The Cybersecurity Maturity Model Certification program is officially off the ground.
CMMC is the Pentagon’s program to evaluate whether defense contractors are following requirements for protecting controlled unclassified information. The cybersecurity requirements, based on National Institute of Standards and Technology controls, have been in Defense Department contracts since 2016.
It took years for CMMC to become a reality. But the final rule to implement CMMC into contractual requirements took effect Nov. 10. The rule establishing CMMC as a program had already gone into effect last year.
DoD has a phased implementation plan for the program. During Phase 1, over the next year, the department will largely require CMMC self-assessments from contractors. But DoD programs have the discretion to require Level 2 CMMC third-party assessments over the next year as needed.
Tackling third-party CMMC assessments
During Phase 2, starting next November, those third-party assessments will become standard in applicable contracts.
Those third-party assessments are a key facet of the CMMC program and its goal to ensure defense contractors follow cybersecurity requirements.
The Cyber Accreditation Body is responsible for authorizing the CMMC third-party assessment organizations (C3PAOs) that will carry out those independent assessments. And Matthew Travis, CEO of The Cyber AB, said work is well underway to build out the scaffolding that will support the CMMC program.
“If there’s any remaining skepticism of whether or not the department was serious about this conformity regime, you can now just look at the Code of Federal Regulations and see both rules there,” Travis said during Federal News Network’s Risk & Compliance Exchange 2025. “Now, the real challenge is to scale the ecosystem.”
‘Impending bow wave’
So far, just under 500 defense contractors have voluntarily achieved a Level 2 CMMC certification, Travis shared.
But the Pentagon has estimated that the requirement for a Level 2 third-party assessment could apply to as many as 80,000 companies as CMMC is phased in.
“I am concerned about the impending bow wave that I think we’ll see in demand,” Travis said.
Some C3PAOs already have a backlog of assessments that stretch into next year.
“Now is the time to move if you’re ready,” Travis added. “People are going to start racing to the checkout line, and it’s going to be a wait. So move now if you’re ready, and if you’re not ready, get ready, because the sooner you do it, the sooner you’ll be able to get a slot.”
Among the voluntary Level 2 assessments that have occurred to date, Travis said “false starts” have been an issue for some organizations.
“We heard frequently from the C3PAOs that they had to call it off mutually once the organization seeking certification realized all the things that they hadn’t fully done,” Travis said. “And the C3PAO said, ‘We might want to pause here. Go back to work and call us when you’re ready.’ ”
Travis said the 110 requirements under Level 2 go beyond technical controls.
“It does require an organizational commitment,” he said. “There are physical security requirements, there are training requirements that human resources has to be involved in. There are leadership requirements in terms of resourcing.”
Another key lesson gleaned from early assessments is the need for companies to understand their external service providers. Travis said most organizations rely on cloud service providers or managed service providers for many IT and cybersecurity needs.
But whether they’re a CSP or an MSP — and to what extent they are involved in an organization’s handling of controlled unclassified information — are crucial questions in a CMMC assessment.
“Knowing who’s helping you and knowing your organization is fully committed are probably the two biggest takeaways that we’re hearing from industry,” Travis said.
CMMC’s ‘long pole in the tent’
The Cyber AB, through its no-cost contract with the Pentagon, is responsible for authorizing C3PAOs and certifying the people who conduct CMMC assessments.
Travis said there are just under 600 certified CMMC assessors today. Half of them are eligible to lead assessment teams.
But to meet the envisioned scale of the CMMC program — evaluating tens of thousands of defense contractors annually — Travis estimates there’s a need for between 2,000 and 3,000 assessors.
“That’s the most important part of the ecosystem that has to be grown. … That’s a long pole in the tent,” Travis said.
Initially, the challenge to building a pool of assessors was DoD’s drawn-out rulemaking process: There was no financial incentive to become an assessor with no CMMC requirements on the horizon.
But Travis said the challenge now is getting CMMC assessors through the process quickly enough as DoD phases in the requirements. The process of becoming an assessor involves training, exams and passing a Tier 3 DoD background investigation, which is equivalent to being investigated for a secret-level security clearance. Those investigations can often take months.
Travis said assessors don’t necessarily need to start with a technical background. He pitched it as a “great way for folks to get engaged in cybersecurity.”
“Whether it’s a full time job or a side hustle, these assessors are going to be in demand,” Travis said. “And so the compensation that goes with it, I think, is compelling. We are encouraging folks, if they haven’t considered entering into the CMMC program, think about becoming an assessor.”
© 2025 Federal News Network. All rights reserved.
