In the U.S. government’s quest to secure the nation’s supply chain amid ongoing shortages and rising security concerns, the Defense Department announced amendments to its existing Cybersecurity Maturity Model Certification scheme. Announced in November 2021, CMMC 2.0 makes crucial changes to the maturity model’s structure to make certification more accessible and defenses more effective for contractors in the Defense Industrial Base. These changes include a complete restructuring of CMMC’s maturity levels by eliminating two of the original five ratings, improved assessment protocols that reduce costs for contractors, and the introduction of a more flexible path to certification through Plans of Action & Milestones (POA&Ms).
While small and mid-size contractors might find it tempting to take a wait-and-see approach to adjusting their internal protocols, acting sooner rather than later can yield benefits to DIB contractors of all sizes and in all sectors.
Early investments in CMMC 2.0 protocols can help DoD contractors and suppliers:
Keep their seat at the table.
The big players in defense contracting started adhering to CMMC 2.0’s new model almost overnight. After all, they have the resources to adjust on a dime — and with that comes the ability to shape certain aspects of the market. These defense contractors understand that
DoD suppliers not in compliance with CMMC 2.0 come 2026 will not be able to continue their awarded contracts.
To safeguard their contracts, these companies are already becoming hesitant to work with smaller suppliers that do not meet the new guidelines, fearing that they may not be certified once the DoD begins enforcing its new rules. The big players, like the DoD and other government agencies, have a lot to lose and, as such, prefer to work with organizations that are already meeting guidelines. After all, there is no guarantee that a company not now in compliance will get there in time.
Avoid being the weakest link.
Being quick to implement requirements shows a company’s commitment to securing its data and operational environments and those of their partners. Going above and beyond to meet expectations before it’s required can help build trust with key stakeholders, so a company isn’t viewed as the weakest link when it matters most.
Safeguard their assets.
In addition to safeguarding contracts, complying with security protocols can help protect the businesses’ assets. Experts can argue all day about whether CMMC 2.0 goes far enough to adequately protect data (and potentially infrastructure) from cyberattacks. However, we can all agree that doing something is better than doing nothing.
The fact is that maturing cybersecurity programs is a good thing for businesses, period. Better security means more protection for assets and information. After all, the financial repercussions of a cyberattack are often far more significant than the cost of implementing better security practices. Many smaller contractors don’t have the resources to take on those costs and stay afloat.
Keep time on their side.
Implementing security protocols is often time-consuming and costly. Depending on a company’s size, its functions, and the extent of the necessary upgrades, it may need years before it can meet requirements. A company may need to find experts in security in their sector and work with them at length to ensure that every control is implemented correctly and within the appropriate time frame.
Beginning the process early will help DIB contractors make the right decisions, guided by their unique needs, and meet the DoD’s deadline for CMMC 2.0 compliance in 2026.
Prepare to pivot.
Perhaps the most significant benefit to contractors that take action early to comply with CMMC 2.0 is the opportunity to more fully prepare for the next phase of cyber security best practices. Those that invest in CMMC 2.0 compliance early and thoughtfully will be better positioned to pivot as the industry’s requirements change. As technology and equipment get more advanced — and cyber attackers do the same — the DoD will inevitably revisit the CMMC to roll out a newer version. And, when it does, there is no guarantee it will give businesses another five years to catch up.
With the above in mind, defense contractors must begin taking meaningful steps toward CMMC 2.0 compliance to continue to compete. Those that do not act will risk their future projects, and the security of the supply chain at large. By taking action they will prove their commitment to securing the country’s future from cyber attackers and other disruptions. After all, taking the initiative to lead the charge toward a more secure industrial sector could mean the difference between getting the proverbial worm or going hungry.
Dominic Townsend is president of ABS Quality Evaluations, Inc.