Security

Major Contractors Close In on CMMC 2.0 Readiness

Don’t bank on receiving relief if your small business is subject to new Cybersecurity Maturity Model Certification requirements to compete for federal contracts.

Tony Woolf

Tony Woolf is the Head of Government Cloud Managed Services at CDW.

Major federal contractors are positioning themselves to provide advisory and managed compliance solutions that adhere to the Cybersecurity Maturity Model Certification 2.0 before it’s required in contract language later this year.

While there is not yet an official list of companies already offering CMMC-certified services, large vendors handling contracts with controlled unclassified information are well on their way.

Integrators and external service providers such as CDW Government are actively developing advisory solutions and secure enclave offerings in preparation for the rollout of CMMC 2.0 assessments. These services are being designed to align with both CMMC Level 2 and the National Institute of Standards and Technology Special Publication 800-171 requirements, enabling defense contractors and agencies to prepare for eventual third-party assessments.

Click the banner below to see how identity and access management can improve the user experience.

C3PAOs and Major Vendors Are Already in CMMC’s Assessment Phase

Although CMMC assessments have only recently begun, some external service providers (ESPs) have already undergone third-party assessments, and many others are actively preparing. As CMMC third-party assessor organizations (C3PAOs) ramp up their capacity, organizations across the defense industrial base (DIB) are aligning their environments and security practices to meet CMMC Level 2 requirements.

Some agencies have already begun requiring contractors to be Level 2-certified or at least have their assessments scheduled.

In certain cases, C3PAOs themselves still need to be assessed before they can assess other companies.

CONSIDER: Agencies must reduce barriers to adopting cloud innovations.

Don’t Assume Your Business Will Be Afforded CMMC Relief

CMMC 2.0 deadline extensions aren’t expected currently because of the phased approach to its implementation, designed to address small business concerns and avoid major disruptions.

Some contractors conducted self-assessments early to identify and address compliance gaps, and many small and midsize DIB companies are turning to ESPs such as CDW for offerings that are aligned with CMMC standards.

Companies looking to be competitive immediately should be conducting self-assessments against NIST 800-171 now and, if necessary, seeking high-demand advisory services concerning setting up an enclave, buying Azure Government or CMMC as a whole. Identify contracts that require protection as controlled unclassified information; identify where CUI may be processed, stored or transmitted; and create asset lists and associated network diagrams.

Secure enclaves are emerging as a key strategy in this effort. These purpose-built environments enable defense contractors to process CUI within a compliant boundary, simplifying the path to certification.

UP NEXT: Cloud vendors must consider FedRAMP’s identity and authentication controls.

By consolidating required security controls, supporting assessment readiness and establishing clear data protection zones, enclaves can reduce both the complexity and cost of compliance. As CMMC adoption accelerates, these secure environments are becoming critical infrastructure for meeting evolving federal cybersecurity obligations.

Map out security controls inherited from ESPs used for cloud or compliance and verify that they can provide documentation proving they meet CMMC requirements.

Finally, budget for CMMC assessments and cyber investments because they will impact your organization’s operational costs. Smaller businesses, particularly those that handle CUI, that think they might be subject to CMMC requirements should not assume relief is coming if they can’t meet the deadlines.

This article is part of FedTech’s CapITal blog series.