Info-Tech Research Group

Why CMMC is Essential for DoD Contractors: Cybersecurity Compliance Insights Released by Info-Tech Research Group

Author(s): Mano Mohan Pallan

July 11, 2025 - A growing wave of cyberthreats targeting defense contractors has underscored the need for a consistent and enforceable framework to safeguard controlled unclassified information and strengthen the resilience of the defense supply chain. Global research and advisory firm Info-Tech Research Group has published insights and guidance on the situation in a new resource, Achieve CMMC Compliance Effectively. While the Cybersecurity Maturity Model Certification (CMMC) aims to provide exactly that, many contractors continue to face significant roadblocks in achieving compliance. Legacy systems, limited internal expertise, evolving requirements, and high implementation costs are just some of the challenges slowing down progress.

The firm's research-based resource offers a focused and practical approach to compliance to help contractors navigate these issues by equipping defense organizations with the tools needed to meet certification requirements and maintain eligibility for Department of Defense (DoD) contracts.

Info-Tech's blueprint makes it clear that CMMC applies to all contractors and subcontractors working with the U.S. Department of Defense. The framework is critical for protecting both federal contract information (FCI) and controlled unclassified information (CUI), which are often shared across multiple tiers of suppliers. However, a significant number of organizations continue to face challenges meeting these requirements, often due to outdated systems and confusion around evolving compliance expectations.

"Failure to obtain the required CMMC certification puts organizations at risk of losing eligibility to bid on or be awarded Department of Defense contracts," says Safayat Moahamad, research director at Info-Tech Research Group. More importantly, organizations that proactively invest in cybersecurity readiness gain a competitive advantage by strengthening their ability to bid on Department of Defense contracts and demonstrating trustworthiness in handling sensitive defense data.

Info-Tech's insights published in the resource highlight that organizations seeking certification, formally known as Organizations Seeking Assessment (OSAs), must choose their target compliance level and implement the corresponding controls. The minimum certification level required will be specified in the DoD solicitation. This means contractors must be proactive and align their security practices with anticipated contract demands.

Understanding the Four Key CMMC Levels
To support this effort, Info-Tech's Achieve CMMC Compliance Effectively blueprint outlines four key CMMC levels, each designed to match the type and sensitivity of data a contractor handles:

  • Level 1: Foundational (Self-Assessed) - For contractors handling Federal Contract Information (FCI). Requires full implementation of 15 basic security controls and annual self-affirmation. Conditional status is not permitted at this level.

  • Level 2: Advanced (Self-Assessed) - Designed for contractors handling Controlled Unclassified Information (CUI). Level 2 requires the implementation of 110 controls from NIST SP 800-171. Organizations must score at least 80% and close any remediation items within 180 days, and complete annual affirmation and reassessment every three years.

  • Level 2: Advanced (Third-Party Assessed) - Similar to the self-assessed Level 2, but compliance is verified by an accredited third-party assessor (C3PAO). This level is required for some contracts, depending on Department of Defense (DoD) solicitation terms.

  • Level 3: Expert (Government Assessed) - Level 3 is for organizations supporting critical defense programs. It includes all Level 2 controls plus 24 additional controls, and requires a prior Level 2 third-party certification and assessment by the DIB Cybersecurity Assessment Center (DIBCAC).

"By addressing the challenges of CMMC compliance early and with purpose, organizations can move beyond simply checking boxes," explains Moahamad. "In a competitive defense landscape, effective compliance is not just a requirement; it is a key differentiator."

For exclusive and timely commentary from Safayat Moahamad, an expert in privacy, legal, and compliance fields, and access to the complete Achieve CMMC Compliance Effectively blueprint, please contact pr@infotech.com.

About Info-Tech Research Group
Info-Tech Research Group is one of the world's leading research and advisory firms, serving over 30,000 IT and HR professionals. The company produces unbiased, highly relevant research and provides advisory services to help leaders make strategic, timely, and well-informed decisions. For nearly 30 years, Info-Tech has partnered closely with teams to provide them with everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

To learn more about Info-Tech's divisions, visit for HR research and advisory services and for software buying insights.

Media professionals can register for unrestricted access to research across IT, HR, and software and hundreds of industry analysts through the firm's Media Insiders program. To gain access, contact pr@infotech.com.

For information about Info-Tech Research Group or to access the latest research, visit infotech.com and connect via and .

Media Contact
Sufyan Al-Hassan, Senior PR Manager
Info-Tech Research Group
salhassan@infotech.com | +1 (888) 670-8889 x2418