These questions arise from recent experiences with contractors navigating the implications of the Cybersecurity Maturity Model Certification (CMMC) for their supplier relationships. With the Department of Defense's CMMC affecting over 200,000 contractors and their suppliers, your team likely shares the same concerns as many others.
Do We Really Need to Audit Every Supplier, or Can We Tier This?
Yes, you can and should tier your suppliers. Start by identifying which suppliers store, process, or transmit Controlled Unclassified Information (CUI), or have access to the systems that do. Your office supply vendor needs no CMMC certification. A subcontractor that handles CUI needs CMMC Level 2. A cloud service provider that stores or processes your CUI is a separate case: under DFARS 252.204-7012 it must meet the FedRAMP Moderate baseline (or a DoD-recognized equivalent) rather than hold a CMMC certificate, and the services it provides fall inside your own assessment scope, so you still have to document how it is secured.
Create three categories: suppliers who handle CUI directly, suppliers with access to systems processing CUI, and suppliers who do neither. Focus CMMC efforts on the first two categories. Prioritize within these based on contract value and data sensitivity. For example, a supplier supporting a $50M contract and processing technical data should be audited first. In contrast, a supplier on a $200K contract with only read access to non-technical CUI is lower priority.
Require CMMC Level 2 for suppliers handling CUI, at the assessment type your prime contract flows down (a C3PAO certification assessment for most contracts, a self-assessment where the solicitation allows it). For those with only incidental access, ask for a NIST SP 800-171 self-assessment and evidence of the controls that matter most: multi-factor authentication (MFA), encryption of CUI in transit and at rest, and tested incident response procedures.
How Do We Tell a 15-Person Supplier They Need to Get Certified Without Losing Them?
Communicate that CMMC is a market requirement, not a personal demand. Suppliers wanting to work with any DoD contractor will need certification eventually.
Frame it as a timeline discussion, not an ultimatum. For instance, say, "We need to see a certification roadmap by Q2 and completion by Q4." Offer resources such as C3PAOs other small suppliers have used, typical timelines, and cost-sharing models for suppliers serving multiple primes.
Some suppliers may opt out of DoD work due to the investment. For critical suppliers, consider whether bringing capabilities in-house or switching to a certified alternative is more viable. Most suppliers will pursue certification if given clear expectations and timelines.
Can We Just Add CMMC Requirements to Our Standard Contract Terms?
You can include them, but contracts alone won't ensure compliance. Your contract should specify:
- Required CMMC level (usually Level 2)
- Certification timeline
- Right to audit security controls
- Incident notification requirements (DFARS 252.204-7012 obliges you to report a cyber incident to DoD within 72 hours of discovery, so a supplier's notice to you has to arrive well inside that window)
- Flow-down requirements for subcontractors
- Termination rights if certification fails
However, a signed contract says nothing about whether controls are actually in place today. Establish a bridge process. Require suppliers to complete the NIST SP 800-171 self-assessment using the DoD Assessment Methodology (the same score they report to SPRS) and to submit a Plan of Action & Milestones (POA&M) for every gap. Review the POA&M with the CMMC limits in mind: a Level 2 POA&M can only carry low-weight requirements and must be closed within 180 days of the assessment, so high-weight items such as MFA, FIPS-validated encryption, and access controls cannot be deferred. If those appear as open items, the supplier must close them before the assessment, not after.
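The review described above can be made mechanical. The script below is an added example, not code from the original article: it scores a supplier's self-assessment the way the DoD Assessment Methodology does (110 minus the point value of each unmet requirement) and flags POA&M entries that would block conditional Level 2 status. The point-value table is a constructed subset that must be replaced with the full Annex A table, the POA&M rules encode my reading of 32 CFR 170.21 (minimum score 88, only 1-point requirements open, closure within 180 days) and should be checked against the current rule text, and the supplier gaps are constructed sample data.

```python
"""Triage a supplier's NIST SP 800-171 self-assessment and POA&M (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

TOTAL_REQUIREMENTS = 110
MIN_SCORE = 88          # 0.8 x 110, the floor for conditional CMMC Level 2 status
POAM_CLOSE_DAYS = 180   # POA&M items must be closed within this window

# CONSTRUCTED subset of DoD Assessment Methodology point values (Annex A).
# Replace with the full 110-requirement table before relying on this.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.5": 3, "3.1.20": 1, "3.1.22": 1,
    "3.3.2": 3, "3.3.3": 1, "3.5.3": 5, "3.6.1": 5, "3.11.2": 5,
    "3.11.3": 1, "3.13.11": 5,
}

# 1-point requirements that, as I read 32 CFR 170.21, still may not sit on a POA&M.
NEVER_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Gap:
    req: str        # NIST SP 800-171 requirement number, e.g. "3.5.3"
    status: str     # "not_implemented" or "partial"
    due: date       # closure date the supplier has committed to
    note: str = ""


def points_lost(gap: Gap) -> int:
    # 3.13.11 (FIPS-validated crypto) costs 3 rather than 5 when encryption
    # is in place but the modules are not FIPS validated.
    if gap.req == "3.13.11" and gap.status == "partial":
        return 3
    return WEIGHTS[gap.req]


def sprs_score(gaps) -> int:
    """Score as reported to SPRS: 110 minus the points of every open gap."""
    return TOTAL_REQUIREMENTS - sum(points_lost(g) for g in gaps)


def poam_eligible(gap: Gap) -> bool:
    """May this gap stay open on a POA&M at assessment time?"""
    if gap.req in NEVER_POAM:
        return False
    if gap.req == "3.13.11" and gap.status == "partial":
        return True
    return WEIGHTS[gap.req] == 1


def review_poam(gaps, assessed_on: date) -> dict:
    """Return the score plus the items that would stop a conditional certification."""
    deadline = assessed_on + timedelta(days=POAM_CLOSE_DAYS)
    blockers = sorted(g.req for g in gaps if not poam_eligible(g))
    overdue = sorted(g.req for g in gaps if poam_eligible(g) and g.due > deadline)
    score = sprs_score(gaps)
    return {
        "score": score,
        "blockers": blockers,   # must be closed before the assessment, not deferred
        "overdue": overdue,     # POA&M-eligible but promised later than 180 days
        "conditional_ok": score >= MIN_SCORE and not blockers and not overdue,
    }


# Constructed sample POA&M for a hypothetical supplier.
SAMPLE_ASSESSMENT_DATE = date(2025, 3, 1)
SAMPLE_GAPS = [
    Gap("3.5.3", "not_implemented", date(2025, 6, 30), "MFA for network access"),
    Gap("3.13.11", "partial", date(2025, 10, 15), "TLS in use, modules not FIPS-validated"),
    Gap("3.11.3", "not_implemented", date(2025, 4, 30), "vulnerability remediation SLA"),
    Gap("3.3.3", "not_implemented", date(2025, 5, 31), "audit log review"),
]

if __name__ == "__main__":
    for key, value in review_poam(SAMPLE_GAPS, SAMPLE_ASSESSMENT_DATE).items():
        print(f"{key}: {value}")
```

For the sample supplier the score is 100, comfortably above 88, yet the review still fails: MFA (3.5.3) is a 5-point requirement that cannot be left on a POA&M, and the FIPS crypto item is promised 228 days out. That is the point of checking POA&M content rather than the headline score.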
Contracts create accountability; your supplier risk program provides visibility.
What Happens If We're Mid-Contract with a Supplier Who Can't Get Certified in Time?
You have three options:
Negotiate a Transition Plan: Allow six months for certification with enhanced monitoring. Conduct quarterly security reviews, require monthly POA&M updates, and document everything. This is feasible if progress is genuine and the contract doesn't involve highly sensitive CUI.
Isolate Their Access: Move them to a network segment without CUI access. Provide sanitized data sets and have your team handle CUI portions. This is costly and complex but maintains the supplier relationship while protecting compliance.
Find a Replacement: Begin procurement now, plan a 90-day transition, and accept overlap costs. This is necessary if the supplier shows no progress or handles critical technical data.
Document your risk decision. Your assessor will want to see that you identified the gap and took reasonable steps to address it.
Are We Actually Going to Get a Competitive Advantage from Early Certification?
Yes, but the window is narrow. Currently, many primes are verifying their supply chains. Being certified before competitors makes you a lower-risk option. Procurement teams will prefer you over an equivalent supplier still "working on it."
The advantage manifests in three ways: access to bids you might otherwise miss, the ability to command higher rates by reducing the prime's compliance burden, and building relationships with primes who appreciate your proactive approach.
However, this advantage will fade as certification becomes standard. Companies maintaining an edge will use CMMC as a foundation for broader security improvements like faster incident response and better security monitoring.
How Much Is This Actually Going to Cost Us?
For a mid-sized contractor (500-1000 employees), budget $150K-$400K for initial certification. This includes assessment fees ($30K-$75K), remediation costs ($50K-$200K), and consultant support if needed ($40K-$125K).
Smaller suppliers may spend less on assessments but proportionally more on remediation if they are starting from basic security practices. Ongoing costs do not stop at certification: a Level 2 certificate is valid for three years, with an annual affirmation of continued compliance in between, and keeping evidence, monitoring, and documentation current typically runs 20-30% of the initial certification cost per year.
Operational changes incur hidden costs. Allocate staff time for evidence collection, policy updates, and training. Budget for ongoing tools like SIEM, vulnerability scanning, and MFA as permanent security program additions.
Where Do We Go from Here?
Begin with your current NIST SP 800-171 assessment if available. This forms the foundation for CMMC Level 2. Identify your top 10 suppliers by contract value and CUI exposure, and request their security documentation now. Don't wait for contract renewals.
Follow the DoD CIO's CMMC program guidance and join your industry association's working groups. Implementation details are still evolving, and you will learn more from other contractors than from any single consultant. Ensure your procurement and security teams collaborate; this is both a compliance and a vendor management issue.