What Small Business Contractors Need to Know About CMMC

The mandatory implementation of cybersecurity regulations is quickly approaching for contractors in the defense industrial base.

As the Pentagon rolls out the second version of Cybersecurity Maturity Model Certification, aka CMMC 2.0 changes, interim rules are expected to go online. As a result, companies can anticipate seeing CMMC 2.0 language appear in the U.S. Department of Defense (DoD) and other lucrative contracts brokered by the federal government. The first interim rules are set for March 2023, meaning CMMC 2.0 mandates will likely appear in agreements come July 2023.

The idea that CMMC 2.0 rules won’t impact deals until July may not create a sense of urgency. But the time it takes to conduct a comprehensive cybersecurity analysis of systems, employee practices, and the way sensitive data is stored and transmitted could take months. Moreover, given the impact the following changes could have on contractors, business leaders could get sidelined if they procrastinate.


1: More Stringent Policies and Procedures

Organizations will be tasked with meeting the NIST 800-171 requirements assigned to each of the three cyber hygiene levels. The forthcoming mandate does away with some process requirements at the lowest level but insists an enterprise “define” upwards of 49 of 110 controls. A cursory look at the three levels shows this could prove a Herculean task for organizations.


  • Level 1: Cyber hygiene at this level involves the protection of Federal Contract 

Information (FCI) not intended for public disclosure. Although considered “basic” cyber hygiene, military supply chain businesses must address how FCI is handled and stored.

  • Level 2: Companies will be required to document the processes used by staff members. It involves achieving cyber hygiene concerning 14 domains and 110 controls.
  • Level 3: A contractor’s cybersecurity posture must be so rigorous it can repel the advanced persistent threats presented by enemy nations. Companies must have a regular third-party assessment and maintain a determined posture.

Industry leaders must often prove they achieved the necessary cyber hygiene level to bid on DoD and other federal contracts. Before the federal government crafted the CMMC 2.0 policy, they primarily took a contractor’s word they complied. That all ends now.


2: Plan of Action and Milestones & Waivers

The number of waivers granted is expected to be slimmed down considerably, and a tight policy has reportedly been established. A minimum score for each control must be satisfied, and no waivers will be allowed for the highest weighted controls (i.e., those worth five points).

Cybersecurity experts and national security insiders are hailing this as a win for America’s digital defense. Contractors who previously relied on stop-gap waivers would be well-served to contact a CMMC Third Party Assessment Organization (C3PAO), conduct the necessary due diligence, and harden their defenses.


3: Changes to Self-Assessments

One of the changes from CMMC 1.0 to 2.0 involves what appears to be flexible self-assessments, at least at first blush. The approaching mandate indicates outfits that fall under Level 1 may conduct their assessment and file a score online.

Initially, some Level 2 organizations were going to have a self-assessment option, while others needed to work with a C3PAO, depending on the nature of the FCI or Controlled Unclassified Information (CUI). However, recent reports indicate Level 2 companies will all be mandated to undergo a third-party assessment. As a result, an estimated 80,000 contractors and subcontractors handle FCI and CUI required to meet Level 2 standards. The same holds for contractors within the Level 3 framework.


4: Senior Officials Tasked with Annual Affirmations

One of the top-tier issues CMMC 2.0 seeks to address is accountability. The DoD once fined or suspended companies after determining they failed to meet federal cybersecurity guidelines. Unfortunately, many of the penalties came after a hacker had already absconded sensitive FCI or CUI.


According to a filing in the Federal Register, the newly-conceived cybersecurity regulations allow “annual self-assessment with an annual affirmation by DIB company leadership” in some cases. This means that faulty self-assessments and failure to maintain a Level 1-3 posture may result in the company and senior management personnel suffering consequences. Given the wide-reaching things that could go awry during internal audits, industry leaders would be well-served to onboard a C3PAO.


5: Preparation Timeline Shortened

Early expectations around the CMMC 2.0 rulemaking process were that it would take 9-24 months. Now, contractors and subcontractors have until July before mandates appear in agreements. Industry leaders should start implementing NIST 800-171 controls before the year’s end. When the first quarter of 2023 kicks off, the 300,000 organizations in the defense industrial base will likely overwhelm the availability of C3PAOs, creating a bottleneck.


How to Prepare for CMMC 2.0 Appearing in Contracts

The best preparation strategy may involve scheduling a gap assessment. This cybersecurity analysis deeply delves into systems, best practices, programs, and how FCI and CUI are stored and transmitted. Business leaders receive a report showing network strengths and vulnerabilities. Accompanying recommendations highlight ways to close security gaps and meet the CMMC 2.0 mandate.


Sedulous Consulting Services is an Approved C3PAO Candidate firm. Our dedicated team members can comprehensively conduct a gap assessment and overcome any CMMC 2.0 challenges contractors and subcontractors face. To schedule a gap assessment, contact Sedulous Consulting Services today


What Small Business Contractors Need to Know About CMMC

More than 300,000 businesses in the military-industrial base need to implement the Pentagon’s latest cybersecurity policy. The Cybersecurity Maturity Model Certification (CMMC 2.0) does not discriminate between small, mid-sized, and large corporations. The U.S. Department of Defense (DoD) announced it would publish an interim CMMC 2.0 rule in March, with small business contractors seeing it in their agreements soon after. Small business owners may view the federal government’s mandate as overkill. But Robert Metzger, who reportedly inspired CMMC with the startling “Deliver Uncompromised” report, recently explained why small business contractors need to adopt the measure and understand the CMMC Requirements. 

