CMMC Is Taking Effect: What DoD Contractors Can Expect in 2025

    It’s been a long, winding road to CMMC implementation, but we are finally here. In the first webinar of our CMMC Compass series, Virtru’s Andrew Lynch sat down with Joe Devine, president of cybersecurity assessment firm Axiotrop, to discuss what comes next for the defense industrial base (DIB). 

     

    With the publication of CMMC Title 32 in October 2024, the Cybersecurity Maturity Model Certification (CMMC) 2.0 program has been finalized, marking a significant milestone for defense contractors. As organizations prepare for CMMC to take effect as part of DoD contracts — and as Prime Contractors begin to require CMMC readiness of their own supply chain partners — here's what we know so far about the upcoming requirements, timelines, and assessment process.

    CMMC: Key Milestone Dates for 2024-2025

    • December 16, 2024: Title 32 becomes effective, officially establishing the CMMC program
    • H1 2025: Expected publication of Title 48, which will allow the inclusion of CMMC requirements in DoD contracts
    • 2025-2028: Phased implementation approach over 3 years:
      • First 6 months: Initial rollout begins
      • Year 1: Self-assessments permitted, selective Level 2 third-party assessments begin
      • Year 2: All contracts should have Level 2 implementation
      • Year 3: Level 3 implementation complete

    Which CMMC Level Do I Need?

    The DoD outlines the 3 CMMC levels based on the sensitivity of information handled as part of any given defense contract. "Most of our audience is going to be Level 1 or Level 2," explained Devine. "There's a small, small number of companies that will be Level 3." He gave an overview of the three levels and what they mean for contractors:

    1. CMMC Level 1: Basic cyber hygiene (15 controls)
      • For contractors handling Federal Contract Information (FCI) only
      • Self-attestation permitted
      • Covers basic information like purchase orders, part numbers, and pricing
    2. CMMC Level 2: Advanced cyber hygiene (110 controls)
    3. CMMC Level 3: Expert cyber hygiene (134 controls)
      • Adds 24 controls from NIST 172 for advanced, persistent threats
      • For contractors handling the most critical CUI for national security

    CMMC Assessment Process: What to Expect

    One of the most common audience questions was related to the third-party assessment process, most notably: How much does CMMC assessment cost? 

    As you would expect, Devine says that the cost can vary depending on the size of the organization; its physical locations; how data is managed and shared; and the CMMC level they seek to attain: "I haven't had a quote for any size organization below $50,000. Assessments typically range from $50,000 to $80,000+ depending on organization size."

    CMMC Assessment Timeline and Process

    The assessment process may look different depending on which CMMC C3PAO vendor you choose. Speaking from his personal experience at Axiotrop (which is tracking toward C3PAO status), Devine said that once your organization has made it through the queue, the assessment itself will likely span roughly four weeks and may include:

    1. Pre-assessment phase: Evaluating readiness for the assessment and establishing roles and responsibilities. 
    2. Virtual assessment 
    3. On-site facility visits (if applicable)
    4. Report compilation and review

     

    Understanding SPRS Scores 

    Devine highlighted the role of SPRS Scores (named for the Supplier Performance Risk System), which are based on NIST SP 800-171.

    “Those 110 controls have a value of 1 point, 3 points, or 5 points, depending on how important they are to securing CUI. And when you build up all those points, it's a 313-point range. That range is perfect at 110, and it actually goes all the way down [below zero] to -203.”

    "If you fail your C3PAO assessment and you don't have a score of 88, then you have failed," warns Devine. However, there is some flexibility: Organizations that achieve a score of 88 or higher and only miss certain one-point controls may qualify for a Plan of Action and Milestones (POAM) with 180 days to address deficiencies.

    CUI Enclaves Can Be Effective

    For organizations where defense contracts represent a small portion of their business, Devine offers guidance: "If you have CUI, you have CUI. You need to protect it. What you can do is, you can limit the scope... If you're a 100-person organization and 90% of your business is coming from other places — the commercial world for instance — you can build an enclave solution instead of an enterprise solution." This scoping of CUI can help reduce complexity and cost for an organization going through the CMMC assessment process. 

    Prime Contractor CMMC Requirements

    Even before Title 48 implementation takes effect in early 2025, many Prime Contractors are already requiring CMMC readiness. As Devine explains, "Primes can officially start requiring their supply chain to go get that certification... The Primes don't want to lose their business. They want to be able to continue to provide their military systems to the DoD."

