Cybersecurity Maturity Model Certification (CMMC)

Cybersecurity is Weapon System Security; it is National Security

Weapon System cybersecurity protects the mission and the warfighter, and for companies across the Defense Industrial Base (“DIB”), cybersecurity compliance, more specifically compliance with CMMC (DFARS 252.204-7021) and NIST SP 800-171 (“NIST 171”), should be on the corporate radar. Compliance with NIST 171 has been a formal requirement for contractors and subcontractors covered under DFARS 252.204-7012 (“DFARS 7012”) since December 31st, 2017. It requires contractors and subcontractors to self-attest to their compliance with the 110 required NIST cybersecurity practices.

On the 10th of September 2025, the Department of War (DoW) issued a Final Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to embed contractual requirements under the Cybersecurity Maturity Model Certification (CMMC) program, partially implementing Section 1648 of the National Defense Authorization Act (NDAA) for Fiscal Year 2020. The rule further strengthens how the DoW assesses contractor cybersecurity practices and safeguards sensitive unclassified information across its industrial base.

The DoW has clarified that compliance with CMMC and NIST SP 800-171, while not a foregone conclusion, should not be considered a new request for contractors and subcontractors covered by DFARS 252.204-7012. For covered entities, it has been a contractual requirement since 2017.

A Simple Guide To CMMC, NIST SP 800-171 And Compliance

Basic step-by-step compliance guide

CMMC is here, and adherence to DoW cyber policy and the adoption of CMMC is a commercial decision. Cybersecurity compliance under DFARS 7012, 7019, 7020, and 7021 is a cost of doing business with the DoW. The cost of NIST and CMMC compliance is high, but the DoW has been clear that NIST 171 compliance across the DIB should already have been achieved by 31st December 2017. The US federal government has set the regulatory direction of travel to be followed by all Federal departments with CMMC. Going forward, contractors and subcontractors must ensure their compliance. The following is not meant to be a complete and exhaustive guide to DFARS, NIST, or CMMC compliance, but a guide to the activities that any organisation should undertake to assess its basic compliance.

From compliance with DFARS 7012 and NIST SP 800-171 through to compliance with DFARS 7021 CMMC and assurance assessments, DIB contractors must ensure that they understand their compliance obligations. They must evaluate their implementation of the controls required to secure Federal Contract Information (FCI) and, under NIST SP 800-171, Controlled Unclassified Information (CUI); these are contractual obligations under DFARS and are added to DoW contracts.

The paper below discusses CMMC and NIST SP 800-171 compliance, required by the DoW November 2025 CMMC Final Rule.