The Future of CMMC Compliance
Current Lay of the Land: CMMC Compliance
Since its initial release in January 2020, the Cybersecurity Maturity Model Certification (CMMC) has undergone a series of fundamental changes. Fortunately, the compliance requirements became much clearer when the US Department of Defense (DoD) published the CMMC Program Final Rule (32 CFR Part 170) in October 2024.
CMMC will affect nearly every DoD contractor and subcontractor that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), and at the time of writing it was anticipated that CMMC requirements would begin appearing in DoD solicitations and contracts as early as March 2025, phased in over the following three years. You can learn more about CMMC’s timing in this CMMC Deadline guide.
Since the CMMC space has been moving forward rapidly, here’s a recap of recent updates:
- CMMC Level 2 or Level 3 assessments will be required as a condition of contract award for all applicable contracts that involve Controlled Unclassified Information (CUI). Level 2 maps to the 110 requirements of NIST SP 800-171 and, depending on what the solicitation specifies, is met either by a self-assessment or by a certification assessment performed by an authorized CMMC Third-Party Assessment Organization (C3PAO). Level 3 adds selected requirements from NIST SP 800-172 and is assessed by the DoD itself (DCMA DIBCAC) on top of a Level 2 certification.
- CMMC Level 1 self-assessments will be required for all applicable contracts that involve Federal Contract Information (FCI). Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21. Every level also requires an annual affirmation of continued compliance by a senior company official. You can find out more about the assessment requirements for all compliance levels in this CMMC assessment guide.
- Throughout the CMMC implementation process, you can expect increased scrutiny of your IT security processes, including the evidence (policies, configurations, logs, and system security plans) that backs up each claimed practice.
- Your company will also need to continuously validate its supply chain security practices, because CMMC requirements flow down to subcontractors that handle FCI or CUI, and future cybersecurity mandates are likely to do the same.
As they say, the only thing constant is change. CMMC won’t remain static, so you will need to adapt your cybersecurity procedures as the program, the underlying NIST standards, and the threat landscape evolve.
My experience is that the average organization could take 12 to 18 months to become CMMC compliant, even if it already has the required technical skill sets in place. So, I’ve outlined best practices below that will help you get your program started.
CMMC Compliance: Where to Start
With government regulations evolving rapidly, along with the cyberthreats those regulations are meant to address, it’s easy for an organization to become overwhelmed. But that doesn’t have to be the case. By following these basic approaches, you’ll be well on your way to complying with key cybersecurity regulations, including CMMC.
Harness Your People Power
It’s important to get your entire organization on board for any changes that you’ll be making. In particular, you need to take the following steps:
- If you haven’t already done so, develop the business case for CMMC and obtain buy-in from your executive and operational teams. CMMC is not a one-time project; it is an organizational mindset and an ongoing practice that produces both security and compliance.
- Educate your end users, internal support teams, and executive team about their roles, responsibilities, and accountability, and the impact their actions have on the program, and communicate with them regularly.
- Train your employees in cybersecurity best practices, particularly phishing, the risks of using third-party sites, tools, and software code, and the impact of development processes that don’t build security in.
- Get organizational resolve from your teams to improve cybersecurity protection. You may need to devote extra time to showing potential IT security detractors in your company that better productivity and more effective cybersecurity can go hand in hand.
- Acknowledge and reward the security-centric behavior you want to see.
In other words, you need to develop a security culture. Culture trumps strategy every day of the week and twice on Friday (I’m loosely quoting the saying commonly attributed to management consultant Peter Drucker, but you get the point). At base, your corporate strategy and culture need to be aligned. Together they drive your communication, education, and training efforts, along with your organizational resolve.
Implement Technology Best Practices
Here, rather than accumulating a large number of point solutions, you want technology to work with you rather than against you. As such, you need to:
- Assess your IT security status over time in the following areas: hardware security, software security, technical configurations, and the inventory of IT assets that store, process, or transmit FCI and CUI. You can’t scope an assessment, or protect the data, without knowing where it lives.
- Focus first on implementing the technical controls (hardware, software, and configuration) that will have the most short-term, and long-term, impact in reducing your attack surface and the risk to the organization.
- Avoid jumping to the end solution. For example, review your entire application security process before pursuing a specific IT product that promises to meet all of your security needs. As Fred Brooks argued in his 1986 essay “No Silver Bullet,” there is no single development that will solve software engineering’s problems. That rings true for cybersecurity as well.
Instead, focus on manageable implementation of security best practices that integrate with your current solutions (with an eye on future success) and generate the best ROI for the business’s operations, as well as for your IT and security teams.
Improve Your IT Security Processes
Plain and simple, people and technology can’t be effective without sound IT security processes. Recommended steps include the following:
- As with any successful plan, prioritize the steps you need to take to reach your goals and regularly track your progress. For CMMC, that means a System Security Plan that documents how each requirement is met and a Plan of Action and Milestones for the gaps.
- Determine when and how you will achieve each required IT security standard, and who owns it.
- Monitor and update your compliance efforts as threat vectors, technology, and regulations change.
- Engage a trusted third party to help with your journey. This can often save you considerable time and let you benefit from the provider’s experience with other clients and industries.
Remember that you can’t boil the ocean, but you can focus on the strategic projects that have the biggest impact. Align your security objectives with business opportunities, make IT security a competitive advantage, and don’t hesitate to draw on help both internally and externally.
Learn More
To learn more about the CMMC Final Rule, watch and share the replay of our recent webinar: “The CMMC Final Rule: What Actions Do You Need to Take?”