Monday, November 17, 2025

CMMC Implementation in the War Department: What It Means for National Security and Federal Contractors

Exploring how the Cybersecurity Maturity Model Certification (CMMC) framework is reshaping defense contracting, compliance, and national security policy

Foreword by Kenneth W. Bible, P.E.

In 2021-22, while serving as the Chief Information Security Officer (CISO) for the Department of Homeland Security, my team and I launched an initiative in concert with DHS procurement officials to improve the cybersecurity of America’s industrial base using the contracting power of the Department … one of the Secretary’s Strategic Infrastructure Transformation initiatives. This took the form of developing a means to routinely assess the cybersecurity posture maturity of every contract in the Department against the NIST cybersecurity standards implemented through the existing Homeland Security Acquisition Regulations (HSAR), and to use the results both to inform a new evaluation factor for new contracts and to let the government “grade” the cybersecurity maturity of existing contracts to inform contractor performance ratings in CPARS. We implemented this Cyber Hygiene Assessment (CHA) Program Department-wide over the course of a mere two years, due in large part to the creativity of our partners in the procurement legal function in avoiding a new rule-making process.

In parallel, the Department of War continued a journey of more than a dozen years to set in place the elements of the Cybersecurity Maturity Model Certification (CMMC) program—justifiably born out of frustration with persistent exfiltration of sensitive program data from defense projects and programs. CMMC essentially sought to “inspect what you expect” in terms of sound cybersecurity practices by the defense industrial base (DIB).

Neither effort changed the fundamental requirements for complying with NIST cybersecurity controls and practices when handling Controlled Unclassified Information (CUI). Rather, both efforts sought to change the way we require industry to see cybersecurity … not as a voluntary compliance exercise, but as table stakes for doing business with the government.

Author Ben Shotzberger expands on these thoughts in his article on the formal launch of CMMC for the DIB next month. Ben was kind enough to speak with me about the implications for the broader civilian executive agencies, which gave me the opportunity to share some lessons learned in launching the DHS CHA program: implications for small and medium-sized businesses, missions depending upon non-traditional industry partners (particularly abroad). And perhaps how the two approaches complement one another, particularly for strengthening CMMC’s currently self-assessed levels with a government-determined assessment.

It is said that a destination is never a place, but a new way of seeing things. Now, at the end of Cybersecurity Awareness Month, it’s a wholly appropriate time to visit how far we’ve come with our efforts. And to gauge if we are succeeding in changing views of cybersecurity in industry from being a place … a checkbox view of a point in time … and into a culture.

********

As we close Cybersecurity Awareness Month, we should be turning our heads to the future; in this case, the immediate horizon. In a September 10, 2025, publication in the Federal Register, the Department of War (DOW; formerly Defense) finalized the DFARS rule under which, as of November 10, 2025, new solicitations and contracts may carry Cybersecurity Maturity Model Certification (CMMC) requirements. In short, where a solicitation specifies a CMMC level: no required CMMC status = no award. In this two-part series, we dive into what CMMC is, the history behind its evolution, and its applicability across the national security community. Part 2 will address cost estimates, recommendations, a breakdown of the requirements, internal activities that can prepare an organization, and resources available should outside help be desired. CMMC is here, implementation is ongoing, and it (or at least the underlying practice of cyber hygiene and a culture of security) needs to be at the center of any corporate discussion on growing business with the United States government.

Full CMMC implementation is scheduled as a phased rollout over the next four years. So, while this is very much a now concern for those companies with a DOW portfolio of business, any company with a national security contract focus – be that with the Departments of State, Homeland Security, Justice or the Intelligence Community agencies – would do well to take this as a sign that CMMC, or something modeled on it, may be on the horizon across the government. Note especially that CMMC requirements flow down to subcontractors that will process, store, or transmit FCI or CUI; all vendors will need to pay attention to how CMMC impacts their pipelines.

There are steps that can be taken to prepare for CMMC. Some are low- or no-cost internal measures of shoring up documentation and establishing processes/procedures. Others will require significant financial investment on the part of a firm moving towards obtaining and maintaining certification at Level 2 or higher. There are external consultants and vendors who offer assistance in preparing for and maintaining CMMC certification across all levels. 

