Greg Tomchick, Valor Cybersecurity and VSRA Cybersecurity Committee Co-Chair
The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) framework that outlines the required security controls for government contractors. If your organization isn’t actively preparing for CMMC compliance, you risk disqualification from future defense contracts.
CMMC is live, and readiness starts now.
This article outlines the current cybersecurity requirements and critical steps Virginia’s ship repair leaders must take to stay compliant and avoid going off the deep end.
Review your security policies to avoid that sinking feeling
The CMMC 2.0 rollout adopts a phased approach, implementing four phases over the next three years.
The DoD, however, reserves the right to begin implementing requirements ahead of the planned phases.
This means that, even while CMMC is still being rolled out:
- CMMC-based requirements will begin appearing in contracts as of early 2025, and
- Cybersecurity compliance is affecting contract decisions today
A memo from the DoD dated January 30, 2025, emphasized that companies handling Controlled Unclassified Information (CUI) must already comply with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, which, in turn, mandates an existing implementation of National Institute of Standards and Technology (NIST) SP 800-171.
The Defense Contract Management Agency (DCMA) has started conducting audits, focusing on contractors' Supplier Performance Risk System (SPRS) scores.
The result: contractors achieving SPRS scores below 80 are at risk of increased oversight and could potentially lose their right to bid for future contracts.
Risks of non-compliance
Failure to meet CMMC requirements carries serious consequences, which could include:
- Loss of contracts
- Competitive disadvantages
- Increased audit scrutiny
For Virginia's ship repair companies, these risks carry even more weight, as ship repair is a critical component of our national security. This makes ship repair leaders a top enforcement target for the DoD.
Organizations that fail to meet cybersecurity standards could be sidelined from future projects.
CMMC 2.0 requirements
CMMC 2.0 formalizes cybersecurity requirements into three (3) levels.
For ship repair companies, contractors, and subcontractors:
- Plan to meet the requirements of Level 2 (Advanced) CMMC compliance
- Companies handling CUI: an outside assessment performed by a CMMC Third-Party Assessor Organization (C3PAO) will be required to maintain contract eligibility
| Level 1 | Level 2 | Level 3 |
|---|---|---|
| Foundational | Advanced | Expert |
| Applies to companies that only handle Federal Contract Information (FCI) | Applies to companies handling CUI | Reserved for contractors supporting high-security DoD programs |
| Requires 17 basic security controls and an annual self-assessment | Requires compliance with NIST SP 800-171 and a CMMC Third-Party Assessor Organization (C3PAO) assessment every 3 years (for companies with prioritized contracts) | Requires compliance with NIST SP 800-172 and government-led audits |
Steps to make your CMMC compliance shipshape
Take action today
Connect with your compliance and standards team to review these major focus areas to determine your company's CMMC readiness.
Step 1: Benchmark your company’s CMMC compliance
Leaders should consider and discuss the following:
- SPRS score: a score below 80 signals risk and requires immediate remediation
- NIST 800-171 gap analysis: identify areas of improvement
- Cybersecurity compliance strategy: well-structured plans and policies are a must to pass a third-party assessment
- External resources: whether industry groups and funding sources that streamline compliance have been explored
Step 2: Conduct a NIST 800-171 self-assessment
A self-assessment will evaluate cybersecurity posture and validate the company’s SPRS score. Any score below 80 indicates serious gaps that must be addressed immediately.
Step 3: Identify and close compliance gaps
Perform a gap analysis to identify readiness opportunities by highlighting missing security policies, weak access controls, insufficient encryption, lacking incident response plans, and poor security control documentation.
Addressing each of these areas is critical before engaging in a CMMC assessment.
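To make Steps 2 and 3 concrete, the following added example (not part of the original article or any VSRA or Valor material) shows the arithmetic behind an SPRS score and how the same pass yields a weight-ranked gap list. The scoring rule is the DoD's NIST SP 800-171 Assessment Methodology: start at 110, one point per requirement, and subtract each requirement's weight (1, 3 or 5) when it is not implemented, with a reduced deduction for the two requirements that allow partial credit. The control subset, its weights and the assessment statuses are constructed sample data; a real score must cover all 110 requirements with the weights from the official DoD tables, so the headline number here is illustrative only.

```python
"""Toy SPRS score calculator for a NIST SP 800-171 self-assessment.

Scoring rule follows the DoD Assessment Methodology: start at 110 (one point
per requirement), subtract each requirement's weight (1, 3 or 5) when it is
not implemented, with smaller deductions for the two requirements that allow
partial credit.  The control subset, weights and statuses below are constructed
sample data for illustration only; a real assessment scores all 110
requirements using the official DoD tables.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_SCORE = 110        # 110 requirements in NIST SP 800-171 Rev. 2
SPRS_THRESHOLD = 80    # score below which the article calls for immediate remediation


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    weight: int                               # deduction if not implemented
    partial_deduction: Optional[int] = None   # smaller deduction if partially implemented


# Constructed sample subset of the 110 requirements (weights are illustrative).
CONTROLS: List[Control] = [
    Control("3.1.1", "Limit system access to authorized users", 5),
    Control("3.1.2", "Limit access to permitted transactions and functions", 5),
    Control("3.1.22", "Control CUI posted on publicly accessible systems", 1),
    Control("3.3.1", "Create and retain audit logs", 5),
    Control("3.4.1", "Establish baseline configurations", 5),
    Control("3.5.3", "Use multifactor authentication", 5, partial_deduction=3),
    Control("3.6.1", "Establish incident-handling capability", 5),
    Control("3.13.11", "Use FIPS-validated cryptography for CUI", 5, partial_deduction=3),
]

# Status values an assessor records for each requirement.
IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED = "implemented", "partial", "not_implemented"


def deduction(control: Control, status: str) -> int:
    """Points lost for one requirement given its assessed status."""
    if status == IMPLEMENTED:
        return 0
    if status == PARTIAL and control.partial_deduction is not None:
        return control.partial_deduction
    # Anything else (partial without partial credit, missing, not implemented)
    # is scored as not implemented: the methodology gives no half-credit elsewhere.
    return control.weight


def sprs_score(status_by_id: Dict[str, str]) -> Tuple[int, List[Tuple[str, int]]]:
    """Return (score, gaps). gaps lists (control_id, points_lost) with the
    largest deductions first, so remediation can be prioritised by weight."""
    gaps = []
    for control in CONTROLS:
        # A requirement absent from the assessment is treated as not implemented.
        lost = deduction(control, status_by_id.get(control.control_id, NOT_IMPLEMENTED))
        if lost:
            gaps.append((control.control_id, lost))
    gaps.sort(key=lambda g: (-g[1], g[0]))
    return MAX_SCORE - sum(lost for _, lost in gaps), gaps


def needs_remediation(score: int) -> bool:
    """True when the score falls under the threshold the article treats as a red flag."""
    return score < SPRS_THRESHOLD


# Constructed self-assessment result for a hypothetical ship repair contractor.
SAMPLE_ASSESSMENT: Dict[str, str] = {
    "3.1.1": IMPLEMENTED,
    "3.1.2": IMPLEMENTED,
    "3.1.22": NOT_IMPLEMENTED,
    "3.3.1": NOT_IMPLEMENTED,
    "3.4.1": IMPLEMENTED,
    "3.5.3": PARTIAL,          # MFA only for remote and privileged users
    "3.6.1": NOT_IMPLEMENTED,
    "3.13.11": PARTIAL,        # encryption in use but not FIPS-validated
}

if __name__ == "__main__":
    score, gaps = sprs_score(SAMPLE_ASSESSMENT)
    print(f"SPRS score: {score} (remediate: {needs_remediation(score)})")
    for control_id, lost in gaps:
        print(f"  {control_id}: -{lost}")
```

Two things worth noticing: a requirement left out of the assessment is scored as not implemented rather than silently skipped, which is the conservative reading an assessor would apply, and the gap list is sorted by points lost, so the 5-point controls (audit logging and incident handling in this sample) surface first in the remediation plan that Step 3 calls for.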
Step 4: Build a CMMC Compliance Roadmap
CMMC program compliance isn’t a one-time project; it’s an ongoing process. Leaders must ensure their teams are:
- Assigning responsibility for cybersecurity compliance
- Documenting security policies and controls
- Preparing for third-party C3PAO assessments
- Implementing continuous monitoring and risk management strategies
Without a clear roadmap, companies risk delays, increased costs, and contract loss.
Step 5: Leverage industry resources and support
The cost of compliance can be significant, but funding opportunities exist to help businesses upgrade cybersecurity measures. Virginia offers cybersecurity grants that ship repair companies can leverage to offset compliance costs.
Organizations like the Virginia Ship Repair Association (VSRA) provide industry-specific guidance and best practices to help businesses navigate CMMC compliance.
Final Thoughts
CMMC readiness is no longer optional; it’s mission critical.
If your ship repair business depends on defense contracts, now is the time to assess, act, and secure your future.
Connect with a cybersecurity expert today to protect your contracts and stay afloat in the evolving defense landscape.
Industry leaders like Valor also offer resources where you can learn about the mistakes companies often make when striving to meet CMMC requirements.
Author: Greg Tomchick, Valor Cybersecurity