expertise to conduct thorough gap analyses and implement well-structured, stage-by-stage action plans, companies can best ensure they meet the stringent requirements set forth by the DoD.
Continuous monitoring, periodic audits, and effective project management are essential to maintaining high levels of cybersecurity and protecting sensitive information. Ultimately, a proactive and informed approach to CMMC compliance will safeguard not only the integrity of the supply chain but also the reputation and operational stability of the companies involved.
About the Author
Brian Rhodes is a cybersecurity professional with extensive experience in Governance, Risk, and Compliance (GRC). Currently serving as Head of CMMC, Americas, at LRQA, Inc., Brian leads strategic initiatives that help organizations achieve compliance with the Cybersecurity Maturity Model Certification (CMMC) and NIST SP 800-171. A Certified CMMC Professional (CCP), he is dedicated to advancing cybersecurity resilience across the defense industrial base.
As a recognized industry thought leader, Brian conducts monthly educational webinars to inform and engage the broader CMMC ecosystem while training and mentoring LRQA staff on compliance best practices. Before joining LRQA, he held a leadership position at iFORTRISS, Inc., specializing in business development within the GRC sector.
Prior to iFORTRISS, Brian served as an Enterprise Solutions Executive at Comcast Business, Inc., where he managed nationwide accounts within Fortune 100 companies, delivering solutions across the retail, healthcare, technology and hospitality sectors. Earlier in his career, he spent several years at Apple, Inc., leading and training in the Higher Education space.
With a career marked by strong performance and a deep commitment to cybersecurity, Brian continues to drive meaningful impact in the GRC space. His expertise in CMMC, regulatory compliance and cybersecurity strategy makes him a sought-after leader and advisor in the industry. Passionate about knowledge sharing and professional growth, he remains dedicated to empowering organizations to strengthen their cybersecurity posture and achieve compliance excellence.