
CMMC 2.0 Implementation Strategies: Security Controls, External Expertise, and Strategic Approaches
The path to CMMC 2.0 Level 2 compliance represents a significant undertaking for Defense Industrial Base (DIB) organizations. In our previous article, we examined how comprehensive gap analyses and mature documentation practices establish the critical foundations for certification success. Building on those insights, this article explores the specific security control implementations and strategic approaches that differentiate successful compliance programs.
The Kiteworks and Coalfire “State of CMMC 2.0 Preparedness in the DIB” research involving 209 diverse defense contractors provides valuable insights into encryption practices, third-party access controls, external expertise engagement, and resource allocation strategies. Understanding these patterns can help organizations develop more effective compliance approaches tailored to their specific circumstances.
As we explore these findings, a clear pattern emerges: Organizations that invest strategically in specific security domains and leverage appropriate external expertise consistently demonstrate stronger overall security postures and greater certification readiness. Let’s examine the research insights that can guide your CMMC 2.0 implementation strategy.
Encryption Practices and Overall Security Posture
The implementation of encryption and other data protection methods for controlled unclassified information (CUI) represents a critical element of CMMC 2.0 Level 2 compliance. The research reveals encryption implementation serves as both a specific technical requirement and a powerful indicator of overall security control maturity.
Current Encryption Implementation Status
Among surveyed organizations:
- 69% reported following documented encryption standards with verification of implementation
- 25% indicated they encrypt some data but have gaps to address
- 4% acknowledged not consistently encrypting CUI at rest or in transit
- 2% were unsure of their encryption status
The correlation between encryption implementation and company size reveals modest but notable differences in approach. Large organizations (10,000+ employees) reported the highest rate of following documented encryption standards at 71%, compared to 69% for medium organizations (500-9,999 employees) and 67% for small organizations (<500 employees). These relatively small differences suggest that encryption implementation may be less resource-dependent than other security controls, with organizations of all sizes recognizing its fundamental importance for protecting sensitive information.
Encryption as a Security Maturity Indicator
Organizations following documented encryption standards demonstrated significantly stronger performance across all other measured security dimensions. These organizations were more likely to have fully documented security policies (73% versus 29% for those with encryption gaps), detailed POA&Ms (65% versus 23%), advanced third-party access controls (75% versus 49%), and formal vendor management programs (74% versus 28%). This pattern suggests that robust encryption implementation typically exists within a broader context of mature security practices.
The relationship between encryption status and third-party engagement strategies reveals important patterns in how organizations address encryption challenges. Organizations still in the process of selecting partners showed the highest rate of encryption gaps (42%), compared to those already working with partners (15%) or handling compliance in-house (25%). This pattern suggests that organizations often recognize encryption gaps early in their compliance journey, driving them to seek external expertise to address these technical challenges.
Encryption implementation showed strong correlation with perception of compliance challenges. Organizations following documented encryption standards most frequently identified budget constraints (34%) and executive buy-in (19%) as primary challenges. In contrast, organizations with encryption gaps or inconsistent implementation more often cited technical complexity (59%) and understanding requirements (41%). This divergence suggests that organizations overcome technical challenges as they mature their encryption practices but then face resource and organizational challenges for broader compliance efforts.
Industry sector analysis reveals interesting patterns in encryption implementation:
- Defense manufacturing organizations reported the highest rate of following documented encryption standards (78%)
- Professional services firms followed at 71%
- Technology/software companies reported 67%
These differences likely reflect variations in experience with handling sensitive information and prior compliance requirements, with defense manufacturers typically having longer experience with DoD information protection requirements.
Key Takeaways for CMMC 2.0 Implementation Strategies
- Encryption implementation serves as both a technical requirement and an indicator of overall security maturity. Organizations following documented encryption standards demonstrated significantly better performance across all security dimensions, with 73% having fully documented policies (versus 29% for those with encryption gaps) and 75% implementing advanced third-party access controls (versus 49% for those with gaps). This pattern suggests that robust encryption implementation typically exists within a broader context of mature security practices, making it a valuable benchmark for overall compliance readiness.
