
CPA Now Blog Archive

This is the archive of CPA Now blogs posted on the PICPA website through April 30, 2025.

CMMC: The Go-To Cybersecurity Compliance Framework?

Despite endless media reports highlighting that cyberthreats are a real risk to corporate operations, many have been stagnant in their pursuit of cybersecurity. But maybe a workable security framework has arrived in the form of the Cybersecurity Maturity Model Certification.

Dec 23, 2021, 06:30 AM

By Matthew J. Schiavone, CPA, CISSP, CISA


Despite seemingly endless media reports highlighting that cyberthreats are a real risk to corporate operations, many organizations are stagnant in their pursuit of cybersecurity. Why?

Budgetary constraints may be one excuse; another may be confusion over the myriad frameworks, standards, and best practices that can make planning a nightmare. Do you choose ISO 27001, National Institute of Standards and Technology (NIST) 800-53, or NIST 800-171? Then add in each state’s data breach regulations and industry-specific requirements, and we have a host of compliance requirements to track and monitor. While cybersecurity stagnation is inexcusable, it is understandable. But maybe, just maybe, a workable security framework has arrived.

The Cybersecurity Maturity Model Certification (CMMC), a program developed by the Department of Defense (DoD) to ensure its contractors properly protect sensitive information, seeks to remedy many stumbling blocks in enhancing cybersecurity, including standards compliance and trustworthy assurance mechanisms.

What Is CMMC?

The CMMC framework assesses and enhances the cybersecurity posture of the DoD's supply chain. While DoD contractors must comply with NIST SP 800-171 via the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, that regulation does not provide a mechanism for demonstrating compliance (compliance has been based on trust, through contractor self-attestation). CMMC, which is being enforced on a contractual basis, adds the verification component.

The DoD is intent on improving the identification and communications of cybersecurity risk by having certified independent third-party organizations conduct audits to demonstrate contractors’ compliance with CMMC. Companies in the DoD’s Defense Industrial Base Sector will be required to have the certification, though likely at lower maturity levels for less sophisticated and smaller businesses.

CMMC focuses on the NIST standards and best practices, and maps these controls and processes across three maturity levels. With each level of maturity, the required controls and processes grow more sophisticated. For example, Level 1 maturity is “Foundational” and includes 17 of the NIST 800-171 guidelines, whereas Level 3 (still in development) is the “Expert” level and will be based on a subset of NIST 800-172 controls that demand a more advanced set of controls and processes.

The DoD has not set a date for when contractors must demonstrate compliance with CMMC, and implementation of these efforts has progressed slowly. Part of the holdup has been finalizing the framework and vetting and certifying the assessors (Certified Third-Party Assessor Organizations, or C3PAO), which is a key piece of the puzzle.

CMMC as a Remedy

There are quite a few things to like about CMMC thus far. It provides a standardized framework with levels of maturity to foster continual improvement, and it provides for an assessment of the assessors. These two mechanisms drive cybersecurity and maturity through a standardized framework and common mechanism to provide assurance of compliance. However, the amount of time it has taken to finalize the framework, vet assessors, and commence cyber improvement initiatives has stalled progress for everyone.

The purpose and elements of CMMC are sound and will prove beneficial in enhancing cybersecurity. What CMMC lacks is action -- a common problem with CMMC and organizational security alike.


Matthew J. Schiavone, CPA, CISSP, CISA, is a principal in HBK’s quality control department, specializing in risk advisory services and cybersecurity, among other areas. He can be reached at mschiavone@hbkcpa.com.

