CMMC: How Department of Defense contractors can comply with evolving cybersecurity requirements

Nov. 18, 2025

This piece is sponsored by Eide Bailly LLP.

A version of this article originally appeared on eidebailly.com.

The Cybersecurity Maturity Model Certification program provides a structured approach to assessing whether defense contractors meet the Department of Defense security standards for safeguarding sensitive information.

As of September, CMMC compliance is no longer optional. It directly determines contractors’ ability to win or retain DoD contracts.

The DoD will implement the program in phases over the next three years:

  • Phase 1, Nov. 10: Solicitations will require CMMC Level 1 or Level 2 self-assessments. DoD also may require, at its discretion, third-party CMMC Level 2 assessments in this phase.
  • Phase 2, November 2026: Applicable solicitations will require third-party CMMC Level 2 assessments.
  • Phase 3, November 2027: Applicable solicitations will require CMMC Level 3 assessments performed by the Defense Industrial Base Cybersecurity Assessment Center.
  • Full implementation, Nov. 10, 2028: All DoD contracts and solicitations will include the required CMMC level as a condition of award.

Understanding the CMMC framework

CMMC is an information security maturity model designed specifically for DoD third-party contractors, building upon existing regulations like DFARS and NIST 800-171. The goal is to ensure comprehensive security across the DoD supply chain.

Any contractor engaged with or seeking a contract with the DoD must obtain a CMMC. This applies to all tiers of the supply chain, including small businesses, commercial item contractors and foreign suppliers.

Under CMMC, companies handling Federal Contract Information, FCI, or Controlled Unclassified Information, CUI, must achieve one of the three CMMC levels, as detailed in their contracts, to qualify for defense-related projects.

Two types of data are addressed within CMMC:

  • FCI: Nonpublic information provided by or created for the government under a contract for developing or delivering a product or service.
  • CUI: Data requiring protection or restricted dissemination according to federal laws, regulations and government-wide policies.

CMMC does not alter existing cybersecurity requirements for protecting FCI and CUI but rather strengthens the enforcement of existing security standards.

Steps to prepare for CMMC compliance

Preparing for CMMC compliance involves several key steps:

1. Conduct discovery activities

Begin by assessing your current cybersecurity posture:

  • Locate all assets: Inventory your organization’s hardware, software and data.
  • Map data flows: Trace how FCI and CUI move through your systems.
  • Understand existing controls: Review current security controls and practices to identify strengths and weaknesses.

2. Determine CMMC scope

Define the scope of your CMMC efforts:

  • Identify covered assets: Determine which parts of your organization handle FCI and CUI.
  • Segment systems: Isolate critical areas from other parts of your network to minimize compliance scope.
  • Document boundaries: Clearly outline the scope of your CMMC efforts to ensure all relevant components are included.

3. Perform gap assessment

Execute a thorough gap assessment to compare your current cybersecurity practices with CMMC requirements:

  • Review maturity levels: Identify the CMMC level required based on your contract requirements.
  • Assess existing controls: Evaluate your current controls against the CMMC practices for your target maturity level.
  • Identify gaps: Highlight where your current practices do not meet the required standards.

4. Develop road map and action plan

Create a comprehensive action plan to address identified gaps:

  • Prioritize tasks: Determine the order in which gaps should be addressed based on risk and resource availability.
  • Set milestones: Establish KPIs to monitor progress.
  • Allocate resources: Assign the necessary resources, including personnel, budget and time to ensure successful implementation.

5. Remediate identified gaps

Begin remediation efforts to close the identified gaps and enhance your cybersecurity posture:

  • Implement security controls: Deploy necessary controls and technologies to meet CMMC requirements.
  • Update policies and procedures: Revise or create policies and procedures to align with CMMC standards.
  • Conduct training: Provide education to ensure staff members understand and can effectively implement new security measures.
  • Perform continuous monitoring: Establish ongoing monitoring and assessment to maintain compliance and address new vulnerabilities.

Although anyone can conduct a gap assessment, the expertise of your reviewer can affect your success in a CMMC audit. To ensure a thorough evaluation, consider working with a Registered Practitioner Advanced. RPAs, designated by the CMMC Accreditation Body, have a demonstrated understanding of CMMC standards and are recommended to guide contractors through the preparation process.

As a certified third-party assessor organization, Eide Bailly is authorized to perform CMMC Level 2 assessments. Our team can help you prepare, validate compliance and position your organization for continued eligibility in the defense supply chain.

Next steps toward CMMC compliance

Phased implementation of CMMC requirements has begun. Taking proactive steps now is essential for organizations seeking to work with the DoD and handle sensitive information securely. By understanding your required level, assessing your current security posture and addressing gaps in line with CMMC standards, you can position your organization for future contract eligibility.

Not sure where to begin? Take Eide Bailly’s CMMC readiness assessment to gauge your organization’s preparedness and identify areas for improvement.
