How Does CMMC 2.0 Affect Your Small Business?

Small and mid-sized business leaders sometimes view federal mandates such as CMMC 2.0 as overreach and a nuance. It seems counterintuitive that sophisticated hackers funded by rival nations would invest time and energy into penetrating companies that perform sometimes marginal work in the military supply chain. In other words, don’t Russian and Chinese hackers have bigger fish to fry?

Truth be told, your business likely stores or transmits bits of Controlled Unclassified Information (CUI) these advanced persistent threats consider a piece in the larger national security puzzle. Once a foreign adversary gathers enough CUI from a military supply chain organization — like your small or mid-sized business — they employ it to launch major cyberattacks against the federal government.

In 2016, a Chinese National pleaded guilty to conspiring to hack a U.S. defense contractor’s system and “steal military technical data, including data relating to the C-17 strategic transport aircraft and certain fighter jets produced for the U.S. military,” according to the U.S. Department of Justice.

From 2019 through 2020, hackers reportedly funded by the Russian government exploited a software company loosely connected to the military-industrial base. Known as the SolarWinds hack, malware was slipped into software updates, tainting thousands of databases, including the U.S Treasury Department. The SolarWinds hack was orchestrated by using an intern’s login credentials. That strategy highlights the way foreign enemies will target small and mid-sized businesses connected to the military-industrial base and work their way to those bigger fish.

What is the CMMC 2.0 Update?

The Cybersecurity Maturity Model Certification, aka CMMC, brings together wide-reaching measures under one umbrella and mandates businesses involved in military activities to comply. Before the initial CMMC was conceived, companies met different standards and not everyone followed them consistently. This undermined national security and prompted the Department of Defense to re-imagine a robust security policy.

The original CMMC 1.0 policy was streamlined to reduce the number of cyber hygiene levels from five to three. Business leaders are now tasked with identifying which of the following three tiers apply to their organization and implementing the appropriate controls.

• Level 1: A small business that handles Federal Contract Information must meet 17 basic controls outlined in NIST 800-171. This information is typically not considered highly sensitive. The CMMC 2.0 update generally allows small and mid-sized businesses to conduct in-house assessments and submit the results to the Supplier Performance Risk System annually.

• Level 2: Considered “advanced” cyber hygiene, small and mid-sized companies that store or transmit CUI are tasked with meeting 110 NIST controls. The DoD mandate for Level 2 businesses has proven confusing to company administrators. Some outfits can self-test while others require an assessment from a Third Party Assessment Organization (C3PAO) every three years.

• Level 3: Reserved largely for direct military contractors, all 110 NIST controls come into play, as well as other to-be-determined measures. A C3PAO assessment is mandated.

The vast majority of small and, to some degree, mid-sized organizations will likely fall into the Level 2 or 3 standards. Understanding whether you require an accredited C3PAO or another cybersecurity expert is an important decision. Failing to properly comply with CMMC 2.0 could sideline your business from lucrative DoD contracts.

How Does CMMC 2.0 Benefit Small Businesses?

Entrepreneurs and other decision-makers must consider capital expenditures such as cybersecurity on an ongoing basis. As the CMMC 2.0 rollout nears, many will need to enlist the support of a cybersecurity firm with expertise in this niche area. That typically means partnering with an accredited C3PAO. Weighing the return on investment for CMMC compliance is something that requires thoughtful consideration.

It’s not uncommon for industry leaders to think in terms of a one-to-one correlation. You will invest X portion of your budget into managed IT and cybersecurity. The CMMC component involves a set dollar amount. Using straightforward math, CFOs may look at whether continuing to work in the military-industrial base is profitable.

The short answer is usually: Yes. The DoD has a massive discretionary budget that topped $722 billion in the Fiscal Year 2022, an increase of $17 billion over the previous year. These contracts pay top-dollar and continue to grow. Staying in the military-industrial base and peripheral supply chains calls for CMMC compliance. It’s also worthwhile to look at CMMC compliance through another lens.

