April 4, 2022

Last Updated on June 26, 2025

Since its initial release in 2020, the US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) program has undergone substantial fine-tuning. But with the CMMC Final Rule (32 CFR) in effect and assessments ongoing, CMMC is no longer a moving target.


CMMC 2.0 requirements should begin appearing in DoD contracts in mid-2025. Many prime contractors already want subcontractors that handle controlled unclassified information (CUI) to prove compliance with CMMC Level 2. This is well ahead of the DoD’s phased rollout timeline, which puts CMMC Level 2 language (48 CFR) in contracts in mid-2026.

If your business is still in “wait and see” mode with CMMC 2.0 compliance, the time to start preparing is long past. Especially if you handle CUI under a current DoD contract, you need to take immediate steps to remediate any NIST 800-171 compliance gaps and prepare for a looming CMMC Level 2 third-party audit.

What will be some of your biggest CMMC compliance concerns? This article discusses the top 3 CMMC challenges you need to prepare for, based on experiences with clients across the US defense industrial base (DIB).

Key takeaways

  • The top 3 CMMC implementation challenges—scoping, identifying CUI, and getting C-level buy-in—are inseparably linked and must be approached holistically.
  • Scoping your CMMC environment is by far the most prevalent CMMC challenge.
  • As part of marking CUI, it is critical to identify any CUI Specified data, such as International Traffic in Arms Regulations (ITAR) data and other export controlled data.
  • Failure to engage your C-suite in CMMC certification will not only doom the effort operationally, but also constitute a compliance violation, as CMMC mandates verifiable management oversight. 

Spoiler alert: The top CMMC challenges are all related

By near universal agreement among CMMC service providers and orgs seeking certification (OSCs), the 3 top challenges DIB SMBs consistently face with CMMC 2.0 are:

  1. Scoping, by a wide margin. 
  2. CUI marking and asset management.
  3. Getting management buy-in to finally make CMMC investments. 

What makes these challenges even more formidable is that you can’t solve one without solving the others. For example, without first marking CUI you can’t accurately know your CMMC scope. Plus, you need to know your CMMC scope to identify the CMMC relevant assets to manage. But none of these activities will get off the ground if senior leaders balk at providing the necessary resources.

Top challenge #1: Scoping, far and away

Defining the scope of your CMMC environment is among the first activities you need to complete on the path to CMMC Level 2/NIST 800-171 compliance. Scoping determines the subset of your total IT environment that a certified third-party assessor organization (C3PAO) will audit for compliance.

Since CMMC’s goal is to safeguard CUI, CMMC scoping centers on identifying all the CUI you handle, where it is stored, and what assets (systems, networks, processes, and people, including cloud-based assets and service provider assets) store, process, transmit, and/or create CUI (see challenge #2).

As you identify your CUI, you can start diagraming all your CUI data flows and pinpointing the associated in-scope assets. This will let you define the boundaries of your CMMC compliance environment, also known as a CMMC enclave.

According to the DoD’s latest CMMC Level 2 scoping guide, you should consider these four asset types as part of your CMMC scope:

  1. CUI assets, which are those that directly store, process, and/or transmit CUI.
  2. Security protection assets, which include the hardware, software, etc. used to protect CUI. Examples include a firewall or endpoint protection solution. Managed service providers (MSPs) and managed security service providers (MSSPs), along with other cybersecurity vendors and their cloud-based or on-premises infrastructure and services, are also considered security protection assets relative to CUI.
  3. Contractor risk managed assets, which are the assets you use to reduce the risk associated with sharing CUI with subcontractors and other third parties. An example would be a policy and associated procedures that prevent or limit sharing CUI.
  4. Specialized assets, which refers to a potentially huge range of systems and devices that can create and/or process CUI. This includes test equipment, CNC machines, PLC systems, and other operational technology (OT), sensors and other Internet of Things (IoT) devices, government furnished equipment (GFE), and more.

Scoping is a major challenge because it is both interdependent and dynamic. As you map your data flows you must plan how you can simplify and reduce the size of your CUI footprint and associated CMMC scope. Minimizing your CMMC enclave is critical to achieve and maintain compliance and certification in a resource efficient manner. 

Top challenge #2: CUI marking and asset management

To complete your scoping exercise, you must identify and mark all your CUI and track down all your CUI relevant assets. Then you can devise a CMMC Level 2 compliant program to manage those assets.

As noted above, without comprehensive CUI marking you cannot identify the associated assets you must manage or know your CMMC enclave scope.

A major difficulty with mapping all your CUI is knowing what CUI is in the first place. Even when you talk with experts about whether a particular data type is CUI, the response is frequently, “It depends.”

There are many CUI groupings and categories, and many defense contracts fail to clearly identify what CUI a contractor will receive. There is a longstanding tendency to “call everything CUI” just to play it safe. This creates uncertainty around CUI marking and can add to compliance cost and complexity.

Top challenge #3: Getting management buy-in on CMMC investments

The fact that so many senior executives in the defense supply chain are still wavering on DoD mandated cybersecurity investments that have been in place since DFARS 7012 became effective in late 2017 says a lot about the true state of cybersecurity across the DIB. Many orgs are self-attesting to NIST 800-171 compliance scores that would not stand up to an independent audit.

According to John Laffey, a program manager and lead auditor with Perry Johnson Registrars, “With leadership, the main thing we’re looking for is that at the top level there’s buy-in, whether it be with ISO 9001 or with the CMMC model. At a minimum, you need a top-level message to the organization about what we’re doing, why it’s important, how it’s going to help us, what the expectations are—really driving the entire process and continuing to champion it; making sure resources are available.”

A robust cybersecurity posture takes more than technical implementation, and it cannot be relegated solely to IT. It requires a coordinated effort and a cultural shift with active participation at every business level. Without “tone from the top,” a major ongoing effort like CMMC compliance has no real chance of success. This is why leading cybersecurity standards like CMMC and ISO 27001 require proof of ongoing senior management involvement.

What is the recommended approach to get started with these challenges?

While the top CMMC challenges just discussed are interdependent and are often addressed in parallel, there is a recommended approach to help with the “chicken versus egg” conundrum:

  1. Engage the awareness and ultimately the support of senior leaders. A recommended “interdepartmental communication” approach is to discuss costs, ROI, etc. over the common ground of managing business risk.
  2. Take a look at your contract and/or speak with your contracting officer and legal advisor to pinpoint any data the contract identifies as CUI or as otherwise needing protection. 
  3. With that guidance as a starting point, comprehensively map all relevant data flows and identify where CUI, federal contract information (FCI), and any other CMMC relevant data is stored, transmitted, or processed. Be certain to identify all CUI Specified data, such as ITAR data, which requires controls beyond CMMC Level 2. You may need specialized expertise to ensure success and avoid onerous noncompliance risk or a failed certification audit.
  4. Having definitively marked your CUI, you can identify all the assets that relate to CUI and define your CMMC enclave scope. Then you’ll know what you need to protect to achieve CMMC Level 2 compliance and certification. 
  5. After having identified your CMMC relevant assets, you can develop a sound asset management plan in line with CMMC requirements as part of your CMMC compliance activities. 

What’s next?

To speak with a CMMC expert about solving your company’s unique CMMC 2.0 compliance challenges, contact CBIZ Pivot Point Security.