« Return to Newsletter

Featured Article: Will your CMMC readiness keep your business afloat?

The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) framework that outlines the required security controls for government contractors. If your organization isn’t actively preparing for CMMC compliance, you risk disqualification from future defense contracts.

CMMC is live, and readiness starts now.

This article outlines the current cybersecurity requirements and critical steps Virginia’s ship repair leaders must take to stay compliant and avoid going off the deep end.


Review your security policies to avoid that sinking feeling

The CMMC 2.0 rollout is phased: four phases spread over roughly the next three years.

The DoD, however, reserves the right to include CMMC requirements in solicitations ahead of the planned phases.

This means that even while CMMC is still being phased in:

  1. CMMC-based requirements were expected to begin appearing in contracts in early 2025, and
  2. Cybersecurity compliance is already affecting contract decisions today

A memo from the DoD dated January 30, 2025, emphasized that companies handling Controlled Unclassified Information (CUI) must already comply with Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which in turn requires an existing implementation of National Institute of Standards and Technology (NIST) SP 800-171.

The Defense Contract Management Agency (DCMA) has started conducting assessments, focusing on contractors' self-reported Supplier Performance Risk System (SPRS) scores. (The SPRS score follows the DoD Assessment Methodology for NIST SP 800-171: a fully compliant assessment scores 110, and each unimplemented requirement deducts 1, 3 or 5 points, so the score can fall well below zero.)

The result: contractors reporting SPRS scores below 80 are at risk of increased oversight and could lose the ability to bid on future contracts.


Risks of non-compliance

Failure to meet CMMC requirements carries serious consequences, which could include:

  • Loss of contracts
  • Competitive disadvantages
  • Increased audit scrutiny

For Virginia's ship repair companies these risks carry even more weight, because ship repair is a critical component of national security. That makes ship repair leaders a top enforcement priority for the DoD.

Organizations that fail to meet cybersecurity standards could be sidelined from future projects.


CMMC 2.0 requirements

CMMC 2.0 formalizes cybersecurity requirements into three (3) levels.

For ship repair companies, contractors, and subcontractors:

  • Plan to meet the requirements of Level 2 (Advanced) CMMC compliance
  • Companies handling CUI: an assessment performed by a CMMC Third-Party Assessment Organization (C3PAO) will be required to maintain eligibility for most CUI contracts

                 | Level 1                                  | Level 2                                                   | Level 3
-----------------|------------------------------------------|-----------------------------------------------------------|----------------------------------------------------------
Name             | Foundational                             | Advanced                                                  | Expert
Applies to       | Companies that only handle Federal       | Companies handling CUI                                    | Contractors supporting high-security DoD programs
                 | Contract Information (FCI)               |                                                           |
Requirements     | The 15 basic safeguarding requirements   | All 110 requirements of NIST SP 800-171; a C3PAO          | NIST SP 800-171 plus selected requirements from NIST SP
                 | of FAR 52.204-21, with an annual         | assessment every 3 years for contracts designated Level 2 | 800-172, with government-led (DCMA DIBCAC) assessments
                 | self-assessment and affirmation          | (C3PAO), a triennial self-assessment for the remaining    | every 3 years
                 |                                          | Level 2 contracts, and an annual affirmation in either    |
                 |                                          | case                                                      |

Steps to make your CMMC compliance shipshape


Take action today

Connect with your compliance and standards team and review the following focus areas to determine your company's CMMC readiness.

Step 1: Benchmark your company’s CMMC compliance

Leaders should consider and discuss the following:

-    SPRS score: a score below 80 signals risk and requires immediate remediation

-    NIST SP 800-171 gap analysis: identify the requirements that are not yet implemented

-    Cybersecurity compliance strategy: well-structured plans and written policies are a must to pass a third-party assessment

-    External resources: identify industry groups and funding sources that can streamline compliance

Step 2: Conduct a NIST SP 800-171 self-assessment

A self-assessment evaluates your cybersecurity posture and produces the score you report in SPRS, so it must be accurate: the score is an attestation, and a DCMA assessment that finds it overstated is worse than a low score honestly reported. Any score below 80 indicates serious gaps that must be addressed immediately.

Step 3: Identify and close compliance gaps

Perform a gap analysis to find what is missing before an assessor does: absent security policies, weak access controls, insufficient encryption of CUI at rest and in transit, no tested incident response plan, and poor documentation of how each control is actually implemented.

Addressing each of these areas is critical before engaging in a CMMC assessment.

Step 4: Build a CMMC Compliance Roadmap

CMMC program compliance isn't a one-time project; it's an ongoing process. Leaders must ensure their teams are:

  • Assigning responsibility for cybersecurity compliance
  • Documenting security policies and controls
  • Preparing for third-party C3PAO assessments
  • Implementing continuous monitoring and risk management strategies

Without a clear roadmap, companies risk delays, increased costs, and contract loss.

Step 5: Leverage industry resources and support

The cost of compliance can be significant, but funding opportunities exist to help businesses upgrade cybersecurity measures. Virginia offers cybersecurity grants that ship repair companies can leverage to offset compliance costs.

Organizations like the Virginia Ship Repair Association (VSRA) provide industry-specific guidance and best practices to help businesses navigate CMMC compliance.


Final Thoughts

CMMC readiness is no longer optional; it's mission critical.

If your ship repair business depends on defense contracts, now is the time to assess, act, and secure your future.

Connect with a cybersecurity expert today to protect your contracts and stay afloat in the evolving defense landscape.

Industry leaders like Valor also offer resources where you can learn about the mistakes companies often make when striving to meet CMMC requirements.


Author: Greg Tomchick, Valor Cybersecurity