“We know that adversaries will seek the so-called low-hanging fruit and mount attacks against less well-defended companies. The problem is that for smaller businesses, (NIST Special Publication 800-171) can be daunting, intimidating, frustrating, confusing and expensive,” Metzger reportedly said at the Washington Technology CMMC Summit. “But we cannot decide that security is unimportant for small businesses. We cannot give them a waiver. But we must facilitate a means by which small businesses can accomplish security economically.”

With the mandate fast approaching, small businesses would be well-served to take proactive steps in preparation for CMMC 2.0, such as scheduling a cybersecurity gap assessment. A managed IT firm with CMMC 2.0 expertise can provide scalable support. These are things small business contractors need to know about the mandate and why they would be wise to act with a sense of urgency.

How Do CMMC 2.0 Levels Apply to Small Businesses?

There are reportedly more than 300,000 organizations that benefit from lucrative DoD contracts. The bulk of these companies provides materials and services in support of direct military defense contractors that design and build equipment and technologies.

The enemies of Democracy finance some of the world’s most notorious hackers to breach systems at every level. Even the most determined advanced persistent threats understand few cybersecurity gaps persist among corporations that handle top-secret information. That’s why they target small and mid-sized outfits — “low-hanging fruit,” as Metzger stated — in hopes of uncovering scraps of information that expose the greater national security picture. These are the types of digital information they are trying to steal.

  • FCI: Federal Contract Information is not intended for public disclosure. Although not necessarily a danger itself, FCI can be used as a piece of the national security puzzle. It may provide clues for rogue nations to discover significant policies and initiatives.
  • CUI: Controlled Unclassified Information is created by the government. It may have been linked to the DoD, making it essential to protect. Stolen CUI can be used to learn military activities and potentially place the men and women who serve in harm’s way.

Of the three CMMC 2.0 levels, small businesses must comply based on the type of FCI or CUI the operation stores and transmits. A small technology company with five employees may need to meet the expert cyber hygiene requirements of Level 3. By that same token, a small business of 100 employees could fall under the basic cyber hygiene of Level 1. Business professionals who are unsure about the requirements are advised to contact an accredited CMMC Third Party Assessment Organization (C3PAO) to conduct an audit.

What are CMMC 2.0 Benefits for Small Businesses?

Even when a government mandate is well-intentioned, there’s a tendency to view it as just another expense or, well, a hassle. This holds particularly true of small business leaders who consider their seemingly peripheral contributions inconsequential.

We know that advanced persistent threats do target companies on the outskirts of the military supply chain to infiltrate federal agencies. The SolarWinds software breach of 2020 proved skilled hackers could penetrate thousands of organizations in this fashion, including the U.S Treasury Department. But to hit a little closer to home, small businesses may want to consider CMMC 2.0 as a way to harden their posture for the following reasons.

  • Forty-six percent of all breaches affect businesses with fewer than 1,000 employees.
  • More than 60 percent of small and mid-sized businesses were targeted in 2021.
  • Upwards of 82 percent of ransomware attacks were leveled against small and mid-sized companies in 2021.
  • More than one-third of ransomware victims employed fewer than 100 people.
  • Small business employees experience social engineering attacks 350 percent more than big corporations.

Verizon’s 2021 Data Breach Investigations Report indicated that even garden variety hackers are targeting small businesses at an increased rate of 61 percent. Symantec’s 2016 Internet Security Threat Report indicated that the number was only 34 percent in 2014 and 18 percent in 2011. It’s easy to see which way the cyberattack trend is heading.

Should your operation get plucked like the “low-hanging fruit,” small business losses typically range from $120,000 o $1.24 million. Needless to say, an organization compromised by hackers will likely lose profitable DoD contract work. And the reputational damage drives companies into bankruptcy.

“The smart move is to protect yourself. Now. Not because you have to comply but because you want your enterprise to stay in business,” Metzger reportedly said. “Be secure beforehand for the sake of your employees, your lenders, your clients, your customers, your investors.”

The good news is that CMMC 2.0 delivers the hardened defense small businesses need to deter low-level hackers and advanced persistent threats alike.

How to Get Started with CMMC 2.0

The first step toward robust cybersecurity calls for a gap assessment. An accredited C3PAO reviews best practices and internal cybersecurity policies and thoroughly vets the small business network for vulnerabilities. Once the data has been analyzed, company leaders receive a report highlighting weaknesses and offering solutions. Not only will you possess a roadmap to CMMC 2.0 compliance, but you can stop being an easy target.

Sedulous Consulting Services is an Approved C3PAO Candidate firm. We perform gap assessments and can help you harden your cybersecurity posture. Contact Sedulous Consulting Services today.