As cyberattacks against defense contractors continue to rise, the need for a consistent and enforceable framework to protect Controlled Unclassified Information (CUI) has become critical to strengthening the defense supply chain. In response, global research and advisory firm Info-Tech Research Group has released a new resource titled Achieve CMMC Compliance Effectively, providing practical insights for organizations aiming to meet Cybersecurity Maturity Model Certification (CMMC) standards.
Although CMMC was introduced to address these security concerns, many contractors still face hurdles in reaching compliance. Common challenges include outdated IT systems, insufficient in-house expertise, evolving regulatory requirements, and significant costs associated with implementing security controls.
Info-Tech’s blueprint offers a clear explanation of the three main CMMC compliance levels, enabling defense contractors to align their cybersecurity measures with Department of Defense (DoD) requirements based on the sensitivity of the data they handle.
The firm’s research emphasizes that CMMC compliance is mandatory for all prime contractors and subcontractors engaging with the DoD. The framework protects both Federal Contract Information (FCI) and CUI, which are often shared with multiple suppliers and service providers. However, integration issues, data flow complexities, and shifting compliance expectations continue to impede progress for many organizations.
“Failing to meet the required assessment or certification levels can result in losing eligibility to compete for DoD contracts,” said Safayat Moahamad, Research Director at Info-Tech Research Group. “Beyond compliance, companies that proactively invest in cybersecurity build resilience and gain a competitive edge by proving their ability to protect sensitive defense information.”
The blueprint outlines four key CMMC levels and their requirements:
Level 1: Foundational (Self-Assessed)
Applies to organizations managing FCI and requires the implementation of 15 basic security controls and annual self-attestation. Conditional certifications are not allowed at this level.
Level 2: Advanced (Self-Assessed)
Applicable to contractors handling CUI, requiring 110 security controls from NIST SP 800-171. Organizations must achieve a minimum 80% score, address remediation items within 180 days, and complete annual affirmations with a full reassessment every three years.
Level 2: Advanced (Third-Party Assessed)
Similar to the self-assessed Level 2 but requires evaluation by an accredited third-party assessment organization (C3PAO). Certain contracts will mandate this third-party verification based on DoD solicitation terms.
Level 3: Expert (Government Assessed)
Intended for contractors supporting critical defense operations, requiring prior Level 2 C3PAO certification plus assessment of an additional 24 controls from NIST SP 800-172 by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Info-Tech’s research emphasizes that Organizations Seeking Certification (OSCs) and Organizations Seeking Assessment (OSAs) should proactively determine their target compliance level to align their security posture with current and future contract demands.
“Organizations that tackle CMMC compliance proactively can move beyond simply fulfilling requirements,” added Moahamad. “Effective cybersecurity compliance not only ensures eligibility but also positions companies as trusted partners within the defense sector.”
Source: prnewswire