Why CMMC is Essential for DoD Contractors: Cybersecurity Compliance Insights Released by Info-Tech Research Group

PR Newswire
Today at 3:06pm UTC

With increasing cyber threats targeting the defense supply chain, Cybersecurity Maturity Model Certification (CMMC) compliance is now a critical factor for contract eligibility. Info-Tech Research Group's blueprint equips contractors and subcontractors with practical strategies to meet evolving cybersecurity standards and safeguard sensitive information.

TORONTO, July 11, 2025 /PRNewswire/ - A growing wave of cyberthreats targeting defense contractors has underscored the need for a consistent and enforceable framework to safeguard Controlled Unclassified Information (CUI) and strengthen the resilience of the defense supply chain. Global research and advisory firm Info-Tech Research Group has published insights and guidance on the situation in a new resource, Achieve CMMC Compliance Effectively. While the CMMC aims to provide such a framework, many contractors continue to face significant roadblocks in achieving compliance. Legacy systems, limited internal expertise, evolving requirements, and high implementation costs are just some of the challenges slowing down progress.

The firm's research-based resource offers a focused and practical approach to compliance to help contractors navigate these issues by equipping defense organizations with the tools needed to meet certification requirements and maintain eligibility for Department of Defense (DoD) contracts.

Info-Tech's blueprint makes it clear that CMMC applies to all prime and subcontractors working with the DoD. The framework is critical for protecting both Federal Contract Information (FCI) and CUI, which are often shared across multiple tiers of suppliers and service providers. However, a significant number of organizations continue to face challenges meeting these requirements, often due to system integration and data flow issues, which are further complicated by confusion around evolving compliance expectations.

"Not providing the required level of assessment or certification to the DoD puts organizations at risk of losing eligibility to bid on or be awarded defense contracts," says Safayat Moahamad, research director at Info-Tech Research Group. "More importantly, organizations that proactively invest in cybersecurity resilience gain a competitive advantage by strengthening their ability to bid on DoD contracts and demonstrating trustworthiness in handling sensitive defense data."

Info-Tech's insights published in the resource highlight that Organizations Seeking Certification (OSCs) and Organizations Seeking Assessment (OSAs) must choose their target compliance level and implement the corresponding controls. The certification level required for specific contracts will be stated in each DoD solicitation. This means contractors must be proactive and align their security practices with anticipated contract demands.

Understanding the CMMC Levels

To support this effort, Info-Tech's Achieve CMMC Compliance Effectively blueprint outlines four key CMMC levels, each designed to match the type and sensitivity of data a contractor handles:

  • Level 1: Foundational (Self-Assessed) - For contractors handling Federal Contract Information (FCI). Requires full implementation of 15 basic security controls and annual self-affirmation. Conditional status is not permitted at this level.

  • Level 2: Advanced (Self-Assessed) - Designed for contractors handling Controlled Unclassified Information (CUI). Level 2 requires the implementation of 110 controls from NIST SP 800-171. Organizations must score at least 80%, close any remediation items within 180 days, and complete an annual affirmation and a reassessment every three years.

  • Level 2: Advanced (Third-Party Assessed) - Similar to the self-assessed Level 2, but compliance is verified by an accredited third-party assessor (C3PAO). This level is required for some contracts, depending on Department of Defense (DoD) solicitation terms.

  • Level 3: Expert (Government Assessed) - Level 3 is for organizations supporting critical defense programs. It requires a Level 2 C3PAO certification. In addition, 24 controls from NIST SP 800-172 must be assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

"By addressing the challenges of CMMC compliance early and with purpose, organizations can move beyond simply checking boxes," explains Moahamad. "In a competitive defense landscape, effective compliance is not just a requirement; it is a key differentiator."

For exclusive and timely commentary from Safayat Moahamad, an expert in privacy, legal, and compliance fields, and access to the complete Achieve CMMC Compliance Effectively blueprint, please contact pr@infotech.com.

About Info-Tech Research Group
Info-Tech Research Group is one of the world's leading research and advisory firms, serving over 30,000 IT and HR professionals. The company produces unbiased, highly relevant research and provides advisory services to help leaders make strategic, timely, and well-informed decisions. For nearly 30 years, Info-Tech has partnered closely with teams to provide them with everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

To learn more about Info-Tech's divisions, visit McLean & Company for HR research and advisory services and SoftwareReviews for software buying insights.

Media professionals can register for unrestricted access to research across IT, HR, and software and hundreds of industry analysts through the firm's Media Insiders program. To gain access, contact pr@infotech.com.

For information about Info-Tech Research Group or to access the latest research, visit infotech.com and connect via LinkedIn and X.

View original content to download multimedia: https://www.prnewswire.com/news-releases/why-cmmc-is-essential-for-dod-contractors-cybersecurity-compliance-insights-released-by-info-tech-research-group-302503125.html

SOURCE Info-Tech Research Group