Cybersecurity Maturity Model Certification (CMMC) 2.0 for defense contractors

Comply or risk being left out of €300 billion in defense contracts

Vendors that can show robust controls will thrive in the transition to a more secure defense supply chain. The new Department of Defense (DoD) framework requires self-assessment, third-party or government-led certification of the cyber practices of vendors and their supply chains as a condition of winning or renewing contracts. It applies to every supplier on a DoD contract, including non-US suppliers in NATO countries such as Belgium.

What’s new and what’s at stake?

Enhanced security standards for defense contractors, including many in the aerospace and defense (A&D) industry, have been rolling out since 2020. The Department of Defense's Cybersecurity Maturity Model Certification (CMMC) 2.0 subjects contractors to a certification process designed to bolster security and give the DoD visibility into its supply chain. A company's cyber practices and controls receive a Level 1 to 3 rating, which determines its eligibility to bid on certain contracts. CMMC 2.0, announced in November 2021, replaces CMMC 1.0, which in turn replaced the self-attestation model of DFARS clause 252.204-7012, under which contractors simply declared their own compliance with NIST SP 800-171. CMMC 2.0 is designed to improve protection of controlled unclassified information (CUI) and covered defense information (CDI) within the supply chain. By some estimates, more than 70% of DoD data resides on contractor networks.

The requirement stems in part from ever-increasing cyber threats and intrusions targeting the Defense Industrial Base (DIB) and its supply chain. According to a 2019 Navy internal review, hackers had stolen so much classified information and intellectual property from the DIB that they eroded US economic and military advantages. Nation-state adversaries have compromised A&D companies and R&D programmes for new weapons systems: operational plans have turned up in adversaries' hands, and systems have been copied and breached. The economic impact could grow further as 5G rolls out more widely, since the technology's much faster upload and download speeds also benefit data exfiltration. State actors are the biggest threat to 5G security, according to an October 2019 report by the European Commission and national cybersecurity experts.

Are all DoD and NATO contractors affected by CMMC?

Every company in the DoD supply chain, not just the large primes of the traditional defense industrial base, will be required to hold the appropriate CMMC level to contract with the DoD. That could affect as many as 300,000 contractors, large and small, primes and subcontractors.

In FY18, the DoD awarded nearly €300 billion in contracts for products (e.g. military or civilian aircraft, ships, vehicles, weaponry and electronic systems) and services (logistics, technical support and training, communications support and engineering support). During the same period, the DoD's share of total US government contract spending was 65.9%.

Defense contracts that involve CUI or CDI will carry a CMMC requirement. Officials began adding certification requirements to requests for information (RFIs) in mid-2020, and since autumn 2020 some DoD requests for proposal (RFPs) explicitly state the CMMC level required for a particular contract, making it a go/no-go criterion for an organisation's eligibility to win the contract.

Renewal of an existing contract will depend on the contractor holding the CMMC 2.0 level the contracting authority specifies for it.

How does the certification work?

Depending on the level required, a contractor demonstrates compliance by conducting a self-assessment, passing an assessment by an accredited third party, or passing a government-led assessment that verifies the appropriate cybersecurity controls are implemented. Under CMMC 2.0, Level 1 and a subset of Level 2 contracts rely on annual self-assessment, the remaining Level 2 contracts require a third-party assessment every three years, and Level 3 requires a government-led assessment.

CMMC 2.0 has three levels, Level 1 (Foundational), Level 2 (Advanced) and Level 3 (Expert), used to judge whether a contractor's cybersecurity posture is adequate for the sensitivity of the unclassified information it handles; classified information is governed separately. Level 1 covers a small set of basic safeguarding practices drawn from FAR 52.204-21; Level 2 aligns with the 110 security requirements of NIST SP 800-171; Level 3 adds a subset of the enhanced requirements of NIST SP 800-172. The levels are cumulative: to be certified at a given level, all practices at that level and below must be met, so a Level 3 contractor must also satisfy everything in Levels 1 and 2.

Contracts will require varying levels of CMMC certification: projects with greater exposure or more sensitive information require a higher level. A vendor's eligibility to compete is determined by the level it has achieved, contract by contract. Separately, many civilian agencies may decline to award a contract to a bidder whose contractual relationships expose it to geopolitical risk, most often from nation-state adversaries. The DoD has not set out penalties for non-compliance with the CMMC process beyond the most immediate one: ineligibility to bid on future contracts or to renew existing ones.

Source: Cybersecurity Maturity Model Certification (CMMC), v. 2, November 2021

How prepared are DoD contractors for the new process?

