Get Ready for Mandatory CMMC Compliance

By Steven J. Ursillo, Jr., CMMC Certification Lead and Information Assurance and Cybersecurity Partner at Cherry Bekaert, and Brian Kirk, Senior Manager, Information Assurance and Cybersecurity at Cherry Bekaert 

The cybersecurity stakes are rising fast for companies doing business with the federal government, especially for manufacturers. As leaders grapple with shifting trade policies, tariffs, and economic instability, cybersecurity risks are often overlooked. Contractors working with the Department of Defense (DoD) who delay preparation for the Cybersecurity Maturity Model Certification (CMMC) risk losing eligibility for future contracts.


What is CMMC and Why is it Critical?

The CMMC program is the DoD’s framework for ensuring its contractors meet standardized cybersecurity protocols to protect Controlled Unclassified Information (CUI). With over 300,000 contractors in the Defense Industrial Base (DIB), many of whom are small to mid-sized manufacturers, the program aims to identify and address potential cyber vulnerabilities across the entire supply chain.

The model requires organizations that handle CUI to align with NIST 800-171, Rev. 2, security requirements and, in most cases, undergo third-party assessments. Once the final Acquisition Rule—codified in 48 CFR Parts 204, 212, 217, and 252—goes into effect, currently expected on October 1, 2025, the DoD will be authorized to enforce CMMC requirements in solicitations and contracts as a condition for awarding or maintaining DoD work.


Why Companies are Lagging Behind

Even with a looming deadline, a significant number of contractors are behind in their CMMC readiness. Why? CMMC compliance is competing for attention amid a wave of other urgent challenges. The already complex process, marked by questions around cost, scope, and applicability, is being further complicated by ongoing uncertainty around tariffs and trade restrictions. As companies navigate Section 301 tariffs on Chinese imports and grapple with fluctuating materials costs, their resources and focus are increasingly stretched thin.

A study by Merrill Research uncovered a troubling reality: while 75% of contractors believe they’re compliant based on internal assessments, just 4% actually meet the standards when tested by a certified third party. This gap between perception and reality could result in lost contracts and revenue for those who wait too long.

Ignoring CMMC today might feel like a way to reduce stress, but inaction now could become a major liability later. Failing to meet compliance requirements could jeopardize a company’s standing in the market and its ability to compete going forward.

Smaller manufacturing operations often rely on outdated technology and lean IT teams—factors that make them vulnerable to cyberattacks, including ransomware and supply chain attacks. And the consequences are costly. IBM’s 2023 Cost of a Data Breach Report estimates that the average breach in industrial sectors costs $4.9 million.


Prime Contractors are Already Enforcing CMMC

Even before the final rule takes effect, prime contractors are already holding their subcontractors accountable to CMMC-level standards. Procurement leaders need confidence that every link in the supply chain can safeguard sensitive information.

That means even if a company doesn’t contract directly with the DoD, it could still be required to prove compliance to maintain valuable partnerships. Failing to meet expectations could push companies out of key supply chains altogether.


CMMC Compliance is a Business Advantage

While achieving CMMC certification may seem like a heavy lift, it often brings additional benefits to the business:

  • Updates to legacy IT systems
  • Improved security posture and reduced breach risk
  • Greater trust with customers and partners
  • Easier alignment with other frameworks like ISO 27001 and NIST CSF

With cybersecurity becoming a national priority, organizations that get ahead of the curve will be better positioned to succeed in a more regulated landscape. CMMC certification can serve as a stepping stone toward greater resilience and long-term growth.


Don’t Wait for the Rule to Drop

The rulemaking process may conclude in late 2025, but getting certified is not a quick process. Preparing for CMMC takes months of gap assessments, remediation, and documentation. Companies that procrastinate may find themselves locked out of new defense work and struggling to catch up.

While much of the public conversation is focused on tariffs and trade wars, CMMC is quietly becoming the new gatekeeper for defense contracts. For defense manufacturers and procurement teams alike, CMMC compliance is a strategic necessity for those seeking to expand their federal business.


About the authors:

Steven Ursillo Jr. is a Partner and CMMC Certification Lead in the Firm’s Information Assurance and Cybersecurity practice. With over 20 years of experience, he specializes in information system security, cyber fraud prevention and detection, security and privacy governance, risk management, internal control over financial reporting, and IT assurance issues. He has provided end-user security awareness training and performed live hacking demonstrations on simulation systems including network, wireless, mobile, application and web application attacks.


Brian Kirk is a Senior Manager in Cherry Bekaert’s Cybersecurity practice and a Lead CCA, with over 12 years of experience in cybersecurity advisory, risk, and attest services. He has successfully led a team in conducting various assessments and audits to establish compliance with several key cybersecurity standards and frameworks. These include readiness assessments and examinations for the Cybersecurity Maturity Model Certification (CMMC), National Institute of Standards and Technology (NIST), Defense Federal Acquisition Regulation Supplement (DFARS), International Organization for Standardization (ISO) 27001, System and Organization Controls (SOC), and Health Information Trust Alliance (HITRUST). Brian holds multiple certifications, including a Certified Public Accountant (CPA), Certified Information Systems Auditor (CISA), Certified HITRUST CSF Practitioner (CCSFP), Certified CMMC Professional (CCP), and Lead Certified CMMC Assessor (CCA).
