CMMC readiness : How to face the challenges
Learn how to overcome the top three obstacles to CMMC readiness and build a stronger cyber posture.
With CMMC officially coming into effect by the end of this year, the pressure is on for defense contractors to get compliant. If you haven’t already, now’s the time to get serious.
A recent article posted by Federal News Network stated, “… a recent survey paints a concerning picture: More than 16% of respondents reported little to no readiness for CMMC compliance, half admitted to being only moderately or slightly prepared, and 13% said they’d taken no action at all.”
The three challenges to readiness identified by survey respondents (in order) aren’t new. They are:
- Cost
- Confusing information
- Controlled Unclassified Information (CUI) scope
In my experience, these have been the top three challenges since the original cyber DFARS -7012 was in draft. Let’s take a closer look at each one.
Cost
This is a multifaceted challenge, the first aspect of which is often cultural – cybersecurity is seen as an “additional” cost. In 2025, it shouldn’t be. It’s one of many required costs for being in business (any business, not just the Defense Industrial Base). While a general lack of cyber requirements across industries perpetuates this myth, CISOs and the rest of the C-Suite need to address this head-on by changing the company culture.
The second facet is accounting for this cost in your contracts with the DoD or Primes. There are different ways to handle this, and while not the focus of this article, CohnReznick‘s team can help you determine the best approach.
The other aspect is the mindset that “CMMC makes us do extra cybersecurity.” This is another myth. If we look at Canada, their defense contractors are required to meet NIST 800-171 r3, while here in the US, the DoD only requires r2. Said another way, your competitors up north are doing more and still competing with you.
If we take Controlled Unclassified Information (CUI) out of CMMC and replace it with “information your company wants protected” (however you define it), then we quickly realize that of the six functions (Govern, Identify, Protect, Detect, Respond, and Recover) defined by NIST for a holistic cyber program, four aren’t sufficiently addressed. NIST 800-171 r2 gives us good coverage in the Protect function, and some Detect, but the rest of them are almost nonexistent. And that’s just the minimum - you need to do much more than what is required by CMMC to have a reasonable cybersecurity program.
I’m not ignoring the fact that if your organization has not done this, it does “cost” to fix this deficiency. But in the meantime, your competitors are racing past you, and the cost to catch up grows. Your cyber insurance cost likely increases every year, and the lack of good cyber hygiene across all industries is one of the foremost reasons. It’s time to change your culture and execute a cyber program that protects your business, safeguards your investments, and strengthens your competitive edge.
Confusing information
In the CMMC’s drawn-out rulemaking process, the timing has shifted throughout, and the comments haven’t always been clear. The lack of clarity around CMMC can make it difficult for organizations to know when and where to use their limited resources. The swirl of information, delays, perceived changes, and so on make it easy to adopt a “wait and see” approach. However, that approach is also costing your organization.
As time goes on, you add more systems, complicate business processes, and reinforce a culture that hasn’t accepted CMMC. Delaying the decision to meet requirements often leads to higher costs, greater disruption, and tougher cultural shifts, just to reach a standard that was set over a decade ago - not one that reflects today’s cybersecurity landscape.
If you aren’t preparing to meet CMMC (you are very late), get started now. The old saying about trees, “The best time to plant a tree was 20 years ago. The second-best time is now,” applies to CMMC. The final rule is expected in late September or early October 2025, at which point your business has a real risk of not being able to participate in contracts because of noncompliance. The FAR rule, which places similar requirements as CMMC on federal contracts, is expected next year. Soon, the U.S. government, the largest purchaser of goods and services in the world, will require anyone conducting business with it to meet a basic cyber posture.
It’s time to break out of analysis paralysis and implement your program. A well-designed, comprehensive cyber program already exceeds CMMC requirements. By protecting your organization’s data, IP, resources, and people, you position yourself to easily meet contractual requirements with the DoD and federal government.
CUI scope
Many organizations are confused about what CUI is, if they have it, and what they do with it. While it’s important to know what CUI is, using a lack of understanding as a reason to delay meeting the requirements is a poor excuse. Most organizations want to know what CUI is so they can limit the scope of their CUI environment.
As I mentioned earlier, if you think of CUI as “information your company wants protected,” then it’s clear—you need to protect your whole environment. It’s not about isolating 39% or any portion of your systems. That sensitive information lives everywhere in your business. Whether it’s CUI, NYDFS NPI, ePHI, or any other critical data, it all needs to be protected in a way that meets the required standards. That isn’t to say there isn’t a time or a place for an enclave. There is. But what really matters is building strong cyber hygiene into your company culture, and that starts with recognizing that your cyber program is a requirement to be in business, not an additional burden. Changing your approach from “doing what is needed” to “our cyber posture makes us better” opens new growth opportunities. Having the right cyber program means you can be a first mover into new contracts and markets. You don’t need to “build” to take on the work; you can do it now.
The critical role of culture
While the survey’s answers varied, they all reflected the same theme: culture. Every organization has a choice: continue to struggle with these challenges or change their culture and stop thinking of them as challenges. There are many practical ways to address all of these issues and to turn them into competitive advantages.
If you’re interested in learning more about how to approach these challenges, then CohnReznick can help. Our team has been dealing with these specific issues since the original cyber DFARS was in draft in 2013. We have helped shape the language in CMMC v1 and v2. As a Registered Provider Organization (RPO) and a Certified Third-Party Assessor Organization (C3PAO), we have helped many organizations meet CMMC and pass their certifications. CohnReznick has been certified twice by the Defense Industrial Base Cybersecurity Assessment Center - meaning we don’t just preach; we also live by our words. And we’ve done this for over a decade.