
Despite an increasing cyber threat landscape, many small to mid-sized businesses (SMBs) in the Department of Defense (DoD) supply chain remain unprepared for compliance with NIST SP 800-171 R2 and CMMC 2.0. The Cybersecurity Maturity Model Certification (CMMC) 2.0 aims to improve cybersecurity across the defense industrial base (DIB), but many SMBs struggle to meet the standards, putting them at risk of losing crucial contracts. Surveys suggest that nearly 70% of SMBs are unready for the new requirements, and the real figure could be even higher because some businesses overstate their compliance by inflating their assessment scores.
This is the final installment of the Cybersecurity Column penned by Joe Coleman of Bluestreak Compliance (August 6, 1968 — April 1, 2025). Joe was as kind as he was committed to helping manufacturers understand and meet cybersecurity compliance standards. This column series was born from his genuine desire to walk alongside others as they navigated the complexities of regulation and risk. We honor his memory and are grateful for the time, insight, and encouragement he shared with our readers.
Understanding CMMC 2.0
CMMC 2.0 simplifies the original five-tier framework into three levels:
- Level 1: Basic cyber hygiene for contractors handling Federal Contract Information (FCI)
- Level 2: Advanced practices for those working with Controlled Unclassified Information (CUI)
- Level 3: Stringent requirements for contractors involved in national security projects
Compliance is mandatory for any contractor bidding on DoD contracts, including those working indirectly for federal contractors and subcontractors. SMBs should expect clients to ask about their compliance, since these standards will soon affect their business relationships. Achieving compliance is a lengthy process, typically taking twelve to eighteen months.
Low Readiness and Risks
The lack of readiness among SMBs threatens both business continuity and national security. Many smaller contractors lack the resources and expertise to meet CMMC 2.0’s standards. Given the defense sector’s reliance on a wide variety of contractors, this gap could create widespread repercussions.
Financial Implications of Non-Compliance
Compliance with CMMC 2.0 can be financially burdensome. Implementing measures such as multi-factor authentication, encryption, and continuous monitoring can be costly, especially for businesses with limited resources. The lack of in-house cybersecurity expertise compounds this issue, requiring companies to hire or train specialized personnel, further increasing costs.
Failing to comply with CMMC 2.0 could result in losing valuable DoD contracts, which can be a significant portion of SMB revenue. Such losses could lead to layoffs, revenue declines, or even business closures.
Challenges to Compliance
Several challenges contribute to the widespread unpreparedness among SMBs:
- Complexity of requirements: While CMMC 2.0 simplifies the original framework, its specific requirements remain difficult to interpret for many SMBs, particularly in identifying necessary security measures.
- Resource limitations: The cost of achieving and maintaining compliance strains smaller businesses, which often lack the budgets for the required technology and expertise.
- Lack of cybersecurity expertise: A shortage of qualified personnel poses a significant obstacle, as demand for cybersecurity professionals is high across industries.
- Unclear timelines: Uncertainty surrounding DoD’s compliance timelines complicates planning and prioritization for SMBs.
Government Support Initiatives
To help SMBs, the DoD has introduced various programs, including training, grants, and educational resources. A phased implementation timeline also provides additional preparation time. However, industry experts suggest that further support, such as tax credits or subsidies, could help SMBs offset the costs of compliance. Clearer guidance from the DoD would also be beneficial in helping businesses navigate the certification process.
Path Forward for SMBs
To secure future contracts, SMBs must prioritize cybersecurity. This involves conducting internal risk assessments, identifying vulnerabilities, and creating compliance plans. Partnering with cybersecurity experts or managed service providers can help SMBs develop cost-effective strategies. Additionally, leveraging government resources and adopting critical security measures early will better position SMBs for CMMC 2.0 certification.

Conclusion
The widespread lack of preparedness for CMMC 2.0 poses significant risks to both SMBs and the defense supply chain. As deadlines approach, proactive measures from both businesses and the government are necessary to close the readiness gap and ensure the continued participation of SMBs in the defense sector.
About the Author:
Joe Coleman was the cybersecurity officer at Bluestreak Compliance, which is a division of Bluestreak | Bright AM™. Joe worked for over 35 years in diverse manufacturing and engineering positions. His background included extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Joe presented at the Furnaces North America (FNA 2024) convention on DFARS, NIST 800-171, and CMMC 2.0.