The Ripple Effects of CMMC Requirements

The US Department of Defense (DoD) is currently in the process of implementing CMMC (Cybersecurity Maturity Model Certification) requirements for private sector businesses. This affects contractors in the DoD supply chain, and this new requirement will ultimately affect around 300,000 companies associated with the DoD.

One new update to the CMMC rollout was the announcement of 15 pathfinder contracts requiring CMMC certification that will be awarded during the 2021 fiscal year.

Though the number seems small, due to the CMMC requirements of cybersecurity throughout the entire supply chain, the ripple effect of these new CMMC requirements will be exponential.

Pathfinder Contracts Awarded

The Pentagon announced on Dec. 10 that the following 7 contracts are under consideration to be part of the initial 15 contracts:


  • Integrated Common Processor
  • F/A-18E/F Full Mod of the SBAR and Shut off Valve
  • Yard services for the Arleigh Burke Class destroyer

Air Force:

  • Mobility Air Force Tactical Data Links
  • Consolidated Broadband Global Area Network Follow-On
  • Azure Cloud Solution

Missile Defense Agency:

  • Technical Advisory and Assistance Contract

Despite the small number of contracts being awarded in this first announcement, there are an estimated 1500 companies associated with the original 15 that will need to achieve CMMC compliance. This is due to the number of suppliers and subcontractors of these companies also requiring accreditation.

CMMC 1.0 is the first final rule that governs the certification, and to support the CMMC, the Department of Defence has agreed that a third-party auditor will assess how well these contractors align with the cybersecurity requirements and hygiene practices.

Companies can be awarded a CMMC maturity level of 1–5, with 5 being the highest possible standard achieved, and the most secure.

Full compliance is going to happen in small steps, and that’s why only 15 pathfinder contracts will be awarded in 2021. By 2025, it’s expected that around 48,000 companies will need to comply with CMMC.

What Contractors Must Do To Prepare for CMMC

DoD contractors must prepare for CMMC certification, and this involves a few steps. They must complete a scored self-assessment that runs in accordance with the new methodology as standard.

Following this, they have to then create a System Security Plan (SSP) and Plan of Actions and Milestones (POA&M) before reporting these to the Supplier Performance Risk System (SPRS). The scored self-assessment is a new NIST 800-171, and they have to post their score in the SPRS before any contracts can be awarded.

Contractors are responsible for flowing these requirements down to any suppliers and contractors, too, and DCMA will be checking on this with CMMC audits. These audits will ensure that the self-assessment has been completed with an accurate score, requiring more accountability from companies completing the self-assessment. The POA&M also have to be accurate and realistic, as do the SSP.

CMMC in the Future

There are still changes and improvements being made to CMMC, and new announcements will likely continue through its total implementation in 2025. The best thing DoD contractors can do to continue to prepare for CMMC and remain eligible for contracts is to stay up to date with new compliance requirements as they are announced.