The reality check for defense contractors is sobering: only 4% of DoD contractors are ready for CMMC certification. While the Department of Defense has set 2025 for this requirement to be phased across all contracts, there’s still confusion on what it means to be compliant. 

This has left contractors buried in documentation, with little understanding of how to meet requirements and their deadlines. Your business runs on DoD contracts, but CMMC compliance might seem insurmountable.  

The good news?  

You don’t have to become a cybersecurity expert overnight. You need practical solutions that are possible with your budget and timeline.  So keep reading.  

Understanding CMMC 2.0: What Changed and Why It Matters 

The CMMC program saw a large number of updates in 2024. On August 15, 2024, the DoD released an updated proposed rule that finally clarified many questions contractors had just had to guess on. As of December 2024, CMMC requirements were not yet live for all contracts, with DoD phasing in requirements over time, with high-priority contracts starting in FY25. 

The basic structure stays the same: 

• Level 1 (Basic): This is a set of basic cyber hygiene controls to help protect Federal Contract Information (FCI). You will need to perform a self-assessment on compliance with the 15 required ‘practices’ annually. If your contract does not involve anything but general information for a government agency, this would likely be your maturity profile. 
• Level 2 (Intermediate): Builds upon Level 1 by adding some documentation and transitioning to protection CUI. Also, there is now an actual enforcement mechanism, and you must have a third-party assessment of your security posture if you want to be certified at that level. Most likely, if detailed technical data or PII are involved in your contract, this would be your minimum level of compliance. 
• Level 3 (Expert): This is basically advanced persistent threat protection.  Few companies need it at least right out of the gate on a new contract (but there are plenty that need it on ongoing programs). 

The key changes from earlier versions are that contractors have explicit guidance around where they are in implementation and when they will be assessed. New proposed rules require contractors to notify the contracting office within 72 hours of any event impacting their ability to maintain the required cybersecurity level or changes to their CMMC compliance status. 

Real Challenge: Current State of Contractor Readiness 

The current state of contractor readiness reveals that only a few have completed a self-assessment that would serve as the baseline for CMMC compliance requirements. Most contractors haven’t even begun on the blocking and tackling. 

There are three main reasons for this readiness gap: 

• Information Overload: Contractors feel they need to try to do everything at once. The volume of documentation can literally paralyse small teams that are already thinly spread across other contracts. 
• Resource Constraints Impact Contractors of Every Size: Small businesses do not have dedicated IT staff, and larger entities find it difficult to spread cybersecurity expertise across multiple locations/sites and systems. 
• Contractors are Frustrated Because This is a Moving Target: Many postponed preparation, waiting for final rules, only to discover that the things that had to be done are basic cybersecurity fundamentals, many of which should have been in place years ago. 

The contractors succeeding with CMMC compliance share common approaches. They have a starting point to accomplish the fundamentals, add to them incrementally, and most importantly, have sustainable practices rather than searching for perfect practices. 

How to Build Your CMMC Compliance Foundation? 

Building your CMMC compliance foundation will first require you to start with asset inventory and data classification. You cannot protect what you don’t know you have.  

Here are four steps to help you build a CMMC compliance foundation: 

• Create a simple spreadsheet listing all devices, software, and data systems. Identify which systems handle FCI or CUI. This is your compliance roadmap. 
• Proceed to document your current security practices. You are likely already doing more than you think. Password policies, antivirus software, and backup procedures are all security controls. Write it down before finding gaps. 
• Implement fundamental network separation. Separate your business network from systems that will process, store, or transmit government information.  
• Finally, implement access controls systematically. For example, have user accounts for each employee, and ensure that users are only granted the access they need. Promptly revoke access for ex-employees, and use multi-factor authentication for all systems supporting CUI. These practices fulfill multiple CMMC practices at once. 

Practical Strategies for Level 1 Compliance 

Level 1 self-assessment is easy to complete if you have the proper documentation in place. Develop a compliance checklist that maps each control requirement to your implementation. Be specific and describe how, not what! 

• Start with physical security basics. Lock server rooms and filing cabinets. Install security cameras for areas containing sensitive information. Create visitor logs and escort procedures. These are tangible actions that meet multiple mandates, and also show that you can think about security logically. 
• Build incident response procedures your team will actually use. Write simple templates for reporting security events, designate communications channels, and practice these procedures often. Most contractors find gaps through simulations rather than events. 
• Train your whole workforce about security awareness. Have a monthly security discussion during an all-hands meeting, show real examples of phishing emails, and develop short reference cards for commonly encountered security issues. When your employees are engaged, they’re the best security tool you can have. 

Level 2 Implementation: Advanced Strategies That Work 

Level 2 compliance requires third-party assessment, making preparation critical.  

