February 6, 2025
The security of the defense supply chain is critical to national security. The Department of Defense (DoD) has established the Cybersecurity Maturity Model Certification (CMMC) to ensure that contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) meet strict cybersecurity standards. Prime contractors must themselves be compliant and are responsible for ensuring their subcontractors achieve and maintain CMMC certification. To remain competitive, secure future contracts, and maintain good relationships with prime contractors, subcontractors must implement CMMC requirements.
CUI and FCI data are defined on page 3 of our 2025 CMMC Guide and Compliance Checklist.
CMMC establishes a framework for cybersecurity best practices across the defense industrial base. The model consists of multiple levels, but CMMC Level 2 compliance is the primary focus for most subcontractors, since it applies to organizations handling CUI. Smaller businesses that manage only FCI need only CMMC Level 1. Level 3 is typically reserved for major defense contractors like Lockheed Martin and General Dynamics.
Subcontractors that supply the defense industry are now receiving requests from prime contractors, framed as requirements or expectations, to become CMMC certified. The prime contractors are responsible for ensuring that they and their subcontractors are compliant. Otherwise, they risk being ineligible for the award of new contracts with the Department of Defense.
It is recommended that companies handling FCI or CUI data limit the scope of an official CMMC certification assessment by carefully segmenting where in their environment the data is stored, and strictly controlling and documenting which individuals can access the data.
Dewpoint’s experts advise subcontractors to meet with prime contractors to discuss what data is absolutely necessary to transmit to perform the work. In some cases, the prime contractor may not need to disseminate controlled data, reducing the scope of or eliminating the need for CMMC certification.
Subcontractors are frequent cyberattack targets because their cybersecurity standards are typically less mature than those of larger prime contractors. Pressing risks include:
According to Fortinet, supply chain attacks have affected major industries, exposing the risks associated with third-party vendors that lack robust security measures. One of the most notable examples is the SolarWinds attack, where Russian-linked hackers infiltrated the IT management company’s software updates, compromising many government agencies and defense contractors. The attack demonstrated how a single weak link in the supply chain can have widespread consequences.
As a Registered Practitioner Organization (RPO) with the Cyber AB, Dewpoint has the expertise to guide defense contractors and subcontractors through the CMMC compliance process. Our Registered Practitioners (RPs) help organizations:
For more details on CMMC terminology and certification requirements, visit Cyber AB's official resource page. Read about the official assessment: Official CMMC Assessment Process v2.0 (PDF).
For many subcontractors, CMMC compliance is both a business decision and a security imperative. While IT teams will manage the technical aspects, business leaders must prioritize compliance to ensure contract eligibility and long-term viability in the defense sector. The key benefits of achieving CMMC compliance include:
CMMC is complicated, but Dewpoint's experts provide guidance across the full cybersecurity maturity spectrum. Our team helps prime contractors and subcontractors meet CMMC requirements and strengthen their cybersecurity posture.
Dewpoint, an award-winning, Michigan-based technology firm, has been helping businesses prepare for, stay ahead of, and respond to IT challenges for over 27 years. From IT security to infrastructure management to automation, cloud migration, and beyond, Dewpoint has long been a trusted technology resource for businesses.