From Self-Attestation to Verified Compliance
For years, defense contractors handling Controlled Unclassified Information (CUI) have been required to implement the 110 security controls defined in NIST SP 800-171. Compliance was based on self-attestation — contractors assessed their own implementation and submitted scores to the Supplier Performance Risk System (SPRS). The system relied on good faith, and the results were predictable: a significant gap between reported compliance scores and actual security postures across the defense industrial base.
CMMC 2.0 addresses this gap by introducing third-party assessment for contractors handling CUI. Level 1 (foundational) still allows self-assessment for contractors handling only Federal Contract Information. Level 2 (advanced) requires assessment by a CMMC Third-Party Assessment Organization (C3PAO) for contractors handling CUI on prioritized programs. Level 3 (expert) requires government-led assessment for contractors supporting the most sensitive programs.
The final CMMC rule was published in the Federal Register in October 2024, with a phased implementation that began appearing in contracts in early 2025. Contractors who assumed CMMC would be indefinitely delayed are now confronting a concrete timeline. The question is no longer whether CMMC will be enforced but how quickly an organization can achieve verified compliance.
The Practical Compliance Challenge
The 110 controls in NIST SP 800-171 span 14 control families covering access control, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. For many small and mid-size defense contractors, implementing all 110 controls at the level required to pass a third-party assessment represents a significant undertaking.
The most common areas of deficiency are not the obvious ones. Most contractors have basic access controls and antivirus in place. The gaps tend to be in three areas: audit logging and review, where organizations collect logs but do not systematically review them for indicators of compromise; configuration management, where baseline configurations are not documented or enforced consistently; and incident response, where plans exist on paper but have never been tested through tabletop or functional exercises.
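The audit-review gap above is the one that is easiest to close with a small, repeatable procedure. The following script is an added illustration, not code from the article or from any CMMC assessment guide: it parses authentication records, applies two documented review rules (a burst of failed logins from one source, and a successful login from a source that just produced such a burst), and returns findings an analyst can act on. The syslog-like line format, the sample records, the threshold and the time window are all constructed for this example; a real deployment would point the same rules at its own log source and tune the thresholds.

```python
"""Systematic review of authentication logs for simple indicators of compromise.

Added example (not from the article). It shows the minimal shape of a
repeatable log review: parse the records, apply documented rules, emit
findings. Log format, thresholds and sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a syslog-like layout (not real data).
SAMPLE_LOG = """\
2025-03-04T08:00:01Z auth sshd: Failed password for jdoe from 203.0.113.7
2025-03-04T08:00:03Z auth sshd: Failed password for jdoe from 203.0.113.7
2025-03-04T08:00:05Z auth sshd: Failed password for admin from 203.0.113.7
2025-03-04T08:00:07Z auth sshd: Failed password for root from 203.0.113.7
2025-03-04T08:00:09Z auth sshd: Failed password for jdoe from 203.0.113.7
2025-03-04T08:00:12Z auth sshd: Accepted password for jdoe from 203.0.113.7
2025-03-04T09:15:00Z auth sshd: Failed password for asmith from 198.51.100.20
2025-03-04T12:30:00Z auth sshd: Accepted publickey for asmith from 198.51.100.20
"""

# Assumed line layout for the constructed records above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) \S+ for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse(text):
    """Parse log lines into dicts; count (do not silently drop) unparsable lines."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events, skipped


def review(events, threshold=5, window=timedelta(minutes=10)):
    """Apply two documented review rules and return a list of findings.

    Rule 1 (failure_burst): at least `threshold` failed logins from one
    source address inside a sliding `window`.
    Rule 2 (success_after_burst): a successful login from a source whose
    failure burst is still inside the window, i.e. a possible guessed password.
    Each finding is (rule, source, timestamp).
    """
    findings = []
    failures = defaultdict(list)   # source -> timestamps of recent failures
    flagged = set()                # sources already reported under rule 1
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        # Keep only the failures that are still inside the sliding window.
        failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            failures[src].append(ev["ts"])
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append(("failure_burst", src, ev["ts"]))
        elif src in flagged and failures[src]:
            findings.append(("success_after_burst", src, ev["ts"]))
    return findings


if __name__ == "__main__":
    evs, bad = parse(SAMPLE_LOG)
    print(f"parsed {len(evs)} events, skipped {bad} unparsable lines")
    for rule, src, ts in review(evs):
        print(f"{ts.isoformat()}  {rule:20s}  source={src}")
```

The point of the example is the shape, not the two rules: the rules are written down, the parser counts what it cannot read instead of dropping it, and the output is a short list of findings that can be reviewed on a schedule and retained as evidence that the review actually happens.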
Organizations that have relied on Plans of Action and Milestones (POA&Ms) to document known deficiencies while deferring remediation face a particular challenge. Under CMMC, certain controls cannot have open POA&Ms at the time of assessment. The practice of acknowledging gaps without fixing them is no longer sufficient for the controls that assessors will evaluate most rigorously.
Building a Compliance Program, Not Just Checking Boxes
The most common mistake in CMMC preparation is treating compliance as a point-in-time assessment rather than an ongoing program. Organizations that rush to implement controls just before their assessment date often find that the implementations are fragile — they pass the assessment but begin to degrade immediately because there are no sustained processes to maintain them.
Effective compliance requires integrating security controls into business processes. Access reviews should be part of the employee lifecycle, not a pre-assessment scramble. Vulnerability scanning should be continuous, with a defined process for prioritizing and remediating findings. Security awareness training should be regular and relevant to the specific threats facing the organization, not an annual checkbox.
The organizations that approach CMMC as an opportunity to genuinely improve their security posture — rather than as a regulatory burden to be minimized — will find that the investment pays dividends beyond compliance. The threats targeting defense contractors are real and sophisticated. The controls required by NIST SP 800-171 and verified by CMMC represent a baseline, not a ceiling.
The Competitive Dimension
CMMC compliance is becoming a competitive differentiator in the defense market. Prime contractors evaluating subcontractors are increasingly factoring cybersecurity maturity into source selection. Organizations that can demonstrate verified compliance, not just self-reported scores, will have an advantage in competing for subcontracts on programs that require CMMC Level 2.
Conversely, organizations that cannot achieve compliance face the risk of being excluded from the defense supply chain entirely. A contractor that cannot meet CMMC requirements cannot bid on contracts that require them, and the scope of those requirements will expand over the phased implementation period.
For defense contractors of all sizes, the message is clear: the time to begin CMMC preparation is now. The assessment infrastructure — C3PAOs, assessors, and the supporting ecosystem — will face increasing demand as more contracts include CMMC requirements. Organizations that begin early will have access to assessment resources and time to remediate findings. Those that wait risk being locked out of a compliance pipeline that cannot accommodate a last-minute surge.