The Defense Industrial Base (DIB) is not a homogeneous block. From commercial to non-profit, software to hardware, manufacturing to consulting, shipyards to laboratories, Department of Defense (DoD) contractors come in all shapes and sizes, and from all 50 states.
The Defense Industrial Base (DIB) is not a homogeneous block. From commercial to non-profit, software to hardware, manufacturing to consulting, shipyards to laboratories, Department of Defense (DoD) contractors come in all shapes and sizes, and from all 50 states.
But there is one element that unites all of them: CMMC 2.0.
From Q1 2025, all members of the DIB have to be CMMC 2.0 compliant. If you handle Controlled Unclassified Information (CUI) and plan to work on DoD contracts as either a prime or subcontractor, here’s three critical things you need to know.
1. You need to prove CUI security no matter your size
The ‘Big Five’ (Lockheed Martin, RTX, General Dynamics, Boeing and Northrop Grumman) account for roughly a third of DoD contracts. The remainder of the DoD’s $420 billion pot is split between large firms (i.e. Huntington Ingalls Industries and General Electric) and SMEs (i.e. Torch Technologies Inc and Deployed Resources) with small businesses winning nearly 25% of DoD prime contracts in 2022-23.
But no matter if you have 20 or 20,000 employees, you’re responsible for proving your CUI security in order to be CMMC compliant. For example, prime contractors must ensure all their subcontractors handle and protect their CUI correctly or find another supplier. Small suppliers, such as niche consultancies or custom part providers, must prove their management of CUI adheres to CMMC requirements or miss out on subcontracted work.
2. CUI compliance is time-consuming
CUI comes in many forms, but in general, any document, drawing or design included in DoD contracts are CUI by default. If you handle CUI, such as construction blueprints or test reports, you need to satisfy 110 security requirements and 320 assessment objectives aligned with NIST SP 800-171 to pass CMMC Level 2. DIB members need to adhere to all of these controls to receive CMMC certification and compliance will be assessed externally by third-party experts.
But CUI is just one part of the CMMC process. The time taken to get assessment ready will vary between large DIB firms and SMEs with 12-18 months seen as a minimum for mid-sized enterprises (followed by 9-15 months for the assessment). With CMMC expected to come into force in Q1 2025, time is of the essence.
3. Balance CUI security with productivity
CMMC 2.0 was designed to protect the DoD’s supply chain (and the sensitive national security information they hold) from cyberattacks - not slow down their production processes. As such, when using tools to protect, track and control access to your CUI, you need to prioritize practicality. If your team of engineers, consultants or scientists have to face cumbersome security checks every time they access a technical report that is CUI, then you’ll lose DoD contracts due to inefficiency not CMMC compliance.
Instead, look for security tools that have the flexibility to adapt to CMMC requirements and don’t adversely impact the end-user experience. For instance, as part of CMMC, you need to prevent foreign nationals from accessing military drawings. If you have a non-US citizen on your production line or work with overseas teams (even if they’re part of your company), your CUI security tools must provide controls to prevent foreign nationals’ access to CUI.
CMMC 2.0 is around the corner. To ensure you’re compliant, you need to work out where your CUI lives, who has access to it and implement tools to secure and monitor CUI. If you use CAD files for DoD contracts, such as technical drawings, it’s highly likely these CAD files are considered CUI.
To find out how to easily protect and track CAD files that are CUI, check out our eBook.