CMMC Rollout 2025: What GovCon Leaders Need to Do Today

By Warren Linscott, Chief Product Officer at Deltek

In 2025, government contractors are navigating budget uncertainty, rising costs and tougher competition, while cybersecurity shifts from a “checkbox” to a core strategic priority. Small businesses, in particular, face mounting pressure from inflation, labor shortages and the rising cost of compliance — challenges underscored in Deltek’s 2025 GovCon Clarity Industry Report.

These pressures are set to intensify with the Department of Defense’s Cybersecurity Maturity Model Certification, or CMMC, now finalized and beginning its phased rollout Nov. 10. If you’re a DoD contractor or subcontractor handling federal contract information, or FCI, or controlled unclassified information, or CUI, your eligibility to win new work will hinge on CMMC compliance, making cybersecurity a strategic imperative for every GovCon, regardless of size.

Know Your Data: FCI vs. CUI

At the heart of CMMC is protecting CUI: information the government creates or possesses, or that a contractor creates or possesses on its behalf, that is not classified but that law, regulation or government-wide policy requires be safeguarded. Common examples in defense work are controlled technical information such as engineering drawings, technical specifications and software with military or space applications, and export-controlled data. Your first step is to inventory what CUI you have now or will have under upcoming awards, and to map where it is stored, processed or transmitted across systems, teams and vendors, because that map defines the boundary an assessor will examine.

• FCI: Information not intended for public release that is provided by or generated for the government under a contract (excluding information the government itself makes public, such as on public websites, and simple transactional data such as what is needed to process payments). It is protected by the 15 basic safeguarding requirements of FAR 52.204-21 and requires a CMMC Level 1 annual self-assessment with an affirmation by a senior company official; there is no third-party assessment or certificate at Level 1.

• CUI: Requires implementing all 110 security requirements of NIST SP 800-171 (Revision 2, the version CMMC Level 2 is tied to). For most Level 2 contracts this means a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO); a smaller set of contracts will permit a Level 2 self-assessment. Some contracts will require CMMC Level 3, which adds 24 selected requirements from NIST SP 800-172, is assessed by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and presupposes a current Level 2 certification.

Once you’ve mapped what you handle and where it lives, the path forward becomes clearer. The next questions are practical ones: Which level applies to my work? What evidence do I need to show? And by when? That’s where the CMMC levels and the rollout timeline come in.

What Does CMMC Actually Require and When?

CMMC ensures contractors protect DoD information based on sensitivity, with requirements applied in phases:

• CMMC Level 1 (FCI): The 15 basic safeguarding requirements of FAR 52.204-21, verified by an annual self-assessment and affirmation.

• CMMC Level 2 (CUI): The 110 security requirements of NIST SP 800-171 Rev. 2. Most contracts will require a certification assessment by a C3PAO every three years, with an affirmation from the company's Affirming Official each year in between; others will accept a triennial self-assessment with the same annual affirmations, as specified in the solicitation. Either way, the result and the affirmations are recorded in the DoD's Supplier Performance Risk System (SPRS).

• CMMC Level 3 (CUI in programs DoD prioritizes): A current Level 2 certification plus 24 selected requirements from NIST SP 800-172, assessed by DIBCAC every three years with annual affirmations.

The scale is massive. DoD estimates that more than 300,000 entities will need some level of CMMC certification, with roughly 118,000 expected to require a certified third-party assessment for Level 2. Yet as of September 2025, only a few hundred organizations have achieved Level 2 certification, according to CyberAB data.

Deltek’s 2025 GovCon Clarity Report found that 69 percent of contractors already plan to undergo an official CMMC assessment in 2025, a surge in demand ahead of the phased rollout that begins next month.

Why it matters: Third-party assessment capacity is limited (fewer than 100 authorized C3PAOs as of early October 2025, each able to conduct only so many assessments a year). Early movers lock in assessment dates and signal lower risk to primes and to the DoD.

Cloud Choices Are Compliance Choices

If you process, store or transmit CUI in the cloud, DFARS 252.204-7012 requires that the cloud service provider (CSP) meet security requirements equivalent to the FedRAMP Moderate baseline. In practice that means the service is either FedRAMP Moderate Authorized or FedRAMP Moderate Equivalent under the DoD CIO’s December 2023 memorandum. “Equivalent” means a FedRAMP-recognized third-party assessment organization (3PAO) has assessed the service as 100 percent compliant with the Moderate baseline and the CSP has delivered a complete body of evidence (BoE) to the contractor: the system security plan (SSP), the security assessment plan and report, the plan of action and milestones (POA&M), the continuous monitoring strategy and artifacts, and a customer responsibility matrix (CRM) that shows which controls the CSP implements and which remain yours. The CSP must also meet the incident reporting and related obligations in paragraphs (c) through (g) of DFARS 252.204-7012. The burden is on the contractor to require this evidence, review it before the assessment and keep it current; without it you cannot demonstrate the requirement is met, and controls you inherit from the CSP still have to be documented as inherited in your own SSP.

Deltek’s Costpoint GovCon Cloud Moderate meets the FedRAMP Moderate Equivalency standard per DoD policy and delivers the BoE required to support Level 2 CMMC assessments, giving contractors a faster, clearer path to scoping and to documenting inherited controls.

Consider CMMC as a Growth Strategy, Not a Burden

Leading contractors aren’t waiting for clauses to show up in every RFP — they’re using compliance readiness to win. Compliance isn’t just about avoiding penalties; it’s about proving you’re a trusted partner and running a smarter business.

Let’s be clear: If you’re not compliant, you’re not competitive. Aligning with a cloud provider like Deltek that supports cybersecurity compliance removes a huge portion of risk and keeps you in the winner’s circle at award time.

Also, think about the message CMMC certification sends. When you can demonstrate a verified CMMC posture, you’re telling the DoD and prime contractors, “You can trust us with sensitive information.” That confidence can make the difference in teaming decisions and bid evaluations.

Finally, don’t underestimate the operational upside. Modern, secure platforms do more than check boxes; they automate evidence collection, streamline reporting and give you better data for decision-making. Compliance becomes a driver of efficiency, not just an audit exercise.

A Roadmap to Gaining a Competitive Advantage

So how do you get ahead? Start by defining your CMMC Assessment Scope: the systems, people and locations that store, process or transmit CUI, the security protection assets that defend them (identity providers, logging and SIEM, endpoint tooling), and what you can legitimately place out of scope. The DoD’s Level 2 scoping guide uses five asset categories (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets and Out-of-Scope Assets), and getting this boundary right before you start is the biggest single lever on assessment cost. Then confirm the readiness of your cloud service providers and ensure each can deliver a current BoE and customer responsibility matrix.

Close any cybersecurity gaps by seeking guidance from CMMC professionals such as a Cyber AB Registered Provider Organization, keep your SSP and POA&M current and your SPRS score posted, and determine from your contracts whether you will need Level 2 certification. If so, select your C3PAO from the Cyber AB Marketplace early, because assessor capacity is limited. Finally, look for ways to leverage automation and AI to reduce manual evidence collection, but place any such tooling deliberately inside or outside your CUI boundary and keep your security obligations front and center.

The bottom line: CMMC is the new standard for doing business with the DoD. Contractors that embrace it early, backed by compliant technology and a security-first approach, will protect critical data and gain a durable competitive advantage.