• Start by conducting an honest gap analysis based on the NIST SP 800-171 framework. Identify and prioritize high-impact, low-cost improvements and implement them before throwing money at expensive solutions. 
• Implement configuration management for all systems. Document standard configurations for workstations, servers, and network devices. Utilize automated tools where possible to ensure consistency. Some of the most successful contractors use free or low-cost configuration management platforms. 
• Enable comprehensive logging and monitoring. Configure systems to log security events and user activities. Use automated mechanisms to detect potential issues. Review logs regularly– many contractors find security enhancements through log analysis. 
• Develop a formal system security plan tailored to your environment. If you submit a generic template, they will probably not pass the safety review. Be prepared to document your network architecture, how data moves around in your network, and the security mechanisms you have in place. Safety assessors want to see that you know what is going on within your own systems.  

Level 3 Execution: Strategies for Long-Term Security  

Level 3 compliance is all about proving security maturity. You’ve got to show that your processes are not just repeatable, but also manageable and adaptive.  

• Formalize risk management: Keep a living risk register, regularly update it on a quarterly basis and assign ownership. 
• Use role-based access controls: Give permissions based on roles, review them often and apply least-privileges. 
• Integrate vulnerability management: Automate scans, patch quickly, and document remediation with evidence. 
• Establish continuous monitoring: Track measurable metrics like incident response times, uptime, and system performance. 
• Secure the supply chain: Assess subcontractors and suppliers for compliance, send out questionnaires, and add security clauses to contracts. 

Working with Assessors and Certification Bodies 

To work with a CMMC Assessor and Certification Body, you must first understand that assessors conduct assessments, while Certification Bodies oversee the assessment process and issue certifications.  

You will likely need a CMMC-Approved C3PAO for the Level 2 assessment process, where they will verify compliance with the CMMC framework at your required maturity level.  

Here’s what to keep in mind: 

• Choose assessors based on experience with organizations similar to yours. Seek references from contractors in your industry sector and of a similar size. Experienced assessors offer valuable guidance through preparation, not just assessment. 
• Get ready before the assessment. Do your own internal readiness assessments using the criteria that the assessors use to fix any clear gaps ahead of time—contractors who are well-prepared upfront often complete assessments faster and with fewer findings. 
• Keep communication flowing during the entire assessment. Don’t guess what is required if something doesn’t seem clear; ask for clarification. Don’t provide documentation or other evidence piecemeal; get it ready in its entirety and deliver it when requested. Assessors appreciate openness and being well-prepared. 
• Plan for continuous compliance, not just initial certification. Establish processes for maintaining security controls and documentation after certification. Many contractors struggle with ongoing compliance because they view certification as a one-time event. 

Why a CMMC Compliance Audit is Important? 

A CMMC compliance audit is a necessary protection mechanism for DoD contractors and the defense supply chain. Here’s why: 

• Regulatory Compliance: Auditing contractors comply with Department of Defense cybersecurity standards to reduce loss of contracts and legal implications. 
• Improved Security: An audit identifies vulnerabilities in current systems so that organizations can strengthen and protect sensitive information. 
• Industry Credibility: A CMMC compliance audit assures the government and other partners are committed to cybersecurity. 
• Risk Reduction: An audit ensures a reduced likelihood of a data breach or cyber-attack by having best practices for operations in place. 

Companies that undergo a CMMC compliance audit protect themselves and are better positioned within the defense contracting industry. 

Building Long-term Compliance Success 

Building long-term compliance success requires weaving security into everyday business operations rather than treating it as a one-time checklist. 

• Integrate security thinking into business processes rather than treating it as a separate compliance activity. Include security considerations in project planning, vendor selection, and system changes. This prevents many compliance problems before they occur. 
• Establish regular review cycles for policies, procedures, and technical controls. Schedule a quarterly compliance meeting to catch issues early, make improvement plans, and budget for necessary changes. 
• Create feedback loops between operations staff and management. Your frontline staff usually experience security issues before anyone else. Ensure you have established communication channels to report security concerns and recommendations.  
• Plan for growth and change in your compliance program. Design security controls that scale with your business. Include requirements of laws or regulations you may become subject to because of a merger, acquisition, or new partnership in your risk assessment. Proactive planning prevents compliance crises during business growth. 

Building a Path to Sustainable CMMC Compliance 

CMMC compliance can be daunting for your organization, but success does not require perfection upon implementation. It requires a methodical preparation approach, pragmatic steps forward, and ongoing commitment.  

Successful contractors that are meeting CMMC compliance have a few things in common: they understand and start early, have a systematic approach, view security as a business enabler vs a burden, leverage scalable solutions, and build compliance as their organization matures.