Although the U.S. Federal Government outsources much of its work to thousands of private contractors, there is at least one thing officials know how to produce in abundance without any outside help: acronyms. Just summarizing the Cybersecurity Maturity Model Certification (CMMC) program requires enough of them to fill a bowl of alphabet soup.

The CMMC is a U.S. Department of Defense (DoD) program designed to ensure that Defense Industrial Base (DIB) companies whose work involves handling Controlled Unclassified Information (CUI) can actually safeguard that data according to the security requirements published by the National Institute of Standards and Technology (NIST), principally NIST Special Publication 800-171.

While the program’s goals are laudable (ensuring that private-sector contractors can protect sensitive government data), in practice the CMMC has made it harder, not easier, for DIB companies to demonstrate that they meet the government’s cybersecurity standards. And, with the DoD having sent its CMMC Final Rule for regulatory review in July 2023, and with certification set to become a condition of winning defense contracts, any would-be contractor needs to understand the program’s nuances and challenges.

As the industry pointed out almost immediately after the DoD unveiled the first version of CMMC in 2020, the program asked contractors to clear a very high bar to achieve certification. Many defense contractors said it required too sweeping an overhaul of their digital infrastructure and processes, and that certification would simply cost too much.

Even more frustrating for these businesses was that, under CMMC 1.0, every level of certification required verification by an accredited third-party assessment organization. Contractors pointed out that there were simply not enough accredited assessors to go around, and that the ones available charged prohibitive fees.

CMMC 2.0 creates new problems

To its credit, the DoD listened to the industry’s concerns and used that input to develop CMMC 2.0, another laudable attempt to improve the security posture of the DIB. Unfortunately, the newer version of the program introduces new challenges, both for contractors and for the long-term security of the government’s sensitive data.

One of the biggest changes is that, under CMMC 2.0, contractors can perform self-assessments at the lower levels: Level 1 entirely, and Level 2 for contracts the DoD does not designate as requiring a third-party assessment. The goal was to make the process quicker, more efficient, and less costly. But many contractors, particularly smaller businesses and those in nontechnical fields, are uneasy about self-certifying because they are not confident that their assessments, which a senior company official must affirm, would withstand a future government audit.

The CMMC guidelines also do not make clear in advance which of the three levels a contractor must reach to qualify for a given contract. The general mapping is known (Level 1 for federal contract information, Level 2 for CUI, Level 3 for the most sensitive programs), but the level actually required is set contract by contract in the solicitation, so a contractor planning its investment cannot be sure which target it is building toward.

And for the DoD itself, there are real risks in the more lenient CMMC 2.0. If contractors with no in-house security expertise are self-certifying their own infrastructure, the long-term result could be DoD data that is less well protected than the program assumes.

With adversarial governments and non-state actors probing U.S. networks and systems every day, and with DoD contractors’ data a particularly attractive target, now is clearly not the time to make CMMC certification more lenient or more confusing.

A suggestion for DIB contractors

If you run a DIB company today, or a business hoping to win DoD contracts in the future, you need to know that these contracts will soon list CMMC certification as a prerequisite for bidding. With the DoD having sent its CMMC Final Rule to the Office of Management and Budget (OMB) for review in late July 2023, expect CMMC compliance to start affecting your chances of winning defense work sooner rather than later.

So what is the quickest and least disruptive route to certification, other than simply self-certifying and hoping your defense contract is not later terminated when an audit finds that your firm falls short of compliance?

The best practice here is to partner with a managed security service provider (MSSP); yes, the private sector produces its share of acronyms too. Unlike a pure consulting firm, an MSSP implements, operates, and monitors security controls on your behalf, which matters because a CMMC assessment checks whether controls are actually in place and working, not merely documented. One caveat to keep in mind: any MSSP systems and staff that store, process, or transmit your CUI fall within the scope of your assessment, so the provider’s own controls must meet the same requirements you are being assessed against.

The best of these MSSPs will also have accredited third-party assessors (C3PAOs) review their own work, to confirm that the systems they set up for their clients, in this case a defense contractor aiming for CMMC certification, do in fact meet the program’s requirements.

Bottom line

Navigating the process of achieving CMMC certification has cost many defense contractors more money and diverted more resources than they would have liked, and in many cases they remain unsure whether their certification would hold up to a government review. Learn from their experience and let a qualified MSSP carry the technical work of certification for you. Keep in mind, though, that the MSSP cannot carry the accountability: the senior official who affirms compliance, and the contractor that holds the contract, remain answerable to the DoD.