
Former DoD Director of CMMC Stacy Bostjanick: "CMMC is just the bare minimum"

May 11, 2026

Author: Anna Fitzgerald, Senior Content Marketing Manager

Former DoD CMMC Director and Chief of Defense Industrial Base Cybersecurity Stacy Bostjanick delivered a clear message to government contractors today: CMMC is just the bare minimum for enhancing DIB cybersecurity and national security more broadly.

“Now is the time for us to step up and get cybersecurity requirements in place for our intellectual property and information to be secure,” she said.

At the Secureframe National Cybersecurity Summit on May 11, Stacy Bostjanick offered a clear picture of why the CMMC program exists, where the ecosystem stands today, and her vision for the future. 

“NIST 800-171 [the security standard for CMMC Level 2] is the ground floor of what you need to do,” Bostjanick said. “We called CMMC a maturity model because we want organizations to mature and grow and anticipate the next hack capability and improve as they go. This isn't a one-and-done slap on the table.”

Her biggest takeaway: certification isn’t the end goal of CMMC. Cybersecurity maturity is. The availability and integrity of the defense supply chain is. The protection of American innovation and people is. 

Why CMMC was created

As the DoD’s Chief Defense Industrial Base Cybersecurity and Deputy CIO for Cybersecurity in the Chief Information Officer’s office, Bostjanick helped develop CMMC in 2018 and led it through two iterations to the final program thousands of DIB organizations are navigating today.

What many people fundamentally misunderstand about the program is that the security requirements of CMMC aren’t new. The assessment requirements are. 

The assessment requirements were created because some, not all, DIB organizations were “gaming the system” of existing regulations like DFARS 7012, which required organizations to self-attest that they had implemented NIST 800-171. Bostjanick referenced one contractor that was discovered to have a Plan of Action & Milestones that wouldn't have brought it into compliance until 2099. “I'll be dead by then,” she said.

The foundational purpose of CMMC is not to punish contractors that weren’t meeting DFARS 7012 requirements, however. It’s to ensure that every organization in the DIB is capable of protecting sensitive defense information in order to “make the opportunity cost of stealing our information way higher,” Bostjanick explained.


What’s happening now: CMMC cost and accessibility

Since the initial program was released in 2020, there have been recurring concerns about CMMC costs, timelines, and assessor availability—particularly whether certification is even realistic for small and mid-sized businesses. 

Bostjanick’s response: it's already being done. “There’s been over 1,000 organizations [Level 2] certified, and roughly 50% are SMBs. So they’re doing it and have been able to afford it,” she emphasized. 

Based on discussions with organizations and C3PAOs in the industry during her tenure at the DoD, she cited average costs for Level 2 assessments ranging from $25,000 to $110,000, with the higher end reported by large primes with multiple locations and environments. She also cited estimates of $50,000 in one-time implementation costs for NIST 800-171 and $34,000 in annual maintenance costs, noting that these costs are high but that NIST 800-171 has been required under DFARS 7012 since 2017.

“We’ve heard reports of SMBs that got assessed in as little as two months,” she added, pushing back against claims that CMMC takes too long.

She also pushed back on the narrative that assessor capacity is the bottleneck to DIB readiness: “Some C3PAOs are booked out until December, but some are waiting for clients to reach out to them. We haven’t heard of an organization not being able to get an assessment. What we're hearing is companies aren't ready,” she said.

To help, some C3PAOs are offering three-year payment plans. Cloud solutions are making it possible to stand up an environment that meets most NIST 800-171 requirements. The Cyber AB has a Marketplace to help companies find and evaluate assessors that meet their needs and budget. The ecosystem, she argued, is there.

“Don't let fear of starting hold you back,” she advised organizations.


The urgency behind CMMC is national security, not contract eligibility

The urgency behind CMMC is an adversary strategy that has been devastatingly effective, especially in recent years.

Rather than attacking large prime contractors or defense agencies directly, nation-state actors increasingly target the “soft underbelly of the supply chain,” Bostjanick said. This underbelly consists of smaller contractors, like welders, fabricators, and other specialty or component manufacturers, who receive sensitive defense information from higher tiers in the supply chain even though they don’t need it to do their jobs, and who often don’t have the cybersecurity controls in place to protect it.

“We need to be more deliberate about information sharing,” she said, “and only provide information that companies need to do their job and ensure that companies receiving that information are protected.”

This is mission-critical since cost-cutting has created single-source suppliers throughout the DIB, which means single points of failure, Bostjanick explained. If an adversary identifies and exploits one, the consequences ripple across the entire defense ecosystem and nation.

“Typically, we see people don’t care about [cybersecurity requirements] until they get hit by an attack,” she said. “We need to get secure before that… and stop giving away information to adversaries for free.”

Adversaries, she argued, aren't trying to out-innovate the U.S. They're trying to out-manufacture the U.S. by stealing designs and systems that American companies spent years and millions of dollars developing.

“We are the leading tech innovator in the world. Let’s not lose our footing because we’re letting people steal our information.”


CMMC is the start, not the finish line

Bostjanick was direct about the limits of the final program she helped create. NIST 800-171, the underlying security standard of CMMC Level 2, is not robust enough to stop a nation-state actor, she acknowledged. That capability only begins to emerge at CMMC Level 3, where a subset of NIST 800-172 controls is required in addition to NIST 800-171.

The current framework, she explained, grew out of a compromise: the Department of Defense originally wanted to impose NIST 800-53 as the cybersecurity requirement on the defense supply chain, but industry pushed back, arguing it wasn't ready. What emerged—NIST 800-171 and NIST 800-172, which would eventually form the foundation for CMMC—was the pared-down version of NIST 800-53.

“We always knew CMMC was just step 1. It was to get companies to understand their environments and get focused on cybersecurity,” she explained. But CMMC is only one part of a larger effort to “continuously improve as a nation to make sure we’re not giving away our intellectual property and state secrets,” she emphasized. 

Looking ahead, Bostjanick expects CMMC's reach to extend well beyond the DoD. While some agencies are waiting to see how the CMMC rollout goes (and others, like the GSA, have rolled out their own CUI protection requirements), Bostjanick noted that some state and local governments and universities are already starting to require CMMC. She expects other agencies to follow suit, especially once the FAR CUI Rule is finalized.

“The government typically doesn’t reinvent the wheel. My prediction is that a lot of agencies are going to adopt CMMC and certification as proof that those requirements have been met.”

Her longer-term vision is that cybersecurity is no longer a mandate coming from the top down, but a collective responsibility of government contractors at all tiers.

“My dream is that we don't need a federal requirement for CMMC, that we know what’s at stake and people are interested in meeting requirements and not getting hacked,” she said.

About the author

Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.