KC Fairchild, the Chief Risk Officer for Digital Cloak, expands, “A strong security culture is of utmost importance to any organization. Today’s threat actors are relentless in both their escalating frequency and sophistication of attacks. Building, cultivating, and maintaining a culture of security within your organization turns your employees into the first and strongest line of defense against threats and improves your organization’s overall resilience and reputation. Having a strong culture of security in your organization helps you keep up with the mounting threats and vulnerabilities facing the networks and systems you use to store, manage, and transmit CUI and FCI data. While some may see CMMC as a checklist to complete and then file until the next assessment comes due, one of the most critical components of CMMC resides in the continuous monitoring aspect of the model. The building blocks of continuous monitoring are general information security, identifying threats and vulnerabilities, and then mitigating these threats and vulnerabilities through a robust risk management framework. Your FSO should be working hand-in-hand with your IT department to deliver security awareness around all new threats and vulnerabilities to your staff. Your FSO and IT department should also be keeping abreast of the evolving tactics, techniques, and procedures used by threat actors. At the end of the day, you want to be compliant not only because you must, but because it’s the right thing to do for your business and for national security.” 

Digital Cloak, LLC is a technical solutions provider currently partnered with and providing support across DoD, within DHS, and to commercial organizations. They develop custom solutions in the areas of network and infrastructure design, systems engineering, cybersecurity, and mission assurance with a focus on minimizing risk and maximizing security.

If not started already, it may be advisable to begin planning *now,* as the path to certification – and even to a Level 1 self-assessment – will require significant effort on your part, and Level 2 third-party assessment organizations are already reporting that they are booking out 4-6 months from time of contact. This will be neither something you are able to tackle overnight nor something you can finish in a single fiscal quarter. Do not wait until the release of an RFP you intend to pursue to discover that you cannot meet its CMMC certification or self-assessment and affirmation requirement. This is not just a check-the-box exercise; this is a call to action to put proactive security at the forefront of corporate culture.

What is CMMC? 

The Cybersecurity Maturity Model Certification is a comprehensive framework developed by the U.S. Department of Defense (DOD, changed to the Department of War on September 5, 2025) to standardize and strengthen cybersecurity practices across the Defense Industrial Base (DIB). Its primary goal is to ensure that contractors and subcontractors handling sensitive government information, such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), implement appropriate security measures to protect against evolving cyber threats. If this sounds familiar, it’s because CMMC can also be thought of as an evolution of cybersecurity control efforts that have been in place for decades. 

Federal Contract Information (FCI): As defined in section 4.1901 of the Federal Acquisition Regulation (FAR), FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, excluding information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.”

Controlled Unclassified Information (CUI): As outlined in Title 32 CFR 2002.4(h), CUI is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” For more information regarding specific CUI categories and subcategories, see the DoD CUI Registry website, and NARA CUI registry website (links below).

CMMC at DOW does not remove the existing DFARS requirements; it adds verification on top of them. DFARS 252.204-7012 still requires contractors handling covered defense information to implement NIST SP 800-171, and DFARS provision 252.204-7019 and clause 252.204-7020 still require a NIST SP 800-171 DoD Assessment score to be posted in the Supplier Performance Risk System (SPRS). Previously, however, a contractor could simply attest to its compliance and post its own score without independent verification. CMMC introduces third-party (C3PAO) or government (DIBCAC) assessments for many contracts involving CUI and a formal certification status, ensuring a higher and more consistent standard of cybersecurity across DOW contractors.

CMMC aims to strengthen national security by addressing the persistent threat of cyberattacks targeting the defense supply chain. The framework standardizes cybersecurity practices across all contractors, ensuring a consistent and reliable approach to risk management. CMMC certification will now be a prerequisite for bidding on or participating in DOW contracts, making compliance essential. 

Note: Under Title 48 CFR (the DFARS rule), the program office or requiring activity for a given contract determines the CMMC level, based on the type of information (FCI or CUI) the contractor will handle. The requirement appears in solicitations as provision DFARS 252.204-7025, which governs eligibility for AWARD (an offeror may still submit a proposal, but cannot receive the award without the required CMMC status). DFARS 252.204-7021 is the contract clause that appears at the time of award. Provisions apply during solicitation; clauses apply to the contract.

The model can help organizations strengthen their overall cybersecurity posture and align with federal regulations. Whether CMMC in practice proves to be the panacea for cybersecurity concerns remains to be seen, but regardless of its success or failure as a practice, the principles behind it are worthwhile across the federal and private sectors.

Levels of Certification – Mapping Cybersecurity Requirements to Information Sensitivity 

CMMC 2.0, the current version, streamlines the original five-level model into three distinct certification levels, each reflecting the sensitivity of the information an organization handles and the corresponding rigor of cybersecurity required.

Image credit: dodcio.defense.gov

Level 1: Foundational
This level focuses on the basic safeguarding of FCI. Organizations must implement 15 fundamental security requirements, as specified in FAR clause 52.204-21. These requirements are designed to provide a baseline of protection for information that is not intended for public release. Level 1 certification typically involves an annual self-assessment and affirmation of compliance.