Some modestly-sized business owners shrug off investing in cybersecurity measures because they don’t think hackers will target them. That mindset has resulted in small and mid-sized businesses ranking among the most vulnerable in terms of deficient cybersecurity. The following statistics demonstrate cybercriminals have noticed.

• More than 60 percent of small and mid-sized businesses suffer cyberattacks each year.

• Companies with fewer than 500 employees sustained an average loss of about $3 million.

• Nearly half of companies with less than 50 employees have no cybersecurity budget.

• More than half of business owners paid ransomware hackers to release their network.

• A quarter of small and mid-sized outfits that are hacked lose clients and customers.

• Upwards of 60 percent of organizations that get hacked fold within 6 months.

Because multi-million-dollar hacks garner splashy headlines, the average business owner remains unaware they are a primary target. Garden variety hackers, sitting in a café halfway around the world, troll the internet looking for easy marks. When a small or mid-sized organization is not well defended, it becomes low-hanging fruit. And cyber thieves are more than happy to steal credit card numbers, raid bank accounts, or sell your personal identity information on the dark web.

Although CMMC compliance is not necessarily designed to protect the integrity of small and mid-sized companies from financial and personal identity threats, it serves as a proactive deterrent. With CMMC protocols in place, your organization possesses determined cybersecurity. Hackers are unwilling to exhaust themselves trying to breach your system. They’ll move on to easy targets that failed to invest in themselves.

Contact Sedulous Consulting Services For CMMC 2.0 Compliance

Based in Triangle, Virginia, Sedulous Consulting Services ranks among the first 100 organizations to qualify as a Third-party Assessment Organization. We work diligently with small and mid-sized businesses to assess their cybersecurity vulnerabilities, secure their network defenses, and meet the stringent CMMC 2.0 requirements. If your company enjoys profits from a military contract or works in the supply chain, contact Sedulous Consulting Services.


What is CMMC? What Defense Contractors Must Know.

In an effort to protect national security, the federal government moved to bring military contractors and businesses in the supply chain under a single cybersecurity standard. Known as the Cybersecurity Maturity Model Certification (CMMC), the Department of Defense (DoD) merged the best protocols to further this goal.


The DoD had repeatedly attempted to minimize the risks posed by nation states and advanced persistent threats. In 2016, the DoD put forward the Defense Federal Acquisition Regulation Supplement. This litany of cybersecurity measures was designed to prompt direct military contractors and small businesses to adopt defensive postures and protect Controlled Unclassified Information, also known as CUI. The mandate involved compliance with the National Institute of Standard and Technology (NIST) Special Publication (SP) 800-171. However, too many organizations failed to comply and hackers routinely pilfered off valuable CUI.


As threat actors continued to penetrate networks within the military-industrial base, it was apparent that self-assessments failed and a single standard was critical. In 2019, CMMC 1.0 was launched during the Trump Administration which called for third-party CMMC assessments within a five-tier system. The rollout stalled as the Biden Administration sought changes. Now, CMMC 2.0 is coming into view and small and mid-sized businesses that generate profits from DoD contracts or the military supply chain are tasked with preparing.

What Does CMMC 2.0 Involve?

The newly-minted CMMC 2.0 reduces the number of cyber hygiene tiers from five to three. Each level calls for businesses to demonstrate compliance based on the level of CUI they store or transmit that matches the appropriate CMMC 2.0 tier. These include the following.

• Level 1 (Foundational): Companies that manage Federal Contract Information must bring their cybersecurity defenses in line with 17 basic protocols outlined in NIST 800-171. This information is not necessarily considered sensitive to national security. Under CMMC 2.0, small and mid-sized businesses will be allowed to conduct an in-house assessment and submit the findings to the Supplier Performance Risk System (SPRS) for review on an annual basis. Failure to submit the data or meet Level 1 CMMC compliance could sideline an organization.

