Suppliers within the defense industrial base, including contractors and subcontractors, must now undergo assessments to prove that they can sufficiently perform the cybersecurity capabilities specified in the Cybersecurity Maturity Model Certification (CMMC) from the Department of Defense (DoD) when pursuing certain types of business. Many suppliers are concerned about the changes in their businesses and operational practices that could occur as a result of these new requirements. Specifically, small and midsize suppliers worry that the CMMC requirements are too burdensome on their budgets and personnel, and one of the most consistent issues for suppliers is confusion about what and how much needs to be done to attain certification.

CMMC requires that suppliers meet the security maturity level requirement for the projects they wish to bid on. 

Pondurance believes suppliers should evaluate their own readiness and ability to pass an assessment by working with a registered provider organization (RPO) to identify any gaps and make adjustments before the organization undergoes its final audit. They must then pass an assessment conducted by an authorized third-party assessment organization (C3PAO) to achieve certification, a process they will need to undergo every three years.

While the process for certification can be difficult, it can be made more manageable for suppliers when they know what to expect. There are many challenges that suppliers face as they prepare for CMMC, including mapping the government information on their networks, understanding the controls required, knowing how to perform the testing needed, and figuring out the workloads and costs involved.

Fully Mapping the CUI

The DoD implemented CMMC to protect sensitive government information or data, known as controlled unclassified information (CUI), throughout the supply chain. Contractors and subcontractors alike must understand what CUI is and all of its relevant forms.

CMMC requires that suppliers track and understand where the CUI resides on their networks. Suppliers must gain a complete understanding of what CUI they have and which systems it touches to ensure proper scope, without blindly adding CMMC controls where they are not needed. Also, suppliers need to map life cycle data flows to ensure accuracy and completeness.

Understanding the Controls

CMMC can require satisfying hundreds of security practices for compliance, depending on which maturity level is desired. As maturity levels increase, the number of security practices increases, so a supplier must prove performance over a larger set of controls. Maturity level 1 requires 17 security practices, level 2 requires 72 security practices, and level 3 requires 130 security practices. Suppliers should take the time to understand the full scope of the practices and ensure they are able to produce acceptable evidence and artifacts to prove that they have met each of them.

Deploying, Testing, Remediating, and Validating

There is no participation award for the CMMC. A supplier either meets the requirements for certification or it doesn’t. Preparation and readiness are key to ensuring that a supplier is ready for a final assessment. A supplier may assess its own readiness for the assessment, but many suppliers will choose to work with an RPO for advice, consultation, and recommendations to help them identify and close gaps. RPOs are U.S.-owned companies that have passed a background investigation, committed to a code of professional conduct, signed an agreement with the CMMC Accreditation Body, and have at least one authorized registered practitioner on staff at all times.

Understanding the Workload and Costs

While working through the CMMC requirements, suppliers should be prepared for additional workloads and costs. The new requirements can drive additional needs for new tools, skills, and resources for tasks that have not previously been performed. The costs can involve operational costs, such as tools, personnel, and time to perform the controls in a compliant manner, and administrative costs, such as managing the assessment, working with the C3PAO, managing internal compliance, and understanding the controls, policies, and procedures.


Yes, the process for CMMC can be difficult, but knowing what to expect can minimize the worries and confusion. Suppliers should face the challenges head-on to experience the reward of certification following the first assessment with a C3PAO. 

Learn more about CMMC in our panel discussion Successfully Navigating Through CMMC: What You Need To Know.

Tim Burke

Principal Product Manager | Pondurance

Tim Burke, Principal Product Manager at Pondurance, has 20-plus years of experience in hosted managed IT services, cloud services, and cybersecurity services. He has a proven record for bringing new services to market and continually improving and expanding existing services and solutions. Tim has experience in driving the full range of product life cycle management activities.