Level 2: Advanced
Level 2 is designed for organizations that handle CUI. It requires compliance with all 110 security requirements outlined in NIST SP 800-171 Revision 2. The goal at this level is to provide broad protection for CUI against a wide range of cyber threats. Depending on the contract, organizations may need to undergo either a self-assessment or a third-party assessment every three years, along with annual affirmation of compliance.

Level 3: Expert
The highest level, Level 3, is intended for organizations managing the most sensitive CUI, particularly where there is a risk from advanced persistent threats (APTs), such as nation-state actors. Level 3 requires all Level 2 requirements plus a selected subset of the enhanced requirements from NIST SP 800-172, which are more stringent and tailored to counter sophisticated cyber threats. Assessment at this level is conducted by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years, with annual affirmation of compliance.

Understanding the requirements and sensitivity levels associated with your current or future contracts is vital for determining the overall level of effort that will be required to prepare for, obtain and maintain CMMC certification.

Timeline of CMMC and history:

CMMC traces its origins to President Obama’s Executive Order 13556 in November 2010, which established the concept of Controlled Unclassified Information (CUI) and set the stage for future cybersecurity requirements in the defense sector. By 2017, defense contractors were required to comply with NIST SP 800-171, a set of 110 security controls for protecting CUI, but compliance was largely based on self-attestation.

In 2019, the Department of Defense (DOD) announced the development of CMMC to address the limitations of self-attestation and strengthen accountability through third-party assessments. CMMC 1.0 was finalized in January 2020, introducing a five-level maturity model and began appearing in DOD requests for information and proposals by mid-2020. The DFARS interim rule, which authorized CMMC’s inclusion in contracts, became effective in November 2020, marking the start of a planned five-year phase-in period.

However, CMMC 1.0 faced criticism for being too complex and burdensome, especially for small and mid-sized organizations. The DOD initiated an internal review in March, 2021 leading to the announcement of CMMC 2.0 in November, 2021. This new version streamlined the model from five levels to three — Foundational, Advanced, and Expert — and reintroduced some self-assessment options for lower-risk contracts.

The formal rulemaking process for CMMC 2.0 began in 2023, involving extensive community feedback and regulatory review. The final program rule (Title 32 CFR part 170) was published on October 15, 2024, and became effective on December 16, 2024. Preparation for audits and assessments under the new framework started in early 2025. The companion acquisition rule (Title 48 CFR, the DFARS rule), published September 10, 2025, permits CMMC requirements to begin appearing in new DOW solicitations and contracts on November 10, 2025.

A major highlight in the timeline was the shift from self-attestation to independent assessment for many contractors handling CUI, as well as the reduction in complexity from five to three levels. Another significant change was the treatment of external service providers (ESPs) such as managed service providers (MSPs): an ESP that does not itself process, store, or transmit CUI no longer needs its own Level 2 certification, but the services it provides to a contractor are still examined as part of that contractor’s assessment scope.

Image credit: dodcio.defense.gov/Canva

Timeline for Implementation:

The full implementation schedule and rollout is phased over four years:

  • Phase 1: Begins November 10, 2025. New contracts may include Level 1 or Level 2 self-assessment CMMC requirements as a condition of award; DOW may, at its discretion, also include Level 2 certification (C3PAO) requirements in applicable solicitations.
  • Phase 2: Begins November 10, 2026. Contracts will require Level 2 certification (C3PAO) assessments for applicable solicitations.
  • Phase 3: Begins November 10, 2027. Level 2 certification is required to exercise contract option periods, and Level 3 (DIBCAC) requirements are introduced for applicable new awards.
  • Phase 4 (Full Implementation): Begins November 10, 2028. All CMMC program requirements (Levels 1, 2, and 3) will apply to every applicable contract and solicitation, including option periods.
Image credit: dodcio.defense.gov

The phased implementation allows contractors time to adjust and comply with CMMC cybersecurity requirements. For applicable DOW solicitations issued on or after November 10, 2025, the required CMMC status becomes a condition of award for the prime contractor and flows down to subcontractors that handle FCI or CUI. CMMC evolved from a response to persistent cybersecurity threats and the inadequacy of self-attestation, through several iterations and delays, to a streamlined and enforceable framework that will be fully implemented in DOW contracts by November 2028.

CMMC Beyond the War Department

Should CMMC be adopted beyond DOW, the required level for most national security and Department of Homeland Security (DHS) contracts would likely be Level 2 or Level 3, depending on the sensitivity of the information involved.