- External expertise accelerates compliance preparation across multiple domains. Partner-engaged organizations were significantly more likely to report following verified encryption standards (84% compared to 61% for those handling compliance in-house) and showed particularly strong performance in documentation, scoping definition, and third-party risk management. The timing of partner engagement matters: organizations that engage partners early in their compliance journey report higher rates of comprehensive readiness efforts, suggesting that early external guidance helps establish more structured compliance approaches from the outset.
- Supply chain complexity correlates strongly with third-party access control maturity. Organizations with more than 50 suppliers handling CUI were significantly more likely to have advanced controls (79%) compared to those with fewer than 10 suppliers (58%), demonstrating how organizations with complex supply chains recognize the heightened risk and invest accordingly. Among the 66% of organizations already employing advanced controls, 77% have formal vendor management programs (versus 31% of those with only partial controls), creating comprehensive visibility throughout their supply chains that enhances both compliance and operational security.
- Organizations face an evolution of challenges throughout their compliance journey. Early-stage challenges focus on understanding requirements and implementing basic technical controls, with organizations citing technical complexity (53%) and understanding requirements (27%) as primary concerns. As organizations mature, their focus shifts to resource allocation and scope definition, with more advanced organizations identifying budget constraints (38%) and scope complexity (26%) as their primary challenges, highlighting the need for evolving strategies as compliance progresses.
- A phased implementation approach aligned with organizational maturity yields the best results. The research reveals distinct stages in the compliance journey (Assessment, Implementation, and Maturation), each requiring tailored strategies and resource allocation. Organizations should recognize that challenges evolve throughout this journey and adjust their approaches accordingly, focusing initially on fundamental technical understanding before progressing to more advanced governance and continuous monitoring activities that maintain compliance beyond initial certification.
Third-Party Access Controls and Supply Chain Security
The implementation of governance tracking and controls for third-party access to CUI addresses the substantial risks associated with supply chain security. The survey results highlight significant variation in third-party access control maturity across organizations, with important implications for overall security posture.
The State of Third-Party Access Controls
Among surveyed organizations:
- 66% reported having advanced controls and systems in place for third-party CUI access
- 29% indicated they have some controls but lack full visibility and control
- 3% acknowledged this as an active gap they are working to address
- 2% were unsure of their control status
The correlation between third-party access controls and company size reveals important patterns in supply chain security approaches. Large organizations (10,000+ employees) reported the highest rate of advanced controls at 71%, compared to 63% for medium organizations and 67% for small organizations. This relatively even distribution suggests that organizations across size categories recognize the importance of third-party access controls, though implementation approaches may differ based on resources and supply chain complexity.
Organizations with advanced third-party access controls demonstrated substantially stronger performance across other security dimensions. These organizations were more likely to have fully documented security policies (78% versus 38% for those with partial controls), follow documented encryption standards (78% versus 51%), and have formal vendor management programs (77% versus 31%). This pattern suggests that robust third-party access controls typically exist within a broader context of mature security governance and technical controls.
Supply Chain Complexity and Security Investment
Supply chain complexity shows a strong correlation with third-party access control maturity. Organizations reporting more than 50 suppliers handling CUI were significantly more likely to have advanced controls (79%) compared to those with fewer than 10 suppliers (58%). This pattern suggests that organizations with more complex supply chains recognize the heightened risk and invest accordingly in more sophisticated control mechanisms.
The relationship between third-party access controls and perceived compliance challenges reveals important differences in organizational focus. Organizations with advanced controls most frequently identified budget constraints (37%) and scope complexity (24%) as primary challenges. In contrast, organizations with partial controls or identified gaps more often cited technical complexity (51%) and understanding requirements (38%). This divergence suggests that organizations mature their understanding of both technical and governance requirements as they implement more advanced third-party controls.
Industry sector analysis reveals notable differences in third-party access control maturity:
- Defense manufacturing organizations reported the highest rate of advanced controls (73%)
- Professional services firms followed at 68%
- Technology/software companies reported 63%
These differences likely reflect variations in supply chain complexity and experience with handling sensitive information, with defense manufacturers typically having more established practices for controlling information flow to suppliers and subcontractors.
External Expertise: The Compliance Accelerator
External partner engagement correlates strongly with perceived compliance readiness across multiple dimensions. The survey reveals distinct patterns in how different organizations leverage external expertise, with important implications for compliance success.
