Six Reasons CMMC is Good for Contractors and Why You Should Embrace It Too

by Chris Haigh, CEO & Certified CMMC Instructor, Meerkat Cyber

The Department of Defense’s (DoD) long-anticipated Cybersecurity Maturity Model Certification (CMMC) Final Rule took effect on December 16, 2024. For most within the Defense Industrial Base (DIB) ecosystem, the five-year evolution of CMMC has been a challenging process. Initially, the DoD transitioned from a 5-tiered CMMC 1.0 framework to a 3-tiered CMMC 2.0 framework. Rather than communicating these changes to the DIB ecosystem in advance, the DoD’s intentions were revealed through an accidental post [1] on its website. Those who were preparing materials for CMMC 1.0 had to discard much of their work in response to this sudden shift.

This turbulent history has left many within the DIB apprehensive about CMMC. The journey began with National Institute of Standards and Technology (NIST) SP 800-171 self-assessments, which were required across the DIB, but multiple Inspector General reports highlighted their ineffectiveness in achieving compliance. The DoD then proposed CMMC, which mandated third-party assessments and additions to the NIST SP 800-171 framework. Self-attestations were no longer deemed sufficient. However, the plan shifted again, reducing the model to three tiers, with Tier 1 allowing self-assessments and Tiers 2 and 3 requiring third-party assessments, while eliminating the additional requirements beyond NIST SP 800-171.

It appears unlikely that CMMC will be phased out. Whether it is embraced or resisted, there are many positive aspects of the CMMC rollout. CMMC is a critical step for national security and business success, and it is what the DIB signed up for. It will:

1. Enhance National Security by Securing Data

First and foremost, the purpose of the DIB is to protect the lives of military personnel and preserve national freedom. Adversaries, particularly China, have become adept at gathering data from various sources, regardless of how insignificant that data may appear. For example, China’s cyber forces have grown to a size larger than the combined forces of the U.S. and its allies, frequently infiltrating critical infrastructure to gather sensitive information. Some of these intrusions remain undetected for years.

Even if a company does not think it handles sensitive data, it is crucial to recognize that seemingly trivial information—such as Federal Contract Information—can be highly valuable to adversaries. A seemingly innocuous detail, such as the number of tacos being delivered to a military base, can provide invaluable intelligence. This is exactly how U.S. intelligence tracked down El Chapo by following a delivery truck carrying an unusually large order. The key takeaway is that securing all data is paramount for national security.

Read the entire article in the Winter 2025 edition of Service Contractor magazine.