
US DoD CMMC 2.0 finalized

02 January 2025


Multiple levels

The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) 2.0 has finally arrived right before the end of 2024, and while it promises to bolster cybersecurity across the American defense supply chain, it’s also raising eyebrows among small and mid-sized business owners.

For these companies, which make up a significant portion of the defense industrial base, the new requirements could mean both opportunities and challenges in equal measure.

At its core, CMMC was created with the goal of protecting sensitive data, Controlled Unclassified Information (CUI), and Federal Contract Information (FCI), from growing cyber threats. US companies looking to be awarded DoD contracts or work with DoD contractors will need to meet one of three levels of compliance:

Level 1: The entry point for small businesses handling FCI. This requires basic protections and self-assessments.
Level 2: For those dealing with more sensitive CUI, this level mandates third-party assessments alongside some self-assessments.
Level 3: The highest level, reserved for critical data, is beyond the scope of most small businesses.

For small or midsize businesses, which often operate with limited budgets and smaller teams, the path to compliance could be a stretch. While the DoD has made Level 1 relatively straightforward with self-assessments, many small firms are still scrambling to understand what is required to achieve compliance.

One of the growing concerns for small businesses is the cost of compliance. The Pentagon has estimated that 8,350 medium and large entities will need Level 2 third-party assessments, but smaller contractors who fall under this category could struggle to afford the associated expenses. The added costs of compliance tools, training, and potential audits are expected to hit businesses hard over the course of the next three years.

Many businesses are worried that these new requirements could push them out of the defense industry altogether, leaving lucrative DoD contracts to larger, better-resourced companies. Despite the hurdles, CMMC could present opportunities for small businesses to up their cybersecurity game. Firms that achieve compliance will be better positioned to compete for contracts and could use their certification as a selling point for other non-DoD clients.

The rollout of the final CMMC specifications is a wake-up call for small businesses and manufacturers. The cybersecurity landscape is evolving from a "best practice" mindset to written requirements that must be met to continue doing business with governments. For those who can weather the storm, the future could hold new opportunities. As cybersecurity becomes a core part of day-to-day business, companies that embrace these changes will find themselves better equipped to handle the challenges of tomorrow.

 

Last modified on 06 January 2025