Partner Engagement Patterns
The relationship between organizational size and third-party engagement reveals important patterns in how different organizations approach external expertise:
Medium-sized organizations (500-9,999 employees) showed the highest rate of engagement with experienced partners at 50%, compared to 40% for small organizations (<500 employees) and 41% for large organizations (10,000+ employees). This pattern suggests that medium-sized organizations occupy a particular position where they have sufficient resources to engage external support but may lack the extensive internal expertise found in larger organizations.
Small and large organizations tied for the highest rate of handling compliance in-house (22% each), though likely for different reasons: resource constraints for small organizations versus extensive internal capabilities for large ones.
The relationship between leadership roles and third-party engagement reveals important differences in how functional areas approach compliance assistance:
CEO/Founders and CIO/IT Leaders reported the highest rate of engagement with experienced partners (57% each). In contrast, Cybersecurity Leaders reported the lowest rate of partner engagement (31%) and the highest rate of handling compliance in-house (34%). These differences likely reflect varying assessments of internal capabilities, with specialized cybersecurity leaders more confident in internal resources than generalist executives.
Impact of External Expertise
Organizations working with experienced partners were significantly more likely to report following verified encryption standards (84%) compared to those handling compliance in-house (61%) or those still selecting partners (54%). Similar patterns appeared for third-party access controls, incident response readiness, and compliance budget allocation. These correlations highlight how external expertise can accelerate and enhance compliance preparation across multiple domains.
The specific type of third-party engagement shows interesting correlations with organization size and compliance maturity:
Small organizations more frequently reported working with general cybersecurity consultants (48%), while medium and large organizations more often engaged specialized Registered Provider Organizations (RPOs) or Certified Third-Party Assessment Organizations (C3PAOs) (57% and 64%, respectively). This difference likely reflects both resource availability and compliance complexity, with larger organizations requiring more specialized expertise focused specifically on CMMC requirements.
Partner-engaged organizations showed especially strong performance in documentation (76% fully documented versus 43% for in-house), scoping definition (63% well-documented versus 27% for in-house), and third-party risk management (72% formal programs versus 39% for in-house). These areas require specialized knowledge and typically benefit from external perspective and experience with similar organizations.
The timing of partner engagement appears to influence overall compliance approach. Organizations that engaged partners early in their compliance journey (before completing gap analyses) reported higher rates of comprehensive readiness efforts, including formal vendor management programs (68%) and centralized remediation tracking systems (71%). This pattern suggests that early external guidance helps establish more structured, comprehensive compliance approaches from the outset.
Key Compliance Challenges and Resource Allocation
The survey results highlight the diverse challenges organizations face in pursuing CMMC 2.0 Level 2 compliance, with resource constraints, technical complexity, and organizational factors emerging as key themes. Organizations’ identified challenges vary significantly based on size, compliance maturity, and specific role perspective.
Primary Implementation Obstacles
Among all respondents:
- 36% identified budgetary and resource constraints as their greatest challenge
- 31% cited technical complexity
- 12% pointed to scope complexity
- 11% mentioned executive buy-in
- 10% highlighted understanding requirements
Organizations at different compliance maturity stages report markedly different challenge perceptions. Organizations with fully documented policies and advanced security controls most frequently identified budget constraints (38%) and scope complexity (26%) as primary challenges. In contrast, organizations with partial documentation and security gaps more often cited technical complexity (53%) and understanding requirements (27%). This progression suggests that organizations focus initially on understanding and implementing technical requirements before confronting resource allocation and scope definition challenges.
Budget Allocation Patterns
Budget allocation for CMMC 2.0 compliance shows significant variation across respondent organizations:
- 34% reported having an approved budget with a dedicated team
- 48% indicated partial budget allocation with plans to expand resources
- 15% acknowledged limited or no specific budget allocation
- 3% were unsure of their budget status
The correlation between budget allocation and company size follows expected patterns:
- 62% of large organizations reported approved budgets with dedicated teams
- 38% of medium-sized organizations had dedicated budgets
- Only 23% of small organizations had dedicated compliance budgets
The relationship between challenge perception and compliance timeline reveals important patterns in how organizations approach CMMC preparation. Organizations identifying technical complexity as their primary challenge projected longer compliance timelines, with 67% anticipating certification within 12 to 24 months of the final rule. In contrast, organizations citing budget constraints showed more aggressive timelines, with 41% planning certification within 6 to 12 months. This divergence suggests that technical understanding, rather than resource availability alone, may be the more limiting factor in compliance velocity.
