Expert Insights from Olivia Friedrich
The Cybersecurity Maturity Model Certification (CMMC) is more than a checklist—it’s a critical part of the Department of Defense’s mission to secure the defense industrial base. With the transition to CMMC 2.0, defense contractors must be proactive in understanding the changes and preparing for compliance.
We spoke with Olivia Friedrich, cybersecurity expert and CMMC RP (Registered Practitioner), to break down what CMMC is, why it matters, and how businesses can get ready for CMMC 2.0.
What Is CMMC and Why Is It Important?
“CMMC is a framework created by the Department of Defense (DoD) to ensure that defense contractors are protecting sensitive government data,” says Friedrich. At its core, CMMC is about building strong cybersecurity habits—not just meeting a one-time requirement.
“It’s important because it ensures [contractors] are building real cybersecurity habits that safeguard national security.”
How Does CMMC Strengthen the Defense Supply Chain?
According to Friedrich, CMMC helps eliminate weaknesses in the supply chain by requiring companies to meet specific security standards before they handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). “It’s basically a team effort to keep sensitive info out of the wrong hands.”
Who Needs to Be CMMC Compliant?
“If you’re in the defense supply chain and dealing with sensitive data, CMMC compliance is a must,” Friedrich states plainly.
This includes prime contractors, subcontractors, and even small IT vendors for the sharing of Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) during contract performance. “Even if you’re a small vendor or IT service provider supporting a larger defense project, you’re in scope.”
What’s New in CMMC 2.0?
CMMC 2.0 simplifies and streamlines the original model into three organizational maturity levels: Foundational, Advanced, and Expert. As Friedrich puts it,
“Instead of five certification levels, there are now three. This makes it easier for companies to understand where they fit.”
The CMMC 2.0 Framework incorporates a systematic approach to achieving higher levels of certification and cybersecurity maturity.
Key Changes in CMMC 2.0
Friedrich outlines the major updates:
- “The reduction from five levels to three”
- “Self-assessments for Level 1 and some Level 2 contractors”
- “The use of Plans of Action & Milestones (POA&Ms), meaning contractors can still bid on contracts while working toward full compliance.”
These changes reduce the burden on smaller contractors while maintaining strong security expectations.
How It Helps Small and Mid-Sized Businesses
“Small and medium-sized businesses will benefit from CMMC 2.0’s more flexible framework,” Friedrich notes. Self-assessments and POA&Ms offer more affordable, realistic paths to compliance. However, self-assessments require sign-off from an executive member of the organization, and false claims can result in canceled contracts or hefty fines.
What Does CMMC 2.0 Mean for Defense Contractors?
“Contractors need to evaluate where they fall under the new three-level model and adjust their cybersecurity programs accordingly,” says Friedrich. For most Level 2 contractors, that means implementing all 110 NIST 800-171 controls and preparing thorough documentation.
She adds: “Leadership involvement is more critical in CMMC 2.0 because executive-level attestation is required to confirm compliance.”
Timelines and Deadlines to Watch
While the final rule for CMMC 2.0 is expected in 2025, Friedrich says the DoD will roll it out gradually. Here’s what you need to know:
- Level 3: DIBCAC assessment every 3 years, annual affirmation
- Level 2: Third-party assessment (C3PAO) or self-assessment every 3 years, annual affirmation
- Level 1: Annual self-assessment, annual affirmation
And if you’re not ready? “No certification, no contract.”
How to Prepare for CMMC 2.0 Compliance
According to Friedrich, there are several critical areas to focus on:
“Access control, incident response, system and communications protection, and configuration management” are some of the top priorities pulled from the NIST 800-171 standard.
Security Upgrades to Prioritize
To meet CMMC 2.0 requirements, Friedrich recommends several upgrades:
- “Implementing multi-factor authentication (MFA)”
- “Endpoint protection”
- “Encryption for data at rest and in transit”
- “Regular patch management”
- “Centralized logging and monitoring tools”
These steps can significantly reduce risk and increase audit-readiness.
How to Streamline the Process
“Start with a clear plan and a realistic timeline,” advises Friedrich. Rushing at the last minute can increase the likelihood of compliance errors.
She also recommends bringing in outside expertise:
“Bringing in a CMMC Registered Practitioner (RP) or consultant can help businesses prevent missteps.”
Why You Should Start Preparing Now
Friedrich is clear: “Businesses should start preparing for CMMC 2.0 compliance now because preparing early gives them the time to fix gaps, make necessary upgrades, and implement procedures without too much pressure.”
Documentation and evidence gathering take time, and failing to prepare could mean losing out on contracts when CMMC becomes a firm requirement.
The Risks of Delaying
“The most obvious risk is losing out on DoD contracts,” Friedrich warns. “Delays can also lead to rushed compliance efforts, which increases the chances of failing an audit.”
Plus, she points out, delayed efforts can leave your data vulnerable—“Cyberattacks are only becoming more sophisticated.”
Where to Find Help
Looking for resources? Friedrich recommends starting with:
- The NIST SP 800-171 publication
- Consulting with CMMC Registered Practitioners (RPs) or C3PAOs
Final Thoughts
CMMC 2.0 may seem like a moving target, but with the right approach, it’s entirely achievable. “For a business to gain a CMMC certification, it takes effort. Documentation and evidence are a big part of the assessment and businesses should be able to easily provide them,” Friedrich concludes.
If you’re a defense contractor, the time to start is now.