CMMC readiness: Top 3 disruptions affecting the Defense Industrial Base

Engage a CMMC certified professional or assessor, or at least assess your contracts and clarify CUI expectations with your contracting officer.

The finalization of the Cybersecurity Maturity Model Certification (CMMC) rule marks a shift in how Defense Industrial Base (DIB) contractors engage with the Defense Department. Yet a recent survey paints a concerning picture: More than 16% of respondents reported little to no readiness for CMMC compliance, half admitted to being only moderately or slightly prepared, and 13% said they’d taken no action at all.

There are several reasons for this state of unpreparedness, but the biggest issues are the cost of compliance, confusion about the certification timeline, and the definition and scope of controlled unclassified information (CUI).

Cost is the #1 challenge

The survey found that 57% of respondents named cost as a top preparation challenge, and 35% reported either that they do not know what they have spent to date preparing for CMMC or that they have invested less than 1% of their budgets.

A bit of history explains this: Since 2017, DoD contractors have been required under DFARS clause 252.204-7012 (commonly "DFARS 7012") to implement, and self-attest to, the security requirements of National Institute of Standards and Technology Special Publication 800-171 (Revision 2 for CMMC purposes). CMMC was created to verify that those controls are actually in place by adding assessment, including third-party assessment for most Level 2 contracts, rather than relying on self-attestation alone.

Many contractors confuse implementation costs with assessment costs. Implementation has been mandated under DFARS 7012 since 2017; the assessment cost is what CMMC adds. Contractors often leave both out of bids to stay competitive, and some have delayed compliance altogether, an approach that is unsustainable now that certification is becoming mandatory.

Consequently, proposal teams may not know how to account for implementation or assessment costs in the bid process, and the costs are frequently omitted because higher rates are perceived to hurt the bid. During the DFARS 7012 rulemaking, the DoD fully expected rates to rise. The burden is heaviest for a contractor with a single contract; with multiple contracts, the costs can be spread across those contracts and across the years of each period of performance. A contractor that leaves compliance costs out of its rates has no way to charge those activities back to the customer and, as a result, has often chosen not to focus on compliance at all.

Confusing information from DoD

Half of the respondents surveyed said their biggest challenge was conflicting or confusing guidance from the government. With CMMC’s long and winding rulemaking process, it’s no wonder. Regulatory timelines are complex, often shifting with political changes, adding to the confusion.

However, as with the cost issue, the complaints about confusing information partly reflect a misunderstanding of the rulemaking process. Federal regulations go through a number of steps (proposed rule, public comment period, final rule published in the Federal Register) before they take effect. Each step has its own timeline, and those timelines are subject to change, so many observers become confused by what look like conflicting deadlines and requirements. On top of that, a new administration and a new Congress bring additional review periods, which can add to the confusion.

Questions about CUI scope

Nearly half (49%) cited confusion over the boundaries and what constitutes CUI. While the DoD should define CUI clearly in each contract, officials have admitted that training, even internally, has fallen short.

The recently proposed Federal Acquisition Regulation rule on CUI (in Title 48 of the Code of Federal Regulations; "federal" here meaning government-wide, not just the DoD) may require agencies to identify the expected CUI types more clearly, which would provide much-needed clarity. In the meantime, contractors should follow the CMMC Level 2 Scoping Guide: identify every asset that stores, processes or transmits CUI, along with the assets that hold security protection data, and document how CUI flows into and out of the assessment boundary.

CMMC is new, and speed bumps are inevitable. But don’t wait. Compliance has been enforceable since 2017 under DFARS 7012. The sooner you act, the greater the competitive edge.

Large primes are already moving forward. You should, too. Engage a CMMC certified professional or assessor, or at least assess your contracts and clarify CUI expectations with your contracting officer.

Don’t be a roadblock. Inaction not only delays certification, but it could also expose your organization to serious legal risk under the False Claims Act.


Thomas Graham is vice president and chief information security officer at Redspin.

Copyright © 2025 Federal News Network. All rights reserved.