Strategic Recommendations Based on Research Findings
The survey findings reveal clear pathways to successful CMMC Level 2 compliance, with organizations’ approaches varying significantly based on size, leadership involvement, and maturity of security practices. Based on these insights, here are five key actions organizations should prioritize for compliance success.
Five Key Actions for CMMC Success
Implement Advanced Governance Tracking and Controls for CUI Access
Organizations with advanced third-party access controls demonstrate dramatically stronger security posture, with 78% following documented encryption standards versus 51% for those with partial controls. Among the 66% of organizations already employing advanced controls, 77% have formal vendor management programs (versus 31% of those with only partial controls), creating comprehensive visibility throughout their supply chains.
This finding is particularly significant for organizations with complex supply chains—those with more than 50 suppliers handling CUI are significantly more likely to implement advanced controls (79%) compared to those with simpler supply chains (58%).
Develop Comprehensive Security Layers for Data Protection
Survey data shows that organizations following documented encryption standards (69% of respondents) achieve significantly better security across multiple dimensions. These organizations are roughly two and a half times as likely to have fully documented policies (73% versus 29%) and nearly three times as likely to have detailed POA&Ms (65% versus 23%) compared to those with encryption gaps.
The research reveals that organizations with minimal documentation are 30 times more likely to report inconsistent encryption of CUI—highlighting a critical vulnerability in the supply chain. Prioritizing encryption implementation alongside complementary controls creates defense-in-depth protection of sensitive information.
Engage Specialized Third-Party Expertise for Compliance Acceleration
Medium-sized organizations (500-9,999 employees) lead in this approach with 50% working with specialized partners. This engagement correlates with substantially better security outcomes—76% achieve fully documented policies versus 43% for those handling compliance independently.
Organizations with completed gap analyses engage external partners at nearly triple the rate (62%) of those yet to begin assessment (21%), recognizing the value of specialized expertise. The timing of engagement matters—organizations that partner early in their compliance journey report higher rates of comprehensive readiness efforts.
Adopt Zero-Trust Data Exchange Solutions to Streamline Compliance
With 29% of organizations reporting only partial visibility over third-party CUI access, zero-trust architectures that authenticate and authorize every access to content address a critical vulnerability. Among organizations working with experienced partners, 76% have achieved advanced access controls, which shows how specialized solutions can overcome this challenge.
Defense manufacturers lead in this implementation (73%), leveraging solutions that maintain security while enabling necessary information sharing. For organizations with complex supply chains, these approaches deliver both compliance and operational efficiency.
Begin With Thorough Gap Analysis Against All 110 NIST SP 800-171 Controls
The 41% of organizations that completed comprehensive assessments are three times as likely to implement strong security controls as those who have not started. This critical foundation identifies vulnerabilities requiring immediate attention.
The research demonstrates a clear correlation: Organizations completing gap analyses are 73% more likely to have fully documented cybersecurity policies, and 77% more likely to follow verified encryption standards compared to those who haven’t begun assessment. Starting with this comprehensive analysis provides the roadmap for all subsequent compliance activities.
Implementing a Phased Approach
The research reveals distinct stages in the compliance journey, each requiring tailored strategies:
- Assessment Phase: Begin with comprehensive gap analysis and documentation development, focusing on understanding requirements before implementing technical controls. Here, it is very important to identify and engage a third-party advisory partner that can guide you through the assessment and implementation processes.
- Implementation Phase: Prioritize addressing technical complexity challenges while developing systematic documentation and control verification mechanisms.
- Maturation Phase: Focus on scope definition, partner management, and continuous monitoring, with emphasis on maintaining compliance beyond certification.
Organizations should align resource allocation and timeline expectations based on their current compliance stage, recognizing that challenges evolve throughout the journey.
