Cybersecurity Certification on the Forefront for Government Contractors
October 17, 2024
For Your Action:
Starting in early 2025, all government contractors’ ability to win new bids could be at risk unless they have taken steps to meet anticipated requirements for Cybersecurity Maturity Model Certification (CMMC). The Department of Defense (DoD) is set to begin a phased implementation of CMMC requirements in DoD contracts, mandating self-assessments for the first six months, followed by the need for full certification of compliance at Level 2 by Third-Party Auditor Organizations (C3PAOs). CMMC is not another check-the-box audit – it is a fundamental shift in how the Defense Industrial Base (DIB) protects sensitive information. Failing to comply could have disastrous consequences, from lost business opportunities to financial penalties.
CMMC Background
Defense contractors, especially those handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), have become frequent targets of sophisticated cyberattacks in recent years, including by nation-state actors seeking to steal sensitive defense information. The goal of CMMC is to enhance the security of the DIB by establishing a unified cybersecurity standard for all DoD contractors. CMMC aims to ensure that contractors safeguard CUI and FCI by requiring the achievement of specific cybersecurity maturity levels, depending on the sensitivity of the information contractors handle.
CMMC 1.0 was published in September 2020, after which the DoD received public comments conveying concerns, such as calls to reduce costs for smaller contractors and to clarify requirements. The evolution from 1.0 to 2.0 reflects a streamlined approach to cybersecurity requirements. Key changes include the removal of maturity processes and an increased reliance on self-assessments for lower levels. In particular, the ability to self-assess for lower levels makes the model more flexible and less burdensome, especially for smaller contractors, while still ensuring robust security standards across the DIB. Even so, relying on self-attestation is not without risk — misrepresenting compliance can expose companies to False Claims Act (FCA) liabilities, with whistleblowers incentivized to report any non-compliance.
What to Expect from the CMMC Final Rule
The CMMC Final Rule is expected to be released in late 2024 or early 2025, and will solidify requirements for DoD contractors to achieve and maintain certification under CMMC 2.0. The rule will detail the certification process, including timelines, enforcement mechanisms, and requirements for third-party versus self-assessments, depending on the level of certification needed.
Companies requiring Level 1 certification can continue to self-assess against FAR 52.204-21 regulations (Basic Safeguarding of Covered Contractor Information Systems) but should still seek advice from experienced professionals to reduce the risk of being charged under the FCA. Under the FCA, whistleblowers can be compensated up to 30% of funds that are recovered due to fraud.
Companies requiring Level 2 will likely need certification from a C3PAO; however, some companies may still be permitted to self-attest, depending on the type of CUI they handle.
Consequences for DoD Contractors
The consequences of not preparing for CMMC compliance are severe. If your organization cannot provide proof of certification by the time a contract is awarded, it will be ineligible to accept the contract. Costs for compliance can be factored into future bids, but the challenge will be achieving compliance in time. Advisors and assessors are likely to be in high demand, and organizations that delay will face resource shortages.
The time it takes to earn CMMC certification varies significantly, depending on the company’s current maturity level and desired CMMC level.
- Level 1: Can be achieved in one to two months, but usually takes several months
- Level 2: Typically takes six to 12 months to complete
Based on these timelines, the best time to start was yesterday. The second-best time to start is today.
Steps Contractors Should Take Now
- Assess: Know where you stand and what needs to be done to achieve compliance. Engage a team of CMMC Registered Practitioners (RPs) and Certified CMMC Professionals (CCPs) listed on the Cyber-AB Marketplace who can conduct a gap analysis to assess your current practices against the CMMC level you require.
- Document and Train: Formalize cybersecurity policies and procedures to align with CMMC now. Create or revise incident response plans, access controls, and data protection measures commensurate with your required certification level. Verify all employees are familiar with threats to your operations as well as the procedures associated with securing FCI and CUI.
- Build: Invest in cybersecurity upgrades. Whether it is encryption, firewalls or monitoring systems, ensure that the tools you implement meet the requirements of the CMMC level you’re pursuing.
- Engage: For higher levels of CMMC, engage a C3PAO in the process soon. This will help ensure that your organization meets the necessary standards before the official assessment, reducing the risk of delays or even failures.
- Maintain: CMMC is not a one-time event. Continuous improvement, regular monitoring, and staying informed about regulatory updates are essential. Building a culture of cybersecurity excellence will help your organization remain compliant as standards evolve.
Aprio’s Compliance-as-a-Service (CaaS) program leverages a purpose-built platform combined with decades of experience to streamline and manage your Governance, Risk, and Compliance (GRC) program. We help you design and implement a tailored compliance framework that scales with your business, reducing the complexity of regulatory requirements. With continuous monitoring, automated evidence collection, and skilled guidance, we ensure you’re always prepared for external audits. We handle the complexities of maintaining compliance and providing assurance to your stakeholders. Schedule a consultation today and achieve what’s next at Aprio.com.
Aprio is the brand name under which Aprio, LLP, and Aprio Advisory Group, LLC, deliver professional services. Since 1952, clients throughout the U.S. and across more than 50 countries have trusted Aprio for guidance on how to achieve what’s next. As a premier business advisory and accounting firm, Aprio Advisory Group, LLC, delivers advisory, tax, managed and private client services to build value, drive growth, manage risk and protect wealth, and Aprio, LLP, provides audit and attest services. With proven experience and genuine care, Aprio serves individuals, entrepreneurs, and businesses, from promising startups to market leaders alike. Aprio has grown to 2,000+ team members providing solutions to clients in industries including manufacturing and distribution, non-profit and education, professional services, real estate, construction, restaurant, franchise and hospitality, government contracting and technology and blockchain.
About the Author
Scott Ritchie
As the Director of Aprio’s Compliance-as-a-Service Practice, Scott applies his experience, technical acumen, and insight to helping the CISOs of technology companies establish and maintain robust, efficient, and effective security and privacy programs that guarantee compliance with various security requirements. In addition to helping build, rebuild, and maintain security programs, Scott provides his clients with outstanding audit, governance, compliance, and risk management services.