• Level 2 (Advanced): Operations that manage CUI must bring their cyber hygiene into compliance with the first 17 NIST practices as well as 93 others. Although complicated and quite rigorous, the DoD plans to allow some businesses to conduct in-house assessments and submit their findings to the SPRS annually. Other companies that house or transmit more sensitive CUI will be required to undergo a CMMC assessment conducted by a Third Party Assessment Organization (C3PAO) every three years.

• Level 3 (Expert): Military contractors and organizations tasked with protecting highly sensitive CUI must meet the rigorous standards of Level 3. This entails complying with 110 NIST 800-171 controls. Additional measures are expected to be issued by the DoD and independent assessment will be mandated.

Small and mid-sized businesses are the most likely to experience challenges navigating the CMMC 2.0 expectations. Understanding the difference between CMMC Level 2 and 3 can prove complicated. Even if business professionals recognize they require Level 2 cyber hygiene, resolving the question of in-house or a Third Party Assessment Organization (3PAOs) assessment has significant ramifications.

Does Your Business Need To Comply with CMMC 2.0?

It’s essential businesses that derive benefits from the military supply chain take appropriate measures as soon as possible to harden their network defenses. Although the final CMMC 2.0 guidelines are still in the works, an expectation exists that contractors meet NIST 800-171 standards and conduct assessments. That means working with an experienced cybersecurity firm to ensure your operation does not suffer a breach by a foreign threat actor.

Depending on the type of CUI your operation stores and transmits, a NIST 800-171 Basic Assessment and score reporting may currently be necessary. The penalty for failing to meet these national security mandates typically includes high fines and suspension from bidding or working on military contracts. So, the short answer is: Yes. Your business needs to remain in compliance with DoD standards while the final CMMC 2.0 regulations are being completed.

How To Prepare for CMMC 2.0

A timeline published by the DoD indicates its rulemaking could conclude as soon as August 22 or at least by November 2023. When the CMMC 2.0 mandate drops, businesses should anticipate companies rushing to enlist the help of cybersecurity experts and Third Party Assessment Organizations. Getting caught in a bottleneck could impede our ability to bid on lucrative DoD contracts or participate as a subcontractor.

The critical point is that waiting could cost your business time and money. But by enlisting the help of a cybersecurity firm now, the following proactive measures can be taken to ensure you meet the CMMC 2.0 requirements.

  • Assess Information Security: Have a third-party conduct a thorough review of your cybersecurity practices. Identifying security weaknesses now allows you time to close them and meet the standards.
  • Identify Your CMMC Level: Understanding the sometimes subtle differences between CUI and sensitive CUI requires in-depth knowledge. Consider having a detailed analysis conducted that identifies precisely the CUI you store or transmit and the requirements under CMMC 2.0.
  • Implement Pen Testing: Penetration testing involves an outside entity probing your network for vulnerabilities. The process mirror that of a sophisticated hacker or advanced persistent threat working for a rival nation. Once an ethical hacker has completed the process, business leaders receive a detailed report. This serves as a roadmap to close cybersecurity gaps and harden your defenses.

It’s important to work with a reputable Third Party Assessment Organization that also communicates effectively. The CMMC 2.0 regulations can be highly technical and complicated. Business leaders outside the managed IT and cybersecurity sector needs a liaison who takes that burden off their shoulders. For additional information on how to prepare for CMMC 2.0 – read this previous article.

Contact Sedulous Consulting Services For CMMC 2.0 Planning

Based in Triangle, Virginia, Sedulous Consulting Services ranks among the first 100 organizations to qualify as a Third-party Assessment Organization. We work diligently with businesses of all sizes to assess their cybersecurity vulnerabilities, secure their network defenses, and meet the stringent CMMC 2.0 requirements. If your company enjoys profits from a military contract or works in the supply chain, contact Sedulous.