CMMC Compliance: An Overview for Your Business

In this article...

  • What CMMC is and why it applies to more businesses than you might think
  • How CMMC 2.0 changes compliance
  • Why even subcontractors need to prioritize compliance
  • Key CMMC 2.0 deadlines
  • Practical first steps to start your compliance journey

If your company supplies a product or service that eventually supports the Department of Defense—even if you never deal with the DoD directly—CMMC compliance affects you.

You’re part of the defense supply chain. Sooner or later, the cybersecurity rules will apply.

Whether you make a component, process data, or just help keep operations running, the prime contractor who brought you in needs to show that every link in their supply chain is secure. That includes you.

Here’s what CMMC is, what it means for your business, and what you should do to prepare.

What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a standardized framework developed by the DoD to protect sensitive information. It sets the baseline for how defense contractors—direct and indirect—secure systems that handle government data.

If you store, send, access, or work with Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you’ll need to meet CMMC requirements.

What’s Considered FCI vs. CUI?

FCI is information provided by or generated for the government under contract but not intended for public release.

CUI is sensitive data the government wants to protect, such as technical drawings or contract performance details.

If you're not sure what your systems handle, a readiness assessment can help clarify.

There’s no getting around it. If you want to keep or win work from a prime, you’ll need to be CMMC certified.

What Changed with CMMC 2.0?

CMMC 2.0 simplifies the original model, reducing five levels to three. It also aligns more closely with existing federal standards like NIST 800-171.

Level 1: Foundational

  • Applies to businesses handling FCI
  • Follows 15 basic cybersecurity practices
  • Requires annual self-assessment

Level 2: Advanced

  • Applies to businesses handling CUI
  • Requires full alignment with 110 practices from NIST 800-171
  • Self-assessments are allowed only for non-prioritized acquisitions at Level 2. If you’re bidding on a prioritized acquisition, you’ll need a certified third-party assessment from a Certified Third-Party Assessor Organization (C3PAO).

Level 3: Expert

  • Reserved for contractors supporting critical DoD programs
  • Adds enhanced security controls from NIST 800-172
  • Requires government-led assessment

Most small to mid-sized businesses will fall into Level 1 or Level 2.

Why CMMC Compliance Matters—Even If You’re a Subcontractor

Prime contractors are being held responsible for the security of their entire supply chain. That includes every third-party vendor and every downstream provider.

If you’re not compliant, you’re a risk to them. And that puts your relationship—and future business—at risk too.

Compliance isn’t just about following guidelines. It’s about protecting your position in the supply chain.

Key CMMC 2.0 Dates to Know

CMMC 2.0 is rolling out in phases, but momentum is building fast.

  • Now – CMMC assessments are currently being conducted for certification. Primes are asking their subcontractors to get CMMC certified.
  • Second Half of 2025 – CMMC language is expected to begin appearing in DoD contracts.
  • 2026 – Certification expected to be required across most new defense contracts*

*CMMC 2.0 is still technically in the rulemaking phase and not yet finalized. The DoD has stated that no contracts will include CMMC requirements until rulemaking is complete.

The time to act is now. By the time it becomes a requirement, your prime will already be looking for proof that you’re on the path.

The Path to CMMC Compliance

Compliance is a structured process. Here are the main CMMC steps to certification:

  1. Scoping
    Identify which parts of your business handle FCI or CUI. These systems are considered “in scope” and must meet CMMC requirements.
  2. Readiness Assessment
    Compare your current security practices against the controls required for your CMMC level. This helps identify gaps early.
  3. Remediation
    Address the gaps. That could mean tightening access controls, implementing multifactor authentication (MFA), or strengthening endpoint detection and response (EDR). It could also mean creating new policies or procedures.
  4. Documentation
    Prepare your System Security Plan (SSP) and, if needed, a Plan of Action and Milestones (POA&M). These are required for audits and show how you’re managing your cybersecurity.

IMPORTANT: Documentation is your biggest hurdle. You must be able to articulate how each control is implemented to meet the objectives of the control.

  5. Assessment
    • Level 1: Submit a self-assessment each year
    • Level 2: Either self-assess or schedule a third-party assessment with a C3PAO
    • Level 3: Undergo an official government assessment
  6. Certification and Monitoring
    A C3PAO certification is valid for three years. But compliance isn’t a one-time project. You’ll need to submit a self-assessment during the second and third years of your certified period.

What You Should Do Now

You don’t need to overhaul your business overnight, but you do need to take the first step.

Start here:

  1. Figure out which level you need. If you're not sure, your prime contractor can help clarify.
  2. Assess your cybersecurity practices. Begin with the basics—access control, secure passwords, system updates.
  3. Document what you're already doing. Policies and logs are not just helpful; they are vital. Most organizations fail compliance because they lack documentation and cannot demonstrate governance over what they do.
  4. Find a trusted partner. Compliance is easier when you're not doing it alone.

85% of all CMMC certification failures are organizations that do NOT have a CMMC partner.

The CMMC Bottom Line

CMMC certification is quickly becoming the price of admission for working in the defense space.

You don’t need to be a cybersecurity expert, but you do need a plan.

At HBS, we help businesses like yours get compliant, stay secure, and avoid surprises when that contract renewal comes around. If you’re unsure where to begin or what level applies to you, we’re here to help.

Let’s make sure your business stays in the game.
