Introduction
CMMC has been actively driven by the Department of Defense (DoD) since 2019. Its roots go back farther than that, to Executive Order 13556 of November 2010, which mandated a government-wide standard for managing Controlled Unclassified Information (CUI) across agencies and introduced the very designation of CUI itself. Prior to this order, CUI was not a formal part of the federal information classification lexicon. With cyber threats having dramatically escalated since then, it is only right and completely necessary that organizations storing, processing and transmitting DoD-related CUI have appropriate cybersecurity procedures in place to share and protect sensitive government data.
Under DFARS 7020, all DoD contractors and subcontractors have been required since 2020 to upload a self-assessed NIST 800-171 score into the DoD Supplier Performance Risk System (SPRS). CMMC is the mechanism by which the DoD will now validate that those self-attestations are accurate prior to the award of a contract. In other words, CMMC ensures that what companies have claimed about their cyber posture is true—and that national security isn’t based on the not-always-reliable honor system.
This reality requires DIB companies to take a hard look at their business model, run a cost-benefit analysis, and make a deliberate decision about whether or not they want to be in this market space. If the answer is yes, then they must accept that CMMC is a DIB cost of doing business.
Addressing Business Practicalities
Even with the years-long time window, resistance to CMMC from many members of the defense industrial base (DIB) persists; at Redspin, we regularly see companies not implementing the necessary measures, which have been required since Dec. 2017. This is often attributed to the implementation costs of NIST and DFARS, which smaller DIB companies may find challenging, especially if implementation has not yet been started. The implementation cost, which now has to be incurred in short order, along with a lack of the knowledge and expertise needed to prepare for certification, has placed those DIB companies that have been on the fence at a disadvantage.
But compliance is simply no longer optional. The Secretary of Defense and the Pentagon recently issued memos clarifying that the DoD is prioritizing cybersecurity, and highlighting NIST 800-171 and CMMC as the confirmed approach to securing the DIB community. Solicitations in SAM.gov have already started mentioning CMMC, and one solicitation specifically states that the requirement is expected to be in effect starting with the new fiscal year (FY):
Once final, USACE solicitations will specify the level certification required for performance under the contract. Direct all questions relating to the CMMC requirement for any action issued by the USACE to the Contracting Officer and Contract Specialist included on the SAM.gov publication announcement. (Source: U.S. Army Corps of Engineers, Special Notice)
Streamlining Your Compliance Journey
Options exist to help organizations ease the journey. For instance, they may choose to skill up internal staff through the various CMMC-related training courses that are available. However, if a company does not have its own technical security staff, it could engage a CMMC External Service Provider (ESP) to manage security for it. This saves headcount costs not just for creating compliant infrastructure but also for maintaining it for the CMMC re-certification required every three years and the annual attestations down the road. Those without on-staff IT can also use cloud-based services to shift their CUI environment to the cloud, thus narrowing their CMMC scope.
While there are expenses for both engaging an ESP and using cloud services, DIB companies should compare them over the long run with the cost of hiring staff, maintaining and upgrading IT devices over time, and overall scalability.
The workplace has evolved significantly since CMMC was first introduced in 2019, especially in the wake of COVID. Many organizations now operate in hybrid or fully remote environments, meaning employees are no longer consistently protected by traditional internal network defense strategies. In response, Virtual Desktop Infrastructure (VDI) solutions have become more widely adopted, offering a way to centralize security controls, maintain compliance, and enforce governance, regardless of an employee’s location or the device they use to access sensitive information.
Time to Get Serious
Recently, Katie Arrington, the DoD’s Acting Chief Information Officer and the architect of CMMC, publicly delivered some “tough love,” calling on DIB companies to stop making negative public comments about having to comply with CMMC. She noted that such comments reveal non-compliance to prospective government customers while setting these companies up as targets for bad actors. And she added, “It’s your business. You’ve got to take ownership of it.” That means now.
As of this writing, the final CMMC 48 CFR rule is under review by the Office of Management and Budget (OMB), the expected final step before publication in the Federal Register and formal integration into the CMMC Federal Acquisition Regulation (FAR). While many anticipate an effective date of October 1, 2025, or sometime in Q4 of 2025, this cannot be confirmed until the 48 CFR rule is published as final. What is clear is that once in effect, CMMC will be phased into contracts over time, with full enforcement expected by October 1, 2027—meaning that contractors requiring certification must be certified by then to accept newly awarded contracts and maintain existing contracts.
At Redspin, we understand that CMMC validation is still fairly new for many companies (even though implementation requirements have been in place for 8 years). Especially in smaller organizations, managing compliance can feel confusing or even at times overwhelming for those busy with many other responsibilities and focused on what they are contracted to do. Fortunately, there is a CMMC ecosystem to help, but there is no time to lose. ESPs are already very busy, and getting ready for the certification process takes time. Waiting until the last possible minute is never a good idea. Just look to last spring’s long lines outside of Motor Vehicle Departments as prospective air travelers queued for their REAL ID before the TSA’s May 7 deadline. It’s not fun, and it’s certainly not guaranteed that you’ll make it.
Working with the DoD is a long game, with contracts lasting years and working relationships lasting as long as decades. While there are costs to doing that business, careful planning will make the investment manageable, and it will pay off in the long run. It’s time for DIB members to step up and do the right thing for their own companies and for national security.
How Redspin Helps
We’ve helped many organizations prepare for CMMC, and we’re one of the first authorized C3PAOs.
Whether you need a readiness assessment, help fixing gaps, or support during your assessment, our team can guide you through the process with zero guesswork.
Don’t wait until the RFP drops; start proving your compliance with certification now.
Book a meeting to get CMMC certified with Redspin: