Let’s be honest, ‘government compliance’ isn’t exactly the most exciting dinner conversation. However, for organizations in the defense supply chain, it’s a critical factor. The Cybersecurity Maturity Model Certification (CMMC) is no longer a vague future requirement – it’s a present reality.
The CMMC final rule was published on October 15, 2024, with an effective date of December 16, 2024. This means that companies should be actively working towards CMMC compliance, as the regulations are now enforceable. (We’ll delve deeper into the specifics of enforcement and timelines later in this guide.)
Navigating the landscape of CMMC requirements can feel like wading through a minefield of outdated information. A quick Google search often yields results that are years old, leaving organizations confused and potentially non-compliant. This guide cuts through the noise, providing you with the latest CMMC updates and insights you need to stay ahead of the curve.
What is CMMC?
CMMC is a critical framework developed by the Department of Defense (DoD) to enhance the security of the Defense Industrial Base (DIB). It establishes a standardized set of cybersecurity requirements that contractors and subcontractors must meet to protect Controlled Unclassified Information (CUI). CUI is sensitive information, relating to DoD projects, that does not meet the standards for full classification but still needs to be protected. It is a uniform marking system which replaced a variety of agency-specific markings. See this page for a full registry of what qualifies as CUI.
CMMC further standardizes the system of CUI protection by replacing the previous self-attestation model with a more rigorous system of third-party assessments and certifications, ensuring greater accountability and consistency across the DIB. To understand how we arrived at this point, let’s explore the evolution of CMMC.
Looking for an abbreviated overview? Check out this Executive Summary article by our CEO, Brad Hettenhausen.
The Evolution of CMMC Requirements
While cybersecurity requirements have long existed within the Defense Industrial Base (DIB), primarily through Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 and related clauses, the implementation and verification of these requirements have evolved significantly. This clause mandated compliance with NIST Special Publication 800-171 Revision 2 for organizations handling Controlled Unclassified Information (CUI). While DFARS 7012 represented a significant step forward, the reliance on self-attestation led to inconsistent implementation and presented challenges in verifying actual compliance.
CMMC addresses these shortcomings by building upon the foundation of DFARS 7012 and NIST SP 800-171 Revision 2. It introduces a more structured and verifiable approach, incorporating the existing requirements and adding a crucial layer of independent, third-party assessments and certifications. This framework is being rolled out incrementally, culminating in an as-yet-unannounced date when all new DoD contracts will require CMMC certification as a condition of award, making it a mandatory prerequisite for bidding on and winning government contracts.
CMMC Levels and Assessment
CMMC consists of three levels of assessment:
- Level 1 (Foundational): This level focuses on basic cyber hygiene and encompasses 17 security controls derived from DFARS clause 252.204-7012. These controls represent fundamental cybersecurity best practices that most organizations can readily implement. Examples include using antivirus software, regularly patching systems, and having strong passwords. It’s important to note that while Level 1 compliance is a good starting point, it is no longer sufficient for organizations seeking to bid on DoD contracts requiring CMMC.
- Level 2 (Advanced): This is the crucial level for most DoD contractors. It requires full compliance with NIST SP 800-171 Revision 2, which covers 110 security controls. Key control families include Access Control, Incident Response, and System and Communications Protection. Level 2 requires a third-party assessment conducted by a Certified Third-Party Assessor Organization (C3PAO), replacing the previous self-assessment model.
- Level 3 (Expert): This is the most stringent level, based on both NIST SP 800-171 Revision 2 and NIST SP 800-172. It involves protecting CUI related to critical programs and includes all 110 controls from NIST SP 800-171 Rev. 2 plus additional, more stringent controls from NIST SP 800-172. These additional controls focus on enhanced threat detection and mitigation capabilities. Only a select few organizations handling the most sensitive CUI will be required to achieve Level 3. Most DoD contractors will pursue Level 2 compliance.
Current SPRS Reporting Requirements
Updated March 18, 2025
The DoD has expanded the reporting capabilities within the Supplier Performance Risk System (SPRS). Previously, organizations were limited to reporting their CMMC Level 1 self-assessment. Now, contractors can also submit their Level 2 self-assessment scores directly to SPRS.
Here’s a breakdown of the reporting options:
- Level 1 Self-Assessment: This remains a simplified assessment, requiring organizations to answer two key questions:
  - How many employees in the organization does the self-assessment apply to?
  - Are you compliant with FAR 52.204-21 (which encompasses the 17 basic security controls)?
- Level 2 Self-Assessment: This is a more detailed assessment that requires organizations to enter the compliance status for each of the NIST SP 800-171 Rev 2 controls.
  - For each control, you must indicate whether it is “Met,” “Not Met,” or “N/A.”
  - Once completed, the system automatically calculates your overall score.
- Conditional Self-Assessment: SPRS also allows for a conditional self-assessment, which is valid for 180 days. This option is likely intended for organizations with Plans of Action and Milestones (POAMs) in place, allowing them to demonstrate progress toward full compliance.
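The score SPRS calculates from the per-control statuses follows the DoD Assessment Methodology for NIST SP 800-171: start at 110 and deduct each unmet control's weight of 1, 3 or 5 points. The Python below is an added example written for this guide; it is not SPRS code or GadellNet tooling. The control weights it carries are a small constructed subset whose point values are this example's assumption and must be checked against the official methodology before use, the "Partial" status and its reduced deductions model the methodology's partial-credit cases and go beyond the three statuses the SPRS form offers, and the sample assessment is constructed data. It also orders unmet controls by points at stake, which is a reasonable starting point for drafting the POAMs mentioned above.

```python
"""Illustrative scoring of a NIST SP 800-171 Rev 2 self-assessment.

Added example, not SPRS code. Models the DoD Assessment Methodology rule as
this example understands it: start at 110 and deduct each unmet control's
weight (1, 3 or 5 points). Verify every weight against the official
methodology before relying on it.
"""
from typing import Dict, List, Tuple

MAX_SCORE = 110

# Constructed subset of control weights (assumption: a handful of the 110
# controls with the point values this example assigns them). The full table
# lives in the DoD Assessment Methodology, not here.
CONTROL_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.5": 3,    # least privilege
    "3.1.20": 1,   # verify and control connections to external systems
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.1": 5,   # identify, report and correct system flaws
}

# Controls that lose fewer points when partially implemented
# (assumption modelled on the methodology's partial-credit cases).
PARTIAL_DEDUCTION: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUSES = {"Met", "Not Met", "N/A", "Partial"}


def deduction_for(control: str, status: str,
                  weights: Dict[str, int] = CONTROL_WEIGHTS) -> int:
    """Points lost for one control given its reported status."""
    if status not in VALID_STATUSES:
        raise ValueError(f"{control}: unknown status {status!r}")
    if control not in weights:
        raise KeyError(f"{control}: no weight known for this control")
    if status in ("Met", "N/A"):
        return 0  # N/A is treated like Met: nothing is deducted
    if status == "Partial":
        if control not in PARTIAL_DEDUCTION:
            raise ValueError(f"{control}: partial credit is not defined")
        return PARTIAL_DEDUCTION[control]
    return weights[control]  # status is "Not Met"


def score_assessment(statuses: Dict[str, str]) -> int:
    """Overall score: MAX_SCORE minus the weighted deductions."""
    return MAX_SCORE - sum(deduction_for(c, s) for c, s in statuses.items())


def remediation_priority(statuses: Dict[str, str]) -> List[Tuple[str, int]]:
    """Unmet controls ordered by points at stake (highest first) for POAM planning."""
    gaps = [(c, deduction_for(c, s)) for c, s in statuses.items()]
    gaps = [(c, p) for c, p in gaps if p > 0]
    return sorted(gaps, key=lambda cp: (-cp[1], cp[0]))


# Constructed sample self-assessment (not real data).
SAMPLE_STATUSES: Dict[str, str] = {
    "3.1.1": "Met",
    "3.1.2": "Met",
    "3.1.3": "Not Met",
    "3.1.5": "Not Met",
    "3.1.20": "N/A",
    "3.5.3": "Partial",
    "3.13.11": "Met",
    "3.14.1": "Not Met",
}

if __name__ == "__main__":
    print("score:", score_assessment(SAMPLE_STATUSES))
    for control, points in remediation_priority(SAMPLE_STATUSES):
        print(f"  {control}: {points} point(s) at stake")
```

Running it with the sample data yields a score of 98 (deductions of 1 + 3 + 3 + 5 from 110) and puts 3.14.1 at the top of the remediation list. The point of the weighting is that a single unmet 5-point control costs as much as five unmet 1-point controls, so a POAM that closes the heavy controls first recovers score fastest.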
Key Considerations:
- While the ability to report Level 2 self-assessments is now available, it’s crucial to remember that this is still a self-assessment. It does not replace the requirement for a formal, third-party CMMC Level 2 assessment by a Certified Third-Party Assessor Organization (C3PAO) when that becomes a requirement for your contracts.
- It is also important to remember that these self-assessments are being done in the SPRS system, which requires a PIEE account.
- Your organization must have a CAGE code, or Unique Entity ID, from sam.gov to use the SPRS system.
Organizations should utilize these expanded reporting capabilities to accurately reflect their current cybersecurity posture within SPRS. This update underscores the DoD’s ongoing efforts to enhance supply chain security and the importance of proactive CMMC preparation.
The Strategic Advantage of a CMMC Readiness Partner
Navigating the complexities of Level 2 CMMC compliance can be a daunting task. While the ultimate goal is to achieve certification through a Certified Third-Party Assessor Organization (C3PAO), the journey to that point requires meticulous preparation. This is where a strategic readiness partner, like GadellNet, proves invaluable.

Why Choose a Readiness Partner?
- Expert Guidance from CMMC RPs: Strategic Consulting teams should consist of highly skilled CMMC Registered Practitioners (RPs). These experts provide an initial, in-depth review of your current NIST SP 800-171 Rev 2 control implementation. This isn’t just a checklist exercise; it’s a tailored walkthrough of your environment, designed to identify potential gaps and create a customized readiness engagement.
- Comprehensive Readiness Engagement: Your Roadmap to CMMC Success:
  - A Readiness Engagement should be designed to provide you with a clear and actionable roadmap to CMMC Level 2 compliance. This isn’t a superficial review; it should be a deep-dive analysis of your existing cybersecurity posture against the 110 controls of NIST SP 800-171 Rev 2.
  - During this engagement, CMMC RPs will:
    - Conduct detailed interviews with key personnel.
    - Review existing documentation and policies.
    - Perform a thorough assessment of your technical environment.
    - Identify and document any gaps in your current implementation.
    - Provide expert assistance in developing and writing the required cybersecurity policies, tailored to your organization’s unique needs.
    - Offer specific and actionable recommendations for technical changes and business practice adjustments to ensure full compliance.
    - Develop a tailored Plan of Action and Milestones (POAMs) to guide your remediation efforts.
    - Create a foundational System Security Plan (SSP) to be worked on during the engagement.
  - The outcome of this engagement is a comprehensive report that provides a clear understanding of your current readiness level and a step-by-step plan to achieve full compliance. This proactive approach allows you to address potential issues early, minimizing the risk of costly delays and ensuring a smoother path to CMMC certification.
  - This is not a one-and-done meeting; an RP will work closely with the client during the entire readiness engagement.
- Cost-Effective Preparation: Engaging a readiness partner early can significantly reduce the risk of costly setbacks during a formal C3PAO assessment. By identifying and addressing vulnerabilities upfront, you avoid potential delays and expenses associated with failed audits.
- Streamlined Mock Audits: Once your organization has addressed the identified gaps, a partner will facilitate a thorough mock audit. This detailed assessment, conducted with mock auditors, provides a realistic preview of the C3PAO experience. Upon completion, you should have:
  - Complete evidence documentation for each CMMC Level 2 control.
  - Comprehensive Plans of Action and Milestones (POAMs) for any remaining remediation.
  - A fully developed System Security Plan (SSP).
- Clear Path to Certification: Following the mock audit, you’ll have a clear understanding of your readiness. You’ll either be fully prepared to schedule your C3PAO assessment or have a concise list of final adjustments to make.
- Mitigating Risk and Maximizing Efficiency: A strong partner will help you avoid the pitfalls of premature C3PAO assessments, saving you time, money, and the potential loss of contract opportunities due to missed deadlines.
- Tailored Engagements: Every organization is unique, and your readiness engagements should be tailored to your specific needs, ensuring you receive the most effective and efficient support.
The Future of CMMC: When Do I Need to Be CMMC Compliant?
While the CMMC Program Rule has been finalized and published, the process of incorporating CMMC requirements into all applicable DoD contracts is still underway. Here’s a breakdown of the key elements and what they mean for organizations seeking DoD contracts:
- CMMC Assessments Have Begun Q1 2025:
  - Organizations can now pursue CMMC assessments and certifications. This allows companies to get certified in preparation for future contract requirements.
- Phased Implementation:
  - The DoD is planning a phased rollout of CMMC. This approach will likely begin with certain contracts requiring Level 2 certifications, with Level 3 requirements to follow.
- DFARS Clause Revision:
  - The crucial factor determining when CMMC becomes a mandatory contract requirement is the revision of the relevant DFARS clause (likely 252.204-7021 or a similar clause). This revised clause will specify the exact timeline and which contracts will require CMMC certification.
- DFARS Clause Publication and Waiting Period:
  - Once the revised DFARS clause is finalized, it will be published in the Federal Register. There will be a mandatory 60-day waiting period after publication before the CMMC requirements can be incorporated into DoD contracts. Organizations should closely monitor the Federal Register for updates on this clause.
Navigating Uncertainty: Regulatory Freeze and Preparation
There is discussion that a temporary regulatory freeze could affect the CMMC implementation timeline. While regulatory freezes can introduce uncertainty, many experts in the CMMC field believe that the program’s underlying importance to national security makes it less likely to be significantly impacted. They point to the bipartisan support for cybersecurity initiatives and the existing contractual obligations of many defense contractors as reasons to expect the program to continue, even if there might be some adjustments to the timeline.
While the overall CMMC program has been established with the publication of the programmatic rule, the specific DFARS clauses that will formally incorporate CMMC into government contracts may still be under development and could be subject to review under a regulatory freeze. This means that the precise timing for CMMC becoming a mandatory requirement in all DoD solicitations could be affected.
This potential extended timeline, while offering a bit of breathing room, shouldn’t be mistaken for a reason to delay preparation. CMMC compliance is a complex undertaking, and even a gradual rollout means organizations need to begin the process now. A potential regulatory pause, while uncertain in its impact, could actually be a benefit for those who start early. It provides a buffer to thoroughly address any gaps, refine their security posture, and ensure they’re fully prepared when the requirements become firm. Don’t wait – proactive preparation is key to a smooth and successful CMMC journey.
GadellNet’s CMMC Commitment
At GadellNet, we believe in leading by example. That’s why we are actively pursuing CMMC Level 2 certification, despite recent modifications to the requirements that suggest MSPs may not be explicitly mandated to do so. We understand the inherent risks of managing client environments that handle Controlled Unclassified Information (CUI). Our team often has access to sensitive data during our daily operations, and we believe it’s our responsibility to ensure that our security posture aligns with the highest standards. By achieving CMMC Level 2, we demonstrate our unwavering commitment to protecting our clients’ data and contributing to a more secure Defense Industrial Base. We believe it’s critical to have an MSP (and toolsets) that is also compliant because the odds of us accidentally seeing CUI data when managing a client’s environment are high. We are dedicated to being a trusted partner, not a potential security liability.
Don’t risk your DoD contracts. Partner with GadellNet to ensure a smooth, efficient, and successful CMMC Level 2 certification process.

If you need to provide a summary of CMMC to your team, check out this Executive Summary article. Ready to have a conversation with our experts? Contact us today to discuss how we can support CMMC
To stay fully informed on CMMC developments, it’s essential to monitor official government sources. Here’s a list of key websites to follow:
- SAM.gov (System for Award Management): https://sam.gov/content/home
  - This is the primary resource for government contracting updates, including regulatory changes. You’ll also need SAM.gov to obtain your CAGE code/Unique Entity ID.
- Department of Defense (DoD) News: https://www.defense.gov/News/
  - The DoD publishes press releases and news articles on its official website, providing valuable insights into defense-related policies.
- Federal Register: https://www.federalregister.gov/
  - This is where federal agencies publish their official rules and regulations, including the CMMC Program Rule and any future DFARS clause revisions.
- The White House Briefing Room: https://www.whitehouse.gov/briefing-room/
  - This is the primary source for presidential press releases and official statements.