
Key Considerations for Small Businesses and CMMC 2.0

Businesses face several challenges with the new Cybersecurity Maturity Model Certification (CMMC) 2.0 program, which sets out the security requirements that contractors handling sensitive Department of Defense information must meet.

Cyberattacks are becoming more sophisticated and prevalent across various sectors, including the Defense Industrial Base (DIB) and Department of Defense (DoD) supply chain.

These attacks target not only the DoD's large prime contractors but also smaller subcontractors. Many of these contractors process, store or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) that contributes to the research, development and operation of DoD systems and services.

FCI and CUI are categories of sensitive information that require safeguarding within government and defense contexts.

The theft of intellectual property and sensitive information from the DoD supply chain can undercut U.S. technical advantages and innovation and pose a significant threat to national security.

To protect FCI and CUI, the DoD has developed the Cybersecurity Maturity Model Certification (CMMC) 2.0, a framework that enforces security requirements on any organization that handles FCI or CUI in the course of its work with the DoD.

Understanding CMMC

The DoD's final rule establishing the CMMC 2.0 program took effect on Dec. 16, 2024, and defined the program's goals to:

  • Safeguard sensitive information
  • Enforce DIB cybersecurity standards to meet evolving threats
  • Ensure accountability while minimizing barriers to compliance with DoD requirements
  • Perpetuate a collaborative culture of cybersecurity and cyber resilience, and
  • Maintain public trust through high professional and ethical standards

3 Levels of Security Control

  • Level 1 focuses on the protection of FCI and consists of 15 basic safeguarding requirements. It requires an annual self-assessment and affirmation.
  • Level 2 focuses on the protection of CUI and incorporates the 110 security requirements of NIST SP 800-171. It requires a Certified Third-Party Assessor Organization (C3PAO) assessment every three years for contractors handling CUI that the DoD deems critical to national security, or a self-assessment every three years for those handling CUI that is not, plus an annual affirmation in either case.
  • Level 3 focuses on the protection of CUI and applies to companies that handle CUI for the DoD's highest-priority programs. It builds on Level 2 with additional requirements drawn from NIST SP 800-172 and requires a government-led Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment every three years and an annual affirmation.

Key Considerations for CMMC 2.0 Assessments

These new CMMC requirements will be implemented in phases, with March 1, 2028 set as the final deadline by which all applicable contracts (those involving FCI or CUI) must include the new standards. Prime contractors are leading the way in proactively making CMMC changes, so a good relationship between your business and your prime contractor can give you a clearer timeline of when CMMC requirements will appear in your contract.

However, because it often takes a business 12 to 18 months to meet the new CMMC requirements, it is wise to start preparing now, especially since smaller contractors may not have the staff or funds available to ramp up security quickly.

Challenges of CMMC

Here are some other key areas businesses may struggle with regarding CMMC:

Understanding the various controls required to safeguard sensitive data. CMMC groups its requirements into 14 domains, each containing multiple individual requirements (commonly called controls). The domains include Access Control, Awareness and Training, Identification and Authentication, Maintenance, Media Protection and Physical Protection. Given the wide range of domains and the technical detail within each, meeting every requirement can quickly seem overwhelming.

Defining the “boundaries” that are subject to CMMC compliance requirements. CMMC refers to this as the assessment scope: the components of an IT environment that process, store or transmit sensitive data, together with the systems that protect them or can reach them. Every asset must be categorized as in scope (for example, assets that hold CUI or provide security functions for those that do) or out of scope, and that categorization must be defensible to an assessor. Knowing where a boundary should start and end can be difficult, and drawing it too narrowly is a common assessment finding.

Finding the resources needed to navigate the time-consuming rules of CMMC. Many businesses lack robust IT teams or cybersecurity experts who can focus on decoding the many requirements set forth by CMMC. Not only are some of the technical measures difficult to understand, but they may also require technology upgrades and changes to reach compliance. Organizations that do not have a good working knowledge of their IT environment and data will struggle to pinpoint which technology is affected and must be upgraded.

Achieve CMMC Standards Efficiently

Small businesses seeking to achieve CMMC standards can benefit greatly from working with a trusted third-party consultant who has deep expertise in CMMC and cybersecurity. A consultant can help you meet the control requirements, define your assessment boundaries and navigate complex IT environments, greatly reducing the time spent decoding CMMC and becoming compliant. Keep in mind that the CMMC rule's conflict-of-interest provisions prevent the organization that helped you prepare from also serving as your C3PAO assessor, so plan for a separate, independent assessment.


Learn more about how CDW can help small businesses improve their cybersecurity practices and prepare for CMMC 2.0.


Alexis Nattee

Business Development Manager, CDW

Alexis Nattee is a business development manager at CDW who focuses heavily on startups and small businesses that contract with the Department of Defense and Department of Energy.