CMMC Compliance is coming, are you ready?

It is estimated that over 300,000 organizations within the DoD’s Defense Industrial Base (DIB) will be impacted by the new requirements under CMMC 2.0 in Q1 2025, with significant expansion to follow. Failure to meet compliance requirements in time will result in supply and demand chain disruption. As it can take 6 to 18 months to bring an organization into compliance, leaders need to start planning for CMMC compliance now to prevent disruption in the future.

Will CMMC Compliance impact you?

Organizations that are direct or indirect recipients of government funds (flow down in the supply chain) as part of, or in support of, federal contracts are considered part of the DIB and will need to comply with Cybersecurity Maturity Model Certification (CMMC). This includes organizations such as:

  • Subcontractors: Companies providing goods or services to prime contractors, even if they don’t directly interact with the government. e.g. A manufacturer of specialized bolts for a prime defense contractor.
  • Cloud Service Providers (CSPs): CSPs hosting, processing, or storing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). e.g. A SaaS company managing project management tools used by government contractors.
  • Logistics and Transportation Companies: Firms managing supply chain or transportation services tied to federal contracts. e.g. A logistics company shipping components for defense projects.
  • External IT Service Providers (ESPs/MSPs): IT firms offering infrastructure, support, or cybersecurity services for federal contractors. e.g. An MSP providing endpoint security to government subcontractors.
  • Professional Services Firms: Organizations offering legal, consulting, or financial services that involve handling sensitive contract-related information. e.g. An accounting firm performing audits for a federal contractor.
  • Component or Parts Manufacturers and Distributors: Companies making components or distributing them for products sold to federal contractors, even if the products themselves are not government-facing. e.g. A supplier of circuit boards for equipment used in federal projects.
  • Educational Institutions and Research Centers: Universities or research labs working on federally funded research (HHS or NSF) that may involve CUI. e.g. A university developing technologies under a DoD grant.
  • Staffing and Recruitment Agencies: Organizations providing personnel or specialized skills for government contract projects. e.g. An agency recruiting engineers for a contractor building military technology.
  • Critical Infrastructure: Organizations providing electrical grid, telecommunications networks, and energy distribution infrastructure, which are considered critical to national security.

What types of organizations are likely to be impacted by CMMC compliance in the future?

CMMC is expected to follow the same pattern as other federal regulations and eventually impact any organization interacting with the U.S. General Services Administration (GSA) and the National Aeronautics and Space Administration (NASA), which will greatly expand the impact of CMMC compliance.

Other standards (such as NIST 800-53) that have followed this pattern have eventually become industry standards in the United States and abroad.

What is CMMC Compliance?

The Department of Defense (DoD) released 32 CFR 170 in October 2024, establishing the Cybersecurity Maturity Model Certification (CMMC) Program, which defines a set of good security practices and is designed to protect non-public government information. This information falls into two classifications:

  • Federal Contract Information (FCI) is information about contracts between the DoD and organizations in its supply chain. FCI is defined as: “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”

    Examples:
    • Contractor Data: Information related to the development, maintenance, or performance of a government contract, such as pricing, performance metrics, or any proprietary processes used under a contract.
    • Procurement Information: Details about the bidding process or contract awards, such as technical proposals or specific contractual terms provided by contractors.
    • Delivery Schedules: Information that involves the specific timelines or schedules for the delivery of goods or services under a government contract.
    • Government-Furnished Property Information: Data about materials or property that the government provides to contractors for use in performing the contract.
  • Controlled Unclassified Information (CUI) is information that is sensitive due to laws, executive orders, or other regulations but does not rise to the level of Classified National Security Information (CNSI). CUI is defined as: “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified”.

    Examples:
    • Personally Identifiable Information (PII): Information like social security numbers, home addresses, or birthdates that could identify individuals. This is protected to prevent identity theft and privacy violations.
    • Financial Information: Sensitive data, such as government payment data, that could reveal details about funding, contracting, or spending.
    • Health Information: Data such as medical records related to military personnel or civilians under government programs, which is governed by the Health Insurance Portability and Accountability Act (HIPAA).
    • Export-Controlled Information: Data related to technologies or goods subject to export controls under laws such as the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR).
    • Sensitive Security Information (SSI): Information related to transportation or other sectors where unauthorized access could harm national security or public safety.

What does this mean for your organization?

Failure to meet CMMC Compliance requirements will lead to exclusion from the federal supply chain as the program is rolled out and becomes a mandatory part of contracts starting in early 2025.

Depending on the data your organization handles, one of three levels of CMMC Compliance will apply to you:

What does it take to achieve and maintain CMMC compliance?

Your organization must perform an assessment that:

  1. Identifies the types of data that your organization handles (receives, processes, stores, or transmits). Is any of that data FCI or CUI as defined above?
  2. Scopes your data boundary (impacted systems, people, and facilities) based on the appropriate DoD guidelines as defined in the CMMC Assessment Scoping Guides: Level 1 and Level 2.
  3. Performs a gap analysis between your organization’s current practices and the 110 controls of NIST Special Publication 800-171 Revision 2.
  4. Based on the gap analysis, determines whether a CMMC Enclave is the most efficient option for your organization. A CMMC Enclave is a separate, isolated, CMMC-compliant environment that contains the sensitive information, so that you do not have to ensure the entire organization meets CMMC requirements.

The output of the assessment should generate a list of practices that your organization should implement or improve against the appropriate CMMC requirements.

NOTE: there is no single product or solution that can be purchased to solve this problem for you. Do not make purchasing decisions until you have completed a gap analysis.

Following the assessment, your organization will need to plan, implement, and then operate the identified practices as capabilities in such a way that you have evidence for auditors and third parties showing your compliance with the CMMC controls.

“This sounds like a lot, where do I start?!”

Workpact has partnered with FarWell to offer an affordable and comprehensive assessment that will tell you where you stand, and what to do next.

This technology-agnostic assessment will:

  • Identify FCI and CUI in your organization and produce a plan to handle that data (FCI & CUI blueprint)
  • Define which level of CMMC applies to your organization
  • Produce a gap analysis and recommendations for alignment with CMMC requirements (controls)
  • Facilitate the Enclave decision for your organization

Following the assessment, Workpact & FarWell can provide as much or as little assistance as your organization needs in Planning, Implementing, and Operating your programs in alignment with CMMC requirements.

Additionally, we find that a system such as ServiceNow greatly simplifies ongoing CMMC compliance and the burden on your organization to operate a mature data security program. ServiceNow supports critical capabilities such as:

Reach out to us to learn more!

November 21, 2024