
CMMC - The DoD’s new Cybersecurity Standard

The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB), which includes over 300,000 companies in the supply chain. The CMMC is the DoD's response to significant compromises of sensitive defense information located on contractors' information systems.

The White House estimated in 2018 that malicious cyber activity cost the US economy between $57 billion and $109 billion in 2016. A RAND report now puts the annual cost at roughly $250 billion, a quarter of a trillion dollars every year, and Cybersecurity Ventures projects global cybercrime costs to reach $10.5 trillion annually by 2025. Existing standards in the defense industry have failed to secure the most sensitive data, causing national security risks and severe economic loss. The poster child for this failure is the Chinese J-31 aircraft, which is strikingly similar to the American F-35 Joint Strike Fighter. It was later found that a small Australian subcontractor on the F-35 project had suffered a severe cybersecurity breach, confirmed by the DoD. Reuters reported that about 30 gigabytes of data was stolen in the attack, including details of the F-35 Joint Strike Fighter. This incident exemplifies how even small subcontractors in large projects may hold information far beyond the direct scope of their work. Small and medium subcontractors, when breached by adversaries, have compromised major projects such as the F-35 and have led to significant economic losses and damage to national security. CrowdStrike's 2025 Global Threat Report showed a 150% increase in Chinese state-backed cyber espionage activity in 2024.


The defense sector faces sophisticated cyber attacks from the most advanced adversaries such as Advanced Persistent Threat (APT) groups who are typically working in association with nation-states to pursue multiple objectives. The goals of a cyber campaign against a defense contractor could include:

  • Theft of intellectual property to advance domestic aerospace and defense capabilities
  • Develop countermeasures to technologies exposed by the breach
  • Produce competing technologies for sale
  • Collect valuable intelligence with which to monitor, infiltrate and subvert other nations' defense systems and capabilities

In 2019 this risk was formally recognized and work began on the CMMC. The original model (CMMC 1.0) measured cybersecurity maturity on five levels, aligning a set of processes and practices with the type and sensitivity of the information to be protected and the associated range of threats. The model drew on maturity processes and cybersecurity best practices from multiple standards, frameworks and other references, as well as input from the broader community.

The final rule for the Cybersecurity Maturity Model Certification (CMMC) program was published by the Department of Defense (DoD) on October 15, 2024, and became effective on December 16, 2024. This rule (32 CFR Part 170) establishes the CMMC program and defines the requirements defense contractors must meet to demonstrate their cybersecurity maturity. CMMC is being phased in over three years, with the DoD planning to include CMMC requirements in select contracts starting in fiscal year 2025 and full implementation expected by 2028.

Key aspects of the CMMC final rule:

  • Effective date: December 16, 2024.
  • Phased implementation: the CMMC program is implemented in phases over three years, with initial requirements starting in FY25.
  • Three levels: CMMC has three levels (1, 2 and 3), each with a different set of security requirements.
  • Assessment and certification: the final rule defines the processes and procedures for assessing and certifying compliance with CMMC requirements.
  • Applicability to subcontractors: the final rule clarifies that CMMC requirements flow down to subcontractors.
  • Affirmation requirements: a senior-level contractor representative must affirm the contractor's compliance with CMMC.

The Cybersecurity Maturity Model Certification (CMMC)

The DoD implemented requirements for safeguarding Covered Defense Information (CDI) and reporting cyber incidents through DFARS clause 252.204-7012 in October 2016. Under that clause, contractors self-attest that the security requirements of NIST SP 800-171 are implemented on the systems that process, store or transmit CDI, so that its confidentiality is maintained. Experience showed, however, that self-attestation was not producing the required security posture and that higher standards were needed in the face of intensifying attacks on DoD contractors.

When fully operational, the CMMC will be mandatory for any firm doing business with the Department at any level.

As originally conceived, the intent of the CMMC was to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. CMMC certification is granted and validated by an independent CMMC Third-Party Assessment Organization (C3PAO), similar to the practice in the leading government cloud security standard, FedRAMP. In addition to cybersecurity controls, the CMMC measures the maturity of a company's institutionalization of cybersecurity practices and processes, across levels that range from "Basic Cybersecurity Hygiene" to "Advanced".


