
Latest Cybersecurity Updates and Preparation Steps for Defense Suppliers
July 14, 2025
Cybersecurity remains a critical concern for the Department of Defense (DoD) and its entire supply chain. The Cybersecurity Maturity Model Certification (CMMC) program represents the DoD's comprehensive approach to protecting sensitive information across the Defense Industrial Base (DIB).
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a unified security standard and certification program designed to protect controlled unclassified information (CUI) and federal contract information (FCI) across the defense supply chain. It was created in response to rapidly increasing cybersecurity threats targeting defense contractors and their supply chains.
Watch the CMMC compliance webinar STACK Cybersecurity presented in concert with the National Cybersecurity Alliance and our client, Taylor Turning.
Latest CMMC Updates
Final Rule Now Published
The CMMC Program Final Rule (32 CFR Part 170) was published in the Federal Register on Oct. 15, 2024, and became effective on Dec. 16, 2024. This marks a significant milestone after years of development and refinement. The rule officially establishes the CMMC Program and defines the requirements for contractors who manage sensitive defense information.
Implementation Timeline
The implementation of CMMC will follow a phased approach:
- Dec. 16, 2024: The CMMC Program Final Rule (32 CFR Part 170) became effective.
- Q1-Q3 2025: Expected publication and effectiveness of the DFARS rule (48 CFR) that will allow CMMC requirements to be included in DoD contracts.
- 2025-2028: Phased implementation over three years, with CMMC requirements gradually appearing in DoD contracts.
- 2028: Full implementation expected, with CMMC requirements included in all applicable DoD contracts.
Big Updates in CMMC 2.0
CMMC 2.0 represents a streamlined approach compared to the original version:
1. Simplified Level Structure: Reduced from five levels to three:
- Level 1 (Foundational): For contractors handling only FCI
- Level 2 (Advanced): For contractors handling CUI
- Level 3 (Expert): For contractors handling highly sensitive CUI
2. Assessment Options:
- Level 1: Self-assessment with annual affirmation
- Level 2: Either self-assessment (for select contracts) or third-party assessment by a C3PAO
- Level 3: Government-led assessment
3. Alignment with Existing Standards: CMMC 2.0 Level 2 aligns directly with NIST SP 800-171, making it more accessible for contractors already working toward compliance with existing regulations.
4. Plan of Action and Milestones (POA&M): Limited allowance for POA&Ms, giving contractors flexibility to address certain deficiencies within a 180-day timeframe after contract award.
What DoD Suppliers Must Do Now
1. Determine Your Required CMMC Level
The first step is understanding which CMMC level applies to your organization:
- If you handle only Federal Contract Information (FCI), you'll likely need Level 1.
- If you handle Controlled Unclassified Information (CUI), you'll need Level 2.
- If you handle highly sensitive CUI, you might need Level 3.
Review your existing and anticipated contracts to identify which level of certification you'll need. Prime contractors should also communicate with subcontractors about their expected CMMC requirements.
2. Conduct a Gap Assessment
Perform a comprehensive gap analysis to evaluate your current cybersecurity posture against the applicable CMMC level requirements:
- For Level 1: Assess compliance with the 17 basic cybersecurity controls from FAR 52.204-21.
- For Level 2: Evaluate your implementation of all 110 security requirements from NIST SP 800-171.
- For Level 3: Assess compliance with both Level 2 requirements and the additional 24 controls from NIST SP 800-172.
This assessment will help you identify areas that need improvement and prioritize your remediation efforts.
3. Develop and Implement a Remediation Plan
Based on your gap assessment:
- Address high-priority controls first, especially those that would be ineligible for a POA&M.
- Allocate sufficient resources (budget, personnel, time) for implementation.
- Plan for the typical implementation timeframe: reaching Level 2 compliance usually takes a typical organization 6-12 months.
- Document all security practices, policies, and procedures thoroughly.
4. Consider CMMC Scoping
Proper scoping can significantly reduce the complexity and cost of compliance:
- Identify and document your organization's CUI/FCI flow.
- Consider implementing network segmentation to isolate systems that process, store, or transmit CUI/FCI.
- Explore CMMC enclave strategies that could limit the scope of your assessment.
Pro Tip: Implementing proper network segmentation can significantly reduce your CMMC assessment scope, potentially saving time and money while simplifying your compliance journey.
5. Prepare for Assessment
Depending on your required CMMC level:
- For Level 1 or select Level 2 contracts: Prepare for self-assessment and annual affirmation by a senior company official.
- For most Level 2 contracts: Begin researching Certified Third-Party Assessment Organizations (C3PAOs) and understand the assessment process.
- For all levels: Document your System Security Plan (SSP) thoroughly, as this will be a critical component of your assessment.
6. Monitor Prime Contractor Requirements
Even before CMMC appears in your contracts, be aware that:
- Many prime contractors are already requiring CMMC readiness from their subcontractors.
- Some are setting minimum score thresholds in the Supplier Performance Risk System (SPRS) that subcontractors must meet.
- Early compliance can provide a competitive advantage in the defense supply chain.
7. Stay Informed and Educated
The CMMC landscape continues to evolve:
- Monitor updates from the DoD and the CMMC Accreditation Body.
- Consider engaging with Registered Provider Organizations (RPOs) for guidance.
- Participate in industry groups and forums focused on CMMC implementation.
- Invest in training for key personnel responsible for cybersecurity and compliance.
Why Start Now?
There are several compelling reasons not to delay your CMMC preparation:
- Long Implementation Timeframe: Achieving compliance typically takes 6-12 months for mid-sized organizations.
- Assessor Bottleneck: As implementation deadlines approach, demand for C3PAOs will increase, potentially creating delays.
- Competitive Advantage: Early certification can differentiate your organization in the defense marketplace.
- Existing Requirements: For contractors handling CUI, the security requirements in NIST SP 800-171 are already mandatory under DFARS clause 252.204-7012.
- Prime Contractor Pressure: Many prime contractors are already requiring CMMC compliance from their subcontractors ahead of DoD mandates.
Did you know? Even before CMMC officially appears in contracts, many organizations are finding that early compliance gives them a competitive edge in the defense marketplace. Don't wait until the last minute – start your CMMC journey today.
How STACK Cybersecurity Can Help
As a Registered Provider Organization (RPO) with SOC 2 Type 2 certification, STACK Cybersecurity is uniquely positioned to help defense contractors navigate the CMMC certification process. Our team of experienced cybersecurity professionals can manage your CMMC projects end to end, from initial assessment to final certification.
Our comprehensive CMMC services include:
- CMMC readiness assessments and gap analysis
- Development of customized remediation plans
- Implementation of required security controls
- Documentation preparation and policy development
- Pre-assessment testing and validation
- Ongoing compliance maintenance and support
With our deep understanding of both CMMC requirements and the defense industry, we can help streamline your path to compliance while minimizing disruption to your operations.
Significant Shift for Defense Contractors
The CMMC program represents a significant shift in how the DoD approaches cybersecurity across its supply chain. While full implementation will be phased over the next three years, the time to prepare is now. By taking proactive steps toward compliance, defense contractors and suppliers can not only meet future requirements but also strengthen their overall security posture and maintain their competitive position in the defense marketplace.
Remember that CMMC is not just about checking boxes for compliance—it's about implementing meaningful security measures that protect sensitive defense information and strengthen national security. The investment you make now will pay dividends both in terms of contract eligibility and enhanced cybersecurity resilience.