CMMC: The Costs of Compliance in the New Cybersecurity Era
By Olivia Ernst
Understanding CMMC
The United States Department of Defense (DoD) established the Cybersecurity Maturity Model Certification (CMMC) Program on December 16, 2024, to protect sensitive unclassified information, such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), that is shared with contractors and subcontractors. The program consists of cybersecurity requirements that companies must meet to do business with DoD, with verification assessments required as a condition of contract award.
CMMC provides assessments at three levels: Basic Safeguarding of FCI, Broad Protection of CUI, and Higher-Level Protection of CUI Against Advanced Persistent Threats. Depending on the level and data handled, companies may perform self-assessments or be evaluated through a Certified Third-Party Assessment Organization (C3PAO) or the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
The department will implement CMMC through four phases between 2025 and 2028. Phase 1 begins on November 10, 2025, when DoD solicitations will require Level 1 or 2 assessments where applicable. Remaining phases will roll out annually, aiming to require all CMMC levels for all solicitations and contracts by 2028.
Compliance Challenges
DoD prime contractors and subcontractors face significant cost challenges in achieving CMMC compliance. Recent CMMC changes, such as reduced certification levels and self-assessments for lower-risk data, have eased the financial burden, yet many contractors, particularly smaller ones, still struggle to afford IT infrastructure upgrades and compliance services. A 2024 letter from the US Small Business Administration’s Office of Advocacy flagged unclear timelines and assessment logistics as key strains on small businesses. According to a May 2025 CyberSheath survey of 300 US contractors, 62% reported that tool and solution costs affected their ability to achieve compliance. The survey also revealed widespread unpreparedness for Phase 1. While more than half claimed they were over 80% ready, actual readiness proved far lower. For example, 69% reported compliance with DoD NIST 800-171, the foundation for CMMC, yet only 30% passed DoD medium/high assessments, indicating contractor overconfidence and suggesting that true preparedness was even weaker than reported.
Foreign firms face added hurdles beyond those confronting US contractors. CMMC requirements apply equally to international entities, even those already compliant with domestic cybersecurity standards, and they too must undergo C3PAO assessments depending on the level and data handled. While international companies can train as C3PAOs, the overall shortage of C3PAOs makes qualified assessors scarce abroad. Most reviews can proceed remotely, yet physical infrastructure inspections demand on-site visits, driving up costs and timelines for overseas firms when being assessed by a US-based C3PAO.
Strategic Implications
The increased costs associated with CMMC create additional barriers to entry and can adversely affect business growth, squeezing out small businesses and reducing overall competition among contractors. CMMC implementation may thus contribute to the existing trend of consolidation in the industry. Relying too heavily on a small handful of contractors can hinder innovation and increase the prevalence of overpriced and underperforming products and services. The implications of losing foreign contractors are similar. Though foreign contractors make up a small portion of US defense purchases (roughly 3.7% in 2022), they play a vital role in providing specialized services and products that are unavailable in the US. While CMMC is crucial for the US cybersecurity framework, mitigating the challenges it poses for small businesses will be important if the DoD is to maintain a competitive and innovative defense industrial base.