How to Reduce CMMC Compliance Risks Across the Supply Chain
As of 2025, CMMC 2.0 will be a regulatory requirement for working with the DoD. UK and US-based contractors alike are in the process of implementing the compliance requirements, but are your partners doing the same?
As essential links in its supply chain, Defense Industrial Base (DIB) contractors and subcontractors represent a potential cyber security risk to the DoD. Contractors who wish to be compliant with CMMC 2.0 must therefore evaluate their own supply chain to ensure it meets the same high security standards.
In this article we discuss how you can reduce the risks in your supply chain, providing four practical steps you can take to evaluate your partners’ security and compliance posture.
Why CMMC compliance transcends your supply chain
Cyber security threats are increasingly sophisticated, and a breach at any third-party supplier could pose a risk to the DoD and US national security. The recent breach at the UK Ministry of Defence (MoD), where personnel data was accessed through a third-party payroll system provider, demonstrates the importance of supply chain security.
Therefore, government organisations often have regulation in place which requires their suppliers to meet certain cyber security standards. For example, the MoD has the Defence Cyber Protection Partnership (DCPP) which was designed to improve the protection of the defence supply chain from cyber threats.
CMMC 2.0 has similar implications for organisations that work with the DoD, or with one of its contractors or subcontractors. The CMMC guidelines state that:
“If contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.”
As a result, DIB contractors should also be looking to assess the cyber risks posed by their own supply chain. If they don’t, their DoD contracts may be at risk. In fact, it’s likely that other large defence organisations like the MoD or DoD partners will formally integrate CMMC 2.0 requirements into their own vendor contracts for this reason.
4 Ways to Reduce Your Supply Chain Risk Under CMMC 2.0
To ensure your supply chain aligns with the DoD’s CMMC 2.0 requirements, contractors should follow these four steps to reduce cyber risk:
1. Review the self-assessments of your current partners
In preparation for CMMC 2.0, organisations need to review their own state of compliance. Organisations will be assessed on the maturity of their cyber security practices, as well as their transparency and awareness.
To manage the potential risks posed by their own supply chain, they should apply these same principles to evaluating their vendors’ cyber posture. Perform a gap analysis against the CMMC security requirements and identify what actions third-party suppliers need to take.
Questions to answer:
- Are members of my supply chain maintaining CMMC compliance?
- Have they evidenced this?
- Are they prepared for upcoming CMMC assessments?
- Am I prepared to prove my CMMC compliance?
2. Collaborate with these third parties regularly
The DoD will require timely and regular reporting on incidents, threat information, intelligence sharing, technical assistance and more. DIB contractors and subcontractors can support their upstream and downstream vendors to maintain CMMC standards by collaborating and communicating consistently.
DIB contractors should make sure that third-party suppliers are aware of the expectations under CMMC. They should also share their own CMMC policies or procedures to help their supply chain align with them.
Reviewing sub-contractors before the CMMC assessments will also give DIB contractors time to support non-compliant organisations to improve, or to terminate these contracts.
3. Partner with smaller suppliers
Smaller sub-contractors to the DoD may not have the resources to meet compliance, especially if meeting these standards requires large changes to their infrastructure or operations. Direct partners of the DoD have the opportunity to provide additional guidance and support. This may include:
- Performing audits and gap analyses
- Creating remediation plans, including CMMC compliant tool recommendations
- Sharing frameworks and policy templates
- Providing training to internal teams
- Ongoing assessment support
4. Maintain CMMC compliance across your organisation
Ensuring third-party suppliers are compliant starts with leading by example. DIB contractors should first focus on their own compliance, ensuring they have all the practices and policies in place to meet CMMC 2.0 standards.
DIB contractors can also take control over the security of communications between themselves and their partners. Secure content communication tools – such as end-to-end email encryption, granular access controls, secure file sharing, or managed file transfer – will protect sensitive data when it is shared with or sent by third parties.
Choosing compatible solutions means the security layer will remain intact no matter who data is sent to, preventing internal or external actors from accessing, downloading, sharing or editing items without authorisation.
How Kiteworks Can Help
Kiteworks is a secure file and email data communications platform built to support nearly 90% of CMMC 2.0 Level 2 requirements out of the box. With FedRAMP Moderate Authorisation, Kiteworks supports compliance with the requirements of NIST SP 800-171.
The Kiteworks Private Content Network also supports the rest of your supply chain. Its strong security and access control features empower defence contractors to share sensitive content internally and throughout their supply chain by email, file sharing, file transfer, and other channels, in a way that keeps CUI and other sensitive data protected at every step.
With Kiteworks, you can communicate and collaborate with all of your partners, contractors and suppliers and minimise cyber security risk.
Make sure you’re ready for CMMC and the future of the regulatory data landscape.
Download our guide to ‘Secure data communications solutions for UK-based DIB contractors’ to gain insight into data and cybersecurity trends and the solutions you need to address them.
FAQs
CMMC 2.0 applies to all third parties within the defence supply chain, including contractors, vendors, and any other contracted third parties related to the support of the Department of Defense (DoD). All organisations that do business with the DoD must comply with CMMC 2.0, based on the type of CUI and/or FCI that they process, store, send, or receive. The list of entities includes:
- DoD prime contractors
- DoD subcontractors
- Suppliers at all tiers in the DIB
- DoD small business suppliers
- Non-US companies
Once CMMC 2.0 is implemented, self-assessments for all levels will be required on an annual basis, and Level 2 and 3 will require a triennial C3PAO assessment as well.
An organisation’s level is based on the types of information it handles. If contractors and their sub-contractors are both handling FCI and CUI data, they will be expected to meet the same CMMC level. If the prime doesn’t share this information with its sub-contractors, or only shares select information, the sub-contractors may be subject to a lower level.
CMMC 2.0 is an update to the Cybersecurity Maturity Model Certification (CMMC) that was initially released in January 2021. It is the Department of Defense’s (DoD) method for requiring organisations in the DoD supply chain to protect federal contract information (FCI) and controlled unclassified information (CUI) to the appropriate level (there are three levels in CMMC 2.0). CMMC 2.0 restructures CMMC’s maturity levels by eliminating two of the original five ratings, streamlines assessment protocols to reduce costs for contractors, and introduces a more flexible path to certification through Plans of Action & Milestones (POA&Ms).
Working with a CMMC Third Party Assessor Organisation (C3PAO) provides several benefits for organisations seeking certification under CMMC 2.0 standards in addition to being mandatory for Levels 2 and 3:
- Expertise: a certified third-party assessor has extensive experience assessing cybersecurity programmes across multiple industries and can provide valuable insight into best practices for achieving compliance with CMMC 2.0 standards.
- Objectivity: an independent third-party assessor provides unbiased feedback on an organisation’s security posture that can help identify areas where improvements are needed.
- Cost savings: working with a certified third-party assessor can save time and money compared to hiring internal staff or consultants who may not have expertise in assessing cyber security programmes.
- Efficiency: a certified third-party assessor can quickly identify gaps in an organisation’s security posture, helping to reduce time spent preparing for certification.
- Peace of mind: having an independent third-party assessor review a DoD supplier’s cyber security programme provides peace of mind, ensuring that organisations have taken all necessary steps toward achieving compliance with CMMC 2.0 standards.