CMMC Level 2 should be expected for contracts where the contractor will process, store, or transmit Controlled Unclassified Information (CUI). That describes MOST contracts issued by DHS and other national security-focused agencies. This level involves implementing all 110 security requirements from NIST SP 800-171 Rev. 2 and, depending on the risk profile and specific contract requirements, either a self-assessment or a certification assessment by a Certified Third-Party Assessment Organization (C3PAO).

CMMC Level 3 is reserved for contracts involving the most sensitive national security information, where advanced persistent threats (APTs) are a concern. Level 3 requires meeting all Level 2 requirements plus a subset of the enhanced requirements from NIST SP 800-172, and assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). It is anticipated that many key national security contracts may need to include Level 3 requirements.

The exact CMMC level required for a contract is specified by the program office or requiring activity based on the type and sensitivity of information handled. For contracts that only involve Federal Contract Information (FCI), Level 1 may be sufficient, but most national security and DHS contracts involve CUI and, therefore, fall under Level 2 or, for the highest sensitivity, Level 3. Constant communication remains the key to a good business model. Outreach to program offices, contracting office staff, acquisition and procurement staff, small-business offices, and (as available) Office of Small and Disadvantaged Business Utilization (OSDBU) programs can help you stay informed of what the CMMC horizon looks like for your agency and program. 

Any business pursuing national security or DHS contracts should plan for the possibility of needing at least CMMC Level 2, and possibly Level 3 for contracts involving highly sensitive information, if CMMC is carried over from DOW to other federal civilian and national security agencies. Beyond a Level 1 (or Level 2) self-assessment and affirmation, a contract that calls for Level 2 certification will require the company to engage a Certified Third-Party Assessment Organization (C3PAO), which conducts a full assessment against the NIST SP 800-171 requirements before the Level 2 certification status is granted.

This can all sound pretty daunting, and it is. As with all things though, through proper planning, ongoing awareness and oversight, and activity prioritization, compliance can readily be achieved not just to the benefit of your position in contracting, but to the benefit of your organizational security culture as a whole.   

Within the homeland and national security space, CMMC is not something to be ignored – but currently also not befitting of a “sky-is-falling” attitude. As the DOW roll-out for November 10th approaches, we’ll explore in Part 2 more about the nuances of CMMC, how companies can reasonably prepare for implementation, hear from CMMC professionals and a C3PAO, discuss resources available, and the details of what it takes to proactively approach both CMMC and a company culture of security awareness. 

Cybersecurity should be a conversation happening in every company. Security awareness should be a key component of any organizational culture. This is not a C-level issue, or one to leave only to the concern of those CISO and Risk Officer types. It impacts every employee and every level of an organization.

Stay tuned for Part 2, “Achieving CMMC Compliance,” coming next week.


Important References

Department of War CMMC Resources & Documentation available at: https://dodcio.defense.gov/cmmc/Resources-Documentation/

Department of War CMMC Level 2 Assessment Guide (v2) available at: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL2v2.pdf

The CMMC Accreditation Body (Cyber AB) website: https://cyberab.org/

National Institute of Standards and Technology (NIST) Resources:

NIST SP 800-171 Rev. 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

NIST SP 800-171A: Assessing Security Requirements for Controlled Unclassified Information

NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information

NIST SP 800-172A: Assessing Enhanced Security Requirements for Controlled Unclassified Information

NARA CUI Registry: https://www.archives.gov/cui

DoD CUI Registry: https://www.dodcui.mil/

Benjamin T. Shotzberger serves as a member of the Steering Committee for the Government Technology and Services Coalition (GTSC) and has spent his career in service to homeland and national security interests. He possesses a Bachelor's in History from The Citadel: The Military College of South Carolina and is approaching completion of his MBA through The College of William & Mary's Raymond A. Mason School of Business. His career domestically has spanned positions at the White House, federal roles with the Department of Homeland Security, and various national security support positions with small and large private sector contracting businesses. Internationally, he previously served as a Senior Program Officer and Chief of Operations for the Global Alliance for Trade Facilitation through the Center for International Private Enterprise. Ben is the Founder and Chief Backstop at In Foul Territory Consulting (iFT - http://www.ift4me.com). iFT provides B2B growth strategy, business development and operations consulting services to GovCon. Since 2009 he has been penning test and evaluation design reviews, op-eds and other materials mainly for products and practices in the personal defense, securities and firearms industry. His passions for publication outside of homeland and national security concerns are Christian leadership, marriage, fatherhood, and business ethics. He regularly posts regarding the escapades and adventures of “Pig E. Shotzberger, the International Business Pig” - a stuffed animal that has accompanied him in business travel and dealings for a decade. Ben runs a column on LinkedIn entitled “In Foul Territory” where he tackles issues from contract management to work-life balance. Have something deserving of consideration? He may be reached at [email protected].
