In the evolving landscape of cybersecurity, staying abreast of the latest regulatory updates for CMMC compliance is crucial. The recent developments in the Cybersecurity Maturity Model Certification (CMMC) program, as proposed by the Department of Defense (DoD), mark a significant shift in compliance requirements for businesses in the Defense Industrial Base (DIB). This article offers an overview of the proposed rule, an analysis of major changes, and how you can proactively prepare for CMMC’s final rollout.

Overview of the Proposed Rule for CMMC Compliance

The proposed rule for CMMC represents a pivotal update in the DoD’s approach to enhancing the security of the DIB and marks a significant step towards the implementation of DFARS 252.204-7021. The rule introduces refined levels of certification, aligning closely with established National Institute of Standards and Technology Special Publications—NIST SP 800-171 R2—controls. This alignment underscores the government’s commitment to standardized, rigorous cybersecurity practices across all levels of defense contracting—an approach to further secure information within the defense supply chain. For businesses within this sector, understanding and adapting to these changes is not just about compliance, but about safeguarding national security interests.

Detailed Analysis of Major Changes

Among the most critical aspects of the proposed CMMC rule is the finalization of its framework. This solidifies the standards and practices that defense contractors will need to adhere to. Particularly noteworthy is the alignment of CMMC Level 2 with NIST SP 800-171 R2 controls, a move that streamlines compliance requirements while maintaining a high standard of security.

For organizations pursuing CMMC certification, Plans of Actions and Milestones (POA&Ms) will be allowed under specific conditions. Although, it is mandatory that contractors start an assessment without a POA&M. Achieving a full score on the NIST SP 800-171 during the assessment isn’t mandatory, but a minimum score of 88 out of 110, representing 80%, is required and only specific security controls are authorized to be placed on a POA&Ms. Additionally, all identified security gaps must be remedied within a 180-day timeframe following the initial assessment.

The good news is, Joint Surveillance Voluntary Assessments (JSVA) with a perfect score of 110/110, and without any open POA&Ms, can be directly converted into CMMC Level 2 certification.

Ultimately, the alignment of CMMC Level 2 with the NIST SP 800-171 R2 controls is particularly significant, promoting a unified approach to meeting both CMMC and NIST requirements.

SecureStrux’s Role in Supporting CMMC Compliance

The DoD estimates that a substantial 95% of organizations managing Controlled Unclassified Information (CUI) will require certification by a C3PAO, in contrast to a much smaller group that will have the option to conduct self-assessments.

As a leader in cybersecurity solutions, SecureStrux stands at the forefront of guiding businesses through these regulatory updates. Our tailored solutions in risk assessments, gap analysis, engineering solutions, and compliance inspections are designed to meet the unique needs of organizations within the DIB.

5 Tips and Strategies to Prepare

Key Takeaways:

  1. Adaptation is Crucial: The evolving CMMC requirements necessitate a flexible approach to cybersecurity compliance.
  2. Alignment with NIST Standards: Understanding and integrating NIST SP 800-171 R2 security controls into your cybersecurity strategy is essential.
  3. Expert Guidance Matters: Leveraging expertise, like that of SecureStrux, can streamline your transition to the updated CMMC framework.
  4. Early Preparation Pays Off: Beginning the compliance journey now will ensure a smoother adaptation to these new standards.
  5. Ongoing Vigilance: Continuous monitoring and updating of cybersecurity practices are key to maintaining compliance.

The period for public comments presents a vital chance to impact the development of the CMMC program. You may submit your comments through the Federal Register by February 26, 2024, to contribute to the shaping of the CMMC framework.

Your Partner in CMMC Preparation and Compliance

The updated CMMC rule is more than a compliance checklist; it’s a commitment to higher cybersecurity standards. Staying informed and prepared is key. At SecureStrux, we are dedicated to providing the expertise and solutions needed so you don’t have to navigate the complexities of CMMC compliance alone.

Contact SecureStrux for expert guidance and support in aligning your cybersecurity strategies with the latest standards. Together, we can strengthen your cybersecurity defenses and ensure your compliance with the new CMMC requirements. Reach out to SecureStrux for guidance and support today.



As a cybersecurity firm with deep roots in the Department of Defense (DoD) cybersecurity community, we provide specialized services in the areas of compliance, vulnerability management, cybersecurity strategies, and engineering solutions. Since 2013, we’ve partnered with hundreds of organizations within and outside the DoD to understand and proactively manage their risk. Our strength within the DoD has allowed us to easily translate best practices to our clients in other industries including Energy, Manufacturing, Architecture, Education, and Aerospace.

The latest in Cybersecurity

Enter your email to get the latest news, updates,
and content on cybersecurity.

"*" indicates required fields