Security

How Agencies Can Stay Ahead of the CMMC Game in 2025

A handful of larger contractors will have Cybersecurity Maturity Model Certification-authorized services ready to go when the security requirements begin appearing in contracts next year.

Tony Woolf

Tony Woolf is the Head of Government Cloud Managed Services at CDW.

Asim Iqbal

Asim Iqbal is the CTO of Enquizit. A role fueled by his experience in security, storage, and resilience.

The Department of Defense wants a smooth transition into the Cybersecurity Maturity Model Certification 2.0 era after spending the past four years reworking its original rule.

One way defense agencies can make future contracting easier is by working with industry partners offering CMMC-compliant services once the security requirements begin appearing in agreements, which is expected to occur as soon as early 2025.

DOD posted its final rule, establishing the CMMC 2.0 program for verifying its contractors and implementing required security measures around contract and controlled unclassified information, to the Federal Register in October. The rule goes into effect on Dec. 16, 2024, and will be followed by a three-year phased implementation starting with contractor self-assessments.

CDW Government counts itself among a few larger contractors that will have a CMMC-certified enclave to protect defense agencies’ data beginning early next year, having prepared for the new contract requirements for the past seven months. Agencies would be wise to take advantage of such tools from the jump.

Click the banner below to see how identity and access management can improve the user experience.

CMMC 2.0 Presents Early Hurdles for Most Contractors

Despite DOD’s efforts to make CMMC compliance less costly by allowing for contractor self-assessments, small vendors with small defense contracts likely won’t be ready if requirements do indeed begin to be included in agreements in the first quarter of 2025. They simply lack the revenue to achieve compliance, especially if they haven’t been planning for this moment.

In the past, DOD gave vendors with winning contract bids time to achieve compliance with its security requirements before they started hosting its data in accordance with agreements. That’s no longer the case.

Vendors must be CMMC compliant when they bid, and it will take a year or longer to receive authorization. Those hoping DOD will extend deadlines yet again will likely be disappointed.

Defense agencies won’t even necessarily be the ones driving CMMC compliance moving forward; prime contractors will demand their subcontractors become compliant or refuse to bid with them.

Vendors expecting to fall back on civilian agency work could find themselves out of luck. If funding for a particular contract touches DOD, vendors may still need to prove CMMC compliance.

DISCOVER: Going multicloud is an easy way to control agency costs.

CDW Can Be a Managed Services Provider for Defense Agencies

CDW already has a number of small defense contracts in hand with phase two built in, and bigger ones are in the pipeline. The company can be a managed services provider for defense agencies in the CMMC era with some prerequisites.

First, CDW must understand what controlled unclassified information the contract is asking it to protect and where it resides within the agency. Then, CDW’s legal team examines the contract wording so CDW can provide services that fit within the required framework.

CDW can currently provide U.S.-based support as it prepares CMMC-authorized services, including a secure corporate enclave for customer contracts and a management enclave for managing environments containing customer CUI.

These offerings will keep defense agencies that choose to work with CDW ahead of the CMMC game in 2025.

This article is part of FedTech’s CapITal blog series.