Why CMMC Compliance is Non-Negotiable for Cybersecurity Leaders

Branden Reber and Ben Scudera from Fortreum spotlight the critical importance of CMMC


In a recent FED TECH PODCAST episode with The Oakmont Group, host John Gilroy sits down with our Fortreum cybersecurity experts Branden Reber and Ben Scudera to spotlight the critical importance of CMMC (Cybersecurity Maturity Model Certification) in the federal tech landscape.

While the DoD unveiled CMMC in 2020 to bolster supplier cybersecurity, it initially operated more as a recommendation than a requirement. However, the convergence of COVID-19-driven remote work proliferation, edge computing expansion, and increasingly relentless cyber threats has driven regulators to take CMMC compliance seriously. (Source: theoakmontgroupllc.com)

Check out the podcast recording here:

Ep. 259 Why CMMC Compliance Is Now Non-Negotiable for Tech Leaders

The Scope and Complexity of the Challenge

  • Fortreum estimates that around 300,000 companies are now facing CMMC compliance mandates, possibly more when considering those that bid on contracts but didn’t win.

  • In 2022, DoD estimated about 80,000 organizations required a Level 2 certification—but factoring in unsuccessful bidders, this number could approach 360,000.

Key Hurdles to Achieving Certification

  • Expertise Gap: There are very few qualified professionals, and even fewer with the necessary certification, to conduct formal audits.

  • CUI Scoping Errors: Defining Controlled Unclassified Information (CUI) incorrectly—either too broadly or too narrowly—can derail a company’s CMMC certification efforts.

  • Shift from Self-Attestation to External Audits: Earlier CMMC iterations allowed companies to self-report compliance. Now, organizations must undergo external audits via C3PAOs (Certified Third-Party Assessment Organizations). Yet, only around 70 C3PAOs are available to serve tens of thousands of businesses needing Level 2 certification.

  • Preparation Overhead: The certification process demands thorough data scoping and substantial prep work—posing particular strains for small and mid-sized businesses as they weigh cost versus benefit.

Strategic Implications

This isn’t just about meeting policy requirements—it’s about securing the federal supply chain. As the episode discusses, CMMC compliance could soon serve as a competitive differentiator or even a prerequisite for federal contracting.

For more information about CMMC, visit the Fortreum website or follow the company on LinkedIn at LinkedIn.com/company/fortreum.

Should you have questions about your FedRAMP, XRAMP, cloud and cybersecurity readiness, please reach out to us at Info@fortreum.com or contact us at https://fortreum.com/contact/.
