Featured Article: Will your CMMC readiness keep your business afloat?

The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) framework that outlines the required security controls for government contractors. If your organization isn’t actively preparing for CMMC compliance, you risk disqualification from future defense contracts.

CMMC is live, and readiness starts now.

This article outlines the current cybersecurity requirements and critical steps Virginia’s ship repair leaders must take to stay compliant and avoid going off the deep end.

 

Review your security policies to avoid that sinking feeling

The CMMC 2.0 rollout model adopts a long tail phased approach, implementing four phases over the next three years.

The DoD, however, reserves the right to begin implementing requirements ahead of planned phases.

This suggests that while CMMC is being rolled out.

1. CMMC-based requirements will begin appearing in contracts as of Early 2025, and
2. Cybersecurity compliance is affecting contract decisions today

A memo from the DoD dated January 30, 2025, emphasized that companies handling Controlled Unclassified Information (CUI) must [already] comply with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, which, in turn, mandates an existing implementation of National Institute of Standards and Technology (NIST) SP 800-171.

The Defense Contract Management Agency (DCMA) has started conducting audits, focusing on contractors' Supplier Performance Risk System (SPRS) scores.

The result: contractors achieving SPRS scores below 80 are at risk of increased oversight and could potentially lose their right to bid for future contracts.

 

Risks of non-compliance

Failure to meet CMMC requirements carries serious consequences which could include

• Loss of contracts
• Competitive disadvantages
• Increased audit scrutiny

For Virginia's ship repair companies these risks carry even more weight, as ship repair is a critical component of our National Security. This makes ship repair leaders a top enforcement target for the DoD.

Organizations that fail to meet cybersecurity standards could be sidelined from future projects.

 

CMMC 2.0 requirements

CMMC 2.0 formalizes cybersecurity requirements into three (3) levels.

For ship repair companies, contractors, and subcontractors

• Plan to meet the requirements of Level 2 (Advanced) CMMC compliance
• Companies handling CUI: an outside assessment performed by a CMMC Third-Party Assessor Organization (C3PAO) will be required to maintain contract eligibility

Level 1	Level 2	Level 3
Foundational	Advanced	Expert
Applies to companies that only handle Federal Contract Information (FCI)	Applies to companies handling CUI	Reserved for contractors supporting high-security DoD programs
Requires 17 basic security controls and an annual self-assessment	Requires compliance with NIST SP 800-171 and a Third-Party Assessment Organization (C3PAO) every 3 years for (companies with prioritized contracts)	Requires compliance with NIST 800-172 and government-led audits

Steps to make your CMMC compliance shipshape

 

Take action today

Connect with your compliance and standards team to review these major focus areas to determine your company's CMMC readiness. 

Leaders should consider and discuss the following:

-    SPRS score: a score below 80 signals risk and requires immediate remediation

-    NIST 800-171 gap analysis: identify areas of improvement

-    Cybersecurity compliance strategy: well-structured plans and policies are a must to pass a third-party assessment

-    External resources: industry groups and funding resources to streamline compliance have been explored

A self-assessment will evaluate cybersecurity posture and validate the company’s SPRS score. Any score below 80 indicates serious gaps that must be addressed immediately.

Perform a gap analysis to identify readiness opportunities by highlighting missing security policies, weak access controls, insufficient encryption, lacking incident response plans, and poor security control documentation.

Addressing each of these areas is critical before engaging in a CMMC assessment.

CMMC program compliance isn’t a one-time project - it’s an ongoing process. Leaders must ensure their teams are:

• Assigning responsibility for cybersecurity compliance
• Documenting security policies and controls
• Preparing for third-party C3PAO assessments
• Implementing continuous monitoring and risk management strategies

Without a clear roadmap, companies risk delays, increased costs, and contract loss.

The cost of compliance can be significant, but funding opportunities exist to help businesses upgrade cybersecurity measures. Virginia offers cybersecurity grants that ship repair companies can leverage to offset compliance costs.

Organizations like the Virginia Ship Repair Association (VSRA) provide industry-specific guidance and best practices to help businesses navigate CMMC compliance.

 

Final Thoughts

CMMC readiness is no longer optional, it’s mission critical.

If your ship repair business depends on defense contracts, now is the time to assess, act, and secure your future.

Connect with a cybersecurity expert today to protect your contracts and stay afloat in the evolving defense landscape.

Industry leaders like Valor also offer resources where you can learn about the mistakes companies often make when striving to meet CMMC requirements.

• CMMC Compliance Formula eBook
• Free CMMC Pre-Assessment
• CMMC Accreditation Body News
• CMMC 2.0 Program Updates from the DoD

 

Author: Greg Tomchick, Valor Cybersecurity

« Return to Newsletter