    Some Prime contractors are implementing scoring systems with specific SPRS Score thresholds such as Green (110), Amber (70+), and Red (< 70, which may restrict new contract awards).


    Lynch noted, "I commend all these organizations in the DIB for going through this. It's important for our nation's security, but I know it's not easy. On a regular basis here at Virtru, I talk to organizations working towards CMMC weekly, and it's complex. There's been a lot of uncertainty and questions that they didn't know the answers to until recently. But it sounds like a takeaway is that, often, organizations think they are further along than they actually are, and these large Primes already are essentially saying, 'We need to see that you're gonna be ready for it.'"

    Devine agrees that Primes are already expecting readiness from their subcontractors: "I think it's prudent that [Primes] are working with the supply chains to ensure that, you know, the tier ones, the tier twos, all the way down are [ready]."

    Encryption Is Vital to CMMC Compliance 

    Devine notes that one of the most critical yet commonly failed controls is encryption. "Of all the things that we do... of all those 110 controls, the most important thing is trying to make the data not obtainable," states Devine. "If all those other things fail and our adversary gets access to our data, we at least want it to be encrypted so they can't use it... That, surprisingly, is the number-one unmet control."

    Lynch notes that this is why many defense contractors look to Virtru for data encryption and access control solutions. Virtru integrates with Google Workspace and the Microsoft 365 ecosystem to enable secure email and file sharing to support compliance with CMMC. Lynch references the Virtru Shared Responsibility Matrix, which highlights 27 CMMC practice IDs across five domains, where Virtru supports compliance through encryption, access control, and CUI protection.  

    FedRAMP Authorization Is Far Better Than Equivalency


    When selecting vendors for CMMC compliance, particularly cloud service providers, FedRAMP Moderate authorization is important in terms of your liability. While providers can claim to be "FedRAMP Moderate equivalent," Devine explains why this distinction matters:

    "If you have picked somebody that's FedRAMP moderate equivalent, then you're on the hook as the organization using that company... you are on the hook to kind of validate and verify that they've met all those requirements and they continue to meet them and that they continue to perform the due diligence that they're supposed to do in order to maintain that equivalency."

    This creates additional work and risk for organizations seeking certification. As Devine notes, "That's a mountain of work, and there's no way you can do that work, really. You have to kind of trust, and that means the person at that company has to hit everything perfectly."

    Conversely, using FedRAMP Moderate authorized vendors simplifies the compliance assessment process, because those solutions are already vetted: "If I'm going to use a tool that has gone through that [FedRAMP authorization] process, I don't have to worry about it."

    To verify a vendor's FedRAMP status, Devine advises: "If somebody's saying that they're FedRAMP approved, FedRAMP Moderate approved, then they will be listed in the FedRAMP Marketplace. If they're not there, then I would ask more questions."

    CMMC Tools Must Be Easy to Use


    As a FedRAMP Moderate authorized data security provider, Virtru helps organizations support CMMC encryption requirements for CUI protection while enabling crucial collaboration workflows to take place. With Virtru, defense contractors of all kinds can encrypt and share sensitive information while maintaining control of that data at all times. 

    Here's what Virtru brings to the table for CMMC:

    Devine said it well: "You have to protect the CUI, but then you also have to make it amenable to good business workflows." This is where Virtru shines, and why organizations across the DIB use Virtru to support their CMMC compliance efforts. 

    CMMC Next Steps for Defense Contractors

    1. Determine your required CMMC level based on the type of information you handle
    2. Begin implementing required controls and document these efforts for future assessments
    3. Consider engaging with a Registered Provider Organization (RPO) for guidance, if needed
    4. Implement security tools and processes required for your CMMC level, including encryption solutions
    5. Schedule your assessment when the time is right, knowing that C3PAO availability may be limited with the onset of CMMC implementation

    With limited C3PAO availability and growing pressure from Prime Contractors, organizations should begin preparations now, rather than waiting for Title 48 implementation. Early preparation and the right tools will be key to maintaining your competitive advantage in the defense industrial base, especially if you are entrusted with protecting sensitive CUI.

    Want to see how Virtru can be an easy win for your CMMC strategy? Contact our team today. We'd love the chance to talk with you. 

    Editorial Team

    The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.
