Content provided by The Oakmont Group and John Gilroy. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by The Oakmont Group and John Gilroy or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://podcastplayer.com/legal.
Ep. 258 Why CMMC Compliance is now Non-Negotiable for Tech Leaders

29:17
Everybody knows the world of technology is changing on a massive scale; in the federal community, there is a similar seismic change, but it has to do with policy, not graphics chips.

In 2020, the Department of Defense released the first version of the Cybersecurity Maturity Model Certification (CMMC), aiming to ensure that its suppliers maintain a reasonable baseline of cyber protection.

In subsequent years, CMMC became a “nice to have” rather than a mandate. COVID-19 drastically increased the number of remote users, federal technology was moving to the edge, and malicious actors continued to expand their attacks unremittingly. As a result of this “Perfect Storm,” regulators at the DoD have gotten serious about CMMC compliance.

In today’s interview, we sat down with two CMMC experts and discussed some of the challenges associated with completing the CMMC requirements.

Fortreum’s Ben Scudera mentions that as many as 300,000 companies may be looking at CMMC compliance. While individual companies can read the requirements, there can be misunderstandings.

For example, when a company tries to define what counts as Controlled Unclassified Information (CUI) in its environment, it may cast too wide a net or too narrow a net. If that company is then audited, CUI scoping itself can become a holdup for certification.

Early versions of CMMC allowed companies to review their own capabilities and self-report the results. Today's CMMC transition is from self-attestation to external audits. These audits are challenging: according to the guests, only about 70 C3PAOs (CMMC Third-Party Assessment Organizations) are available to support roughly 80,000 companies that require Level 2 certification.

The process is complex, requiring detailed data scoping and significant preparation time.

Companies must strike a balance between the costs and benefits of compliance, particularly for small businesses. The conversation also touches on the broader implications of CMMC for supply chain security and the potential for CMMC to evolve beyond federal contractin