Securing DIB Supply Chains: CMMC 2.0 Level 2 Success Strategies
As CMMC 2.0 Level 2 implementation continues across the Defense Industrial Base, the Kiteworks and Coalfire survey provides invaluable guidance for organizations at all readiness stages. The findings clearly indicate that strategic investment in robust security controls, comprehensive documentation, and appropriate external expertise significantly enhances an organization’s ability to achieve and maintain compliance while improving overall security posture.
Organizations showing the strongest compliance readiness demonstrate consistent patterns: They implement layered security controls with particular emphasis on encryption and third-party access management, strategically leverage external expertise, and align resource allocation with evolving compliance challenges. These approaches yield measurable benefits across all security dimensions.
Perhaps most significantly, the research demonstrates that compliance investments deliver value beyond certification requirements. Organizations following structured compliance approaches report stronger overall security governance, improved risk management capabilities, and more effective protection of sensitive information throughout their supply chains.
The coming months will be critical for DIB organizations as CMMC 2.0 requirements become contractual obligations. By following the evidence-based strategies outlined in this research, organizations can navigate the compliance journey more efficiently and effectively, ultimately strengthening both their security posture and their competitive position in the defense marketplace.
For organizations beginning their compliance journey, the message is clear: start with comprehensive assessment, implement robust security controls methodically, and consider strategic external support. For those further along, focus on addressing the evolving challenges appropriate to your maturity stage. In all cases, view CMMC compliance not as a checkbox exercise but as an opportunity to strengthen your organization’s overall security posture and better protect the sensitive defense information entrusted to your care. Finally, make sure you engage with a trusted and experienced third party to guide you through the CMMC 2.0 Level 2 certification process.
Frequently Asked Questions
How does encryption implementation relate to overall security maturity under CMMC 2.0?
Organizations following documented encryption standards demonstrated significantly stronger performance across all security dimensions, with 73% having fully documented security policies (versus 29% for those with encryption gaps) and 75% implementing advanced third-party access controls (versus 49% for those with gaps). The research identifies encryption as both a specific technical requirement and a powerful indicator of overall security control maturity, suggesting that organizations prioritizing robust encryption implementation typically maintain more mature security practices across the board.
Does engaging external partners improve CMMC 2.0 compliance readiness?
External partner engagement correlates strongly with compliance readiness, with organizations working with experienced partners significantly more likely to report following verified encryption standards (84% compared to 61% for those handling compliance in-house). Partner-engaged organizations showed especially strong performance in documentation (76% fully documented versus 43% for in-house), scoping definition (63% well-documented versus 27% for in-house), and third-party risk management (72% formal programs versus 39% for in-house), demonstrating how external expertise can accelerate and enhance compliance preparation across multiple domains.
How does supply chain complexity affect third-party access control maturity?
Supply chain complexity shows a strong correlation with third-party access control maturity, with organizations reporting more than 50 suppliers handling CUI significantly more likely to have advanced controls (79%) compared to those with fewer than 10 suppliers (58%). Organizations with advanced third-party access controls demonstrate dramatically stronger security posture overall, with 78% following documented encryption standards versus 51% for those with partial controls, suggesting that organizations with complex supply chains recognize the heightened risk and invest accordingly in more sophisticated control mechanisms.
What are the main challenges organizations face in pursuing CMMC 2.0 Level 2 compliance?
Budgetary and resource constraints were identified by 36% of respondents as their greatest challenge, followed by technical complexity (31%), scope complexity (12%), executive buy-in (11%), and understanding requirements (10%). The research reveals an evolution of challenges throughout the compliance journey, with organizations having partial documentation more often citing technical complexity (53%) while those with fully documented policies most frequently identified budget constraints (38%) and scope complexity (26%), suggesting that organizations focus initially on understanding technical requirements before confronting resource allocation and scope definition challenges.
What does a phased approach to CMMC 2.0 compliance look like?
The research reveals distinct stages in the compliance journey, beginning with an Assessment Phase focused on comprehensive gap analysis and documentation development, followed by an Implementation Phase prioritizing technical complexity challenges while developing systematic documentation and control verification mechanisms. The final Maturation Phase should focus on scope definition, partner management, and continuous monitoring, with organizations aligning resource allocation and timeline expectations based on their current compliance stage and recognizing that challenges evolve throughout the journey.