Cybersecurity Maturity Model Certification (CMMC)

Cybersecurity is Weapon System Security; it is National Security

Weapon System cybersecurity protects the mission and the warfighter, and for companies across the Defense Industrial Base ("DIB"), cybersecurity compliance, more specifically compliance with CMMC (DFARS 252.204-7021) and NIST SP 800-171 ("NIST 171"), should be on the corporate radar. Compliance with NIST 171 has been a formal requirement for contractors and subcontractors covered under DFARS 252.204-7012 ("DFARS 7012") since December 31st 2017, requiring them to self-attest to their compliance with the 110 NIST cybersecurity practices.

On the 10th of September 2025, the Department of Defense (DoD) issued a Final Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to embed contractual requirements under the Cybersecurity Maturity Model Certification (CMMC) program, partially implementing Section 1648 of the National Defense Authorization Act (NDAA) for Fiscal Year 2020. The rule further strengthens how the DoD assesses contractor cybersecurity practices and safeguards sensitive unclassified information across its industrial base.

The DoD has clarified that compliance with CMMC and NIST SP 800-171, while not a foregone conclusion, should not be considered a new requirement for contractors and subcontractors covered by DFARS 252.204-7012, as it has been a contractual requirement since 2017.

A Simple Guide To CMMC, NIST SP 800-171 And Compliance

Basic step-by-step compliance guide

CMMC is here, and adherence to DoD cyber policy and the adoption of CMMC is a commercial decision. Cybersecurity compliance under DFARS 7012, 7019, 7020 and 7021 is a cost of doing business with the DoD. The cost of NIST and CMMC compliance is significant, and the DoD has been clear that NIST 171 compliance across the DIB should already have been achieved, as it has been required since 31st December 2017. The US federal government has set the regulatory direction of travel, to be followed by all Federal departments, with CMMC. Going forward, contractors and subcontractors must ensure their compliance. The following is not meant to be a complete and exhaustive guide to DFARS, NIST or CMMC compliance, but a guide to the activities which any organisation should undertake to assess their basic compliance.

From compliance with DFARS 7012 and NIST SP 800-171 through to compliance with DFARS 7021 CMMC and assurance assessments, DIB contractors must ensure that they understand their compliance obligations. They must evaluate their implementation of the controls necessary to secure Federal Contract Information (FCI) and, under NIST SP 800-171, Controlled Unclassified Information (CUI); these are contractual obligations under DFARS and are added to DoD contracts.

The paper below discusses CMMC and NIST SP 800-171 compliance, as required by the DoD's November 2025 CMMC Final Rule.