PwC expects that companies will have much work to do to bring their cybersecurity controls up to the new standard.

Only 1% of Defense Industrial Base companies have implemented all 110 NIST SP 800-171 controls, according to the DoD's Katie Arrington. Those controls are the foundation of CMMC 2.0 Level 2.

More than a quarter of the defense professionals surveyed by the National Defense Industrial Association (NDIA) work for organisations that have suffered cyber attacks, and companies in the sector have little confidence that they could recover from such an attack within 24 hours. Only about 30 percent of defense organisations fully understand the cost of recovering from a cyber attack, and nearly half of prime contractors are unable to confirm the system security plans of their subcontractors.

Small companies pose the biggest cyber risks, said Assistant Defense Secretary for Acquisition Kevin Fahey to reporters at the Pentagon. "The problem is that our adversaries don’t try to come in through the big companies, they come in through the fifth, sixth tier,” he said. “Most of our problems, that’s where they’re coming in.”

DoD contractors should view the process as a way to move beyond ad hoc, inconsistent cybersecurity practices. The Pentagon sees the model as the first stage of a broader, more complex effort to understand the defense supply chain.

What should contractors do now?

As a non-certifying body, PwC helps contractors decide where to invest based on cost-benefit analysis. We take a risk-based approach to incremental control deployment and/or system architecture changes, presenting a range of cost-risk options (low cost / high risk, medium cost / medium risk, high cost / low risk).

PwC applies a five-phase approach for efficient compliance:

1. Start with a current state assessment

Many organisations lack the resources for a comprehensive assessment. Others may be tempted simply to reuse prior DFARS self-assessments or existing NIST SP 800-171 compliance materials, or to skip the current state assessment altogether. But CMMC 2.0 puts structure and an accreditation body in place, and the current state assessment yields roughly 90% of the documentation and detail required in the System Security Plan (SSP) and Plan of Action and Milestones (POA&M).

An accurate and complete current state assessment is the foundation for full compliance. Inventory the technology and applications that process, create or store CUI; identify your organisation's target CMMC 2.0 level; and work through the NIST SP 800-171 and CMMC 2.0 requirements with the right people in the organisation. Companies that have already invested in NIST SP 800-171 controls can often carry that work over directly, since Level 2 is built on the same requirements. A company that has already been through a DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) assessment can expect credit for it; how far reciprocity will extend to other frameworks such as ISO 27001 is still being defined.

2. Address control gaps

Review your controls documentation and processes for safeguarding CUI, and identify and address the control gaps the assessment has surfaced against the CMMC 2.0 requirements. Gaps range from missing skill sets to an overlooked policy or procedure to the lack of a mature identity and access management solution. Organisations aiming for CMMC 2.0 Level 3 will typically face more advanced gaps.

3. Plan for remediation and compliance

Develop a plan to remediate deficient controls, reach the CMMC 2.0 level your organisation is targeting and obtain certification. Remediation can take anywhere from a few weeks for smaller gaps to a few years for larger technology implementations. Reaching Level 1 may take a few weeks; higher levels take months or longer given the additional requirements. The effort depends on the organisation, the contract, the environment, the nature of the gaps and which levels you are moving between. An open gap does not automatically mean failure: under CMMC 2.0 a limited number of findings can be carried on a time-limited POA&M (the DoD has indicated 180 days), provided the minimum assessment score is met and the open items are not the highest-weighted practices. Agreeing the remediation plan with your prime contractor and the DoD contracting officer up the supply chain is still prudent, but it does not substitute for closing the gaps before the POA&M deadline.

4. Identify key stakeholders across the organisation

Attackers move laterally across functions, departments and systems, and risk breeds in the gaps, silos and hand-offs between them. Compliance therefore needs champions across the organisation. Who from technical, business, compliance and executive leadership should be involved in planning, remediation and certification? Who owns ongoing CMMC 2.0 compliance and the decisions it requires?

5. Build continuous compliance capability

Hold regular status meetings and checkpoints with remediation owners to track progress and flag risks before they affect the organisation's overall CMMC 2.0 compliance. Organisations that have executed the previous steps will reach this point naturally: it follows from the POA&M and is standard project management practice. A further benefit is that clear status updates can be shared with contracting officers. Then set the stage for continuous improvement: integrate the compliance process into existing Internal Audit, IT Compliance or equivalent internal groups, and implement automation and technical monitoring where possible to ease the burden and keep the organisation aware of its security risks.

CMMC Schedule

[Calendar graphic of the CMMC rollout schedule not reproduced here.]

Contact us

Connect with PwC Belgium