Transition to CMMC 2.0 (2021)

November 2021: In response to industry feedback and an internal review, the DoD announced CMMC 2.0, streamlining the model from five to three levels and aligning requirements more closely with existing federal standards.

CMMC 2.0 Levels

Level 1: Foundational - Provides basic cybersecurity hygiene for contractors handling Federal Contract Information (FCI).

Level 1 requires implementing the 15 basic safeguarding requirements of FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) and covers simple, non-sensitive DoD information (such as contact details, work schedules or public reports). It is verified by an annual self-assessment, with the result and a senior official's affirmation submitted to the Supplier Performance Risk System (SPRS).

Level 2: Advanced - Protects Controlled Unclassified Information (CUI), which is more sensitive than general FCI.

Level 2 requires implementing the 110 security requirements of NIST SP 800-171 Rev. 2 (Protecting CUI in Nonfederal Systems and Organizations), a mix of technical, administrative and physical measures. Depending on the contract, Level 2 is verified either by a self-assessment or by a certification assessment performed by a C3PAO; either result is valid for three years and must be affirmed annually.

Level 3: Expert - Provides the highest level of cybersecurity, protecting the most sensitive CUI and building resilience against Advanced Persistent Threats (APTs).

Level 3 requires the 110 requirements of NIST SP 800-171 plus 24 selected requirements from NIST SP 800-172 (Enhanced Security Requirements for Protecting CUI), which add advanced techniques such as penetration testing, threat hunting and protection against insider and supply chain threats. A Level 3 assessment is conducted by the Defense Contract Management Agency's DIBCAC and presupposes a current Level 2 certification assessment.

Final Rule and Phased Implementation (2024–2025)

October 15, 2024: The DoD released the final rule for the CMMC Program, codified in 32 CFR Part 170, which became effective on December 16, 2024.

Early to mid-2025: The DoD is expected to finalize the complementary rule under 48 CFR, integrating CMMC requirements into the Defense Federal Acquisition Regulation Supplement (DFARS).

The DoD has outlined a four-phase implementation plan, with each phase starting on the effective date of the 48 CFR (DFARS) rule or on an anniversary of it:

  • Phase 1: Begins when the DFARS rule takes effect (expected early to mid-2025). DoD includes CMMC Level 1 or Level 2 self-assessment requirements in applicable new solicitations, and may require Level 2 certification assessments at its discretion.
  • Phase 2: Starts 12 months after Phase 1. DoD requires CMMC Level 2 certification assessments (by a C3PAO) for applicable solicitations and contracts, and may require Level 3 certification at its discretion.
  • Phase 3: Commences one year after Phase 2. DoD extends Level 2 certification requirements to option exercises on earlier contracts and requires Level 3 certification assessments for applicable solicitations and contracts.
  • Phase 4: Begins one year after Phase 3. Full implementation: all CMMC program requirements apply to all applicable solicitations and contracts, including option periods on contracts awarded before Phase 4.

Importance of Cybersecurity in the Defense Sector is Only Growing

The vast and complex network of third party stakeholders in the defense sector supply chain is facing an increasing number of attacks from state-sponsored actors seeking to target less sophisticated, small third parties on the supply chain and use them as a vector to access large defense contractors.

Adversaries have regularly exploited supply chain vulnerabilities to launch sophisticated cyberattacks to gather sensitive data.  Threat actors may target defense technologies to create disruptions on the battlefield or to steal intellectual property giving them a competitive advantage by reducing costs and allowing them to produce and sell new products at lower prices.

CyLogic builds, operates and continuously monitors dedicated cloud platforms for enterprises that require the highest level of security and total control of their data. Our proprietary platform, CyCloud, is built to exceed the requirements of DFARS, NIST SP 800-171 and CMMC. CyLogic helps DoD contractors become CMMC ready, with a cloud platform and related professional services that were built specifically for DoD contractors' needs.

  •  https://www.rand.org/about.html
  •  https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/
  •  https://go.crowdstrike.com/rs/281-OBQ-266/images/CrowdStrikeGlobalThreatReport2025.pdf
  •  https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program
