AWS Public Sector Blog

Preparing for CMMC 2.0 compliance: What contractors can do today


After years of preparation, the Department of Defense (DoD) has finally rolled out a new framework for ensuring cybersecurity in its supplier base: the Cybersecurity Maturity Model Certification (CMMC) 2.0. In June 2024, DoD Deputy CIO for Cybersecurity David McKeown announced the agency would begin requiring CMMC 2.0 compliance in the first quarter of 2025. In fact, some requests for proposals from defense industrial base (DIB) companies already include this requirement.

CMMC compliance will soon be a must-have for federal contractors, so they need to plan now for how to achieve it. Getting ready today will prevent them from getting caught flat-footed and scrambling after receiving a request for proposal with the CMMC requirement or needing to provide affirmative attestations on existing contracts. More importantly, it will help companies maintain their competitive advantage.

The path towards compliance differs according to the level needed and the assessments involved. Fortunately, there is no shortage of resources available to help—including from Amazon Web Services (AWS) and its partners.

In this post, I explain what contractors need to know right now to prepare for the changes coming in 2025.

What do the different CMMC 2.0 levels mean?

All contractors that work with the US government must comply with special rules—but contractors that handle sensitive information have even more regulations to follow. CMMC seeks to classify contractors based on the sensitivity level of the data they handle.

There are three levels of CMMC certification, with Level 1 being the most basic. “Level 2 will apply to the vast majority of DIB companies,” notes Sanchez, “and they’ll have the most resources to get compliant because it’s a much bigger market.”

Level 2—which applies to some 80,000 organizations—requires companies to have an institutionalized management plan to implement cyber hygiene practices that safeguard controlled unclassified information (CUI). This includes all the NIST SP 800-171 r2 security requirements and processes. Level 3 compliance is required for contractors that deal with the most sensitive, high-value information and affects only about 600 companies.

“Smaller companies with more limited resources will need strong CMMC-fluent partners to help them become compliant,” says Sanchez. “Thankfully, the Level 2 ecosystem is building quickly,” with solutions and partners quickly emerging to help companies achieve CMMC compliance.

To help contractors understand where compliance support is needed, the DoD provides a self-assessment tool for DIB contractors. For Level 2 and above, however, companies will need a third-party certification to verify their degree of compliance. This could take several weeks, depending on the size of the environment, the amount of data, and the availability of staff to provide information to the auditor.

The assessment provides a score for how well a contractor meets the CMMC requirements, and the higher the score, the better. “At some point, you are your score. It will become a real differentiator for companies,” explains Sanchez.

How can the AWS Cloud help companies become compliant?

AWS builds many common compliance frameworks into its infrastructure, including the Federal Risk and Authorization Management Program (FedRAMP), so using AWS Cloud tools lets companies become compliant faster than building from scratch on premises. “Using a FedRAMP service that’s already compliant is going to help you be compliant with CMMC,” explains Sanchez. “For example, if you have a database in-house that is not FedRAMP compliant, you can instead use a database in AWS that is. Another option is to create an enclave in an environment that is secure—such as the AWS GovCloud (US) Regions—and store your data there. FedRAMP is the gold standard for secure cloud services.”

However, because CMMC applies to more than cloud services, companies must determine if they need to make additional changes to become fully compliant. “Companies need to make a decision about whether to move the entire organization towards CMMC compliance—or perhaps just migrate the data to a secure enclave in the AWS Cloud and then focus on getting compliance for employees who interface with the data,” says Sanchez. “It may be excessive to pursue CMMC compliance for the finance and accounting departments that never work with controlled unclassified information (CUI), for example.”

AWS Partners such as Rackspace Technology can help DoD suppliers make this determination and provide an offsite solution that enables CMMC compliance without disrupting business operations. When choosing a vendor, contractors should research the vendor’s experience with compliance, especially in the IT realm, and its ability to network with other experts to provide a more comprehensive package.

What are the most important steps to take now?

“Moving forward, CMMC is going to be the key to working with the government,” says Sanchez. “This will require a cultural shift in terms of how many companies do business.”

While becoming compliant can feel daunting, there are at least four low-lift things DIB suppliers can do right away, according to Sanchez:

  1. Commit to the CMMC journey – As mentioned earlier, achieving compliance with CMMC requires a cultural shift for most businesses and is not a one-and-done event. Organizations must take a positive approach to CMMC compliance in both current and future business operations.
  2. Conduct a self-assessment – Where are the gaps? Even if a company will ultimately need a third-party validator for Level 2 compliance, the DoD self-assessment tool identifies areas where the most support will be needed.
  3. Identify vendors who can help – Since hiring an in-house compliance team is expensive and can take companies off-mission, outsourcing is a smart move for many suppliers. Developing a short list of vendors today will save time later once a company has decided which aspects of the business to make compliant.
  4. Standardize and automate – Where possible, move toward solutions that deliver consistent and predictable outcomes. These types of solutions simplify compliance tasks, help maintain a compliant environment, and contribute to lowering CMMC compliance costs.

As the CMMC 2.0 deadline approaches, ignoring compliance requirements becomes increasingly risky: contractors that are not compliant risk losing out to competitors that are. The good news, according to Sanchez, is that an entire ecosystem of resources and partners is ready to help.

“CMMC is here, and companies that don’t already have it are going to need to get it quickly,” says Sanchez. “You’re better off building partnerships with vendors that can help you—so you can stay focused on your core mission.”

Further reading

Read related stories on the AWS Public Sector Blog:

Resiliency imperatives for CIOs with sensitive and highly-available cloud environments in AWS GovCloud (US)

Support FedRAMP and CMMC compliance with the Landing Zone Accelerator on AWS

Protecting transportation agencies in the era of cybersecurity

Abel Sanchez

Abel Sanchez is a senior solutions architect at Rackspace Technologies, specializing in FedRAMP, StateRAMP, and CMMC architectures. He has more than 15 years of experience working in Department of Defense (DoD) secure environments and holds active CISSP, Amazon Web Services (AWS), and Azure certifications. Abel holds a bachelor's degree in computer science and an MBA.