CMMC and FedRAMP in Practice

What GovCons must do now to stay competitive

15 minute read

Government contractors are entering a new era of cybersecurity accountability.

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is no longer theoretical. Federal Risk and Authorization Management Program (FedRAMP) expectations are tightening. And GSA has quietly raised its own cybersecurity bar, issuing new CUI protection requirements built on a more demanding control baseline than CMMC itself.

In our recent LinkedIn Live discussion, leaders from Unanet sat down with cybersecurity specialists from CMMC advisory and assessment firms BDO USA, CohnReznick, and Aprio to talk about what CMMC and FedRAMP readiness look like in real life. The conversation moved beyond theory and dug into authorization boundaries, enterprise resource planning (ERP) systems, subcontractor risk, and how to sustain compliance over time.


If you are a government contractor (GovCon) navigating CMMC 2.0 and related mandates, here are the key takeaways and what they mean for your business today.

1. CMMC readiness is not a 90-day project

The panel was unanimous on one point: CMMC readiness takes time.

Across their clients, CMMC advisory and assessment firms see everything from teams that have been planning for years to those just starting to assess impact. Even the most mature government contractors need a meaningful runway.

Plan for at least 12 to 15 months to move from initial scoping to true certification of readiness, according to BDO Managing Director Christina Reynolds.

That timeline reflects the reality that CMMC is not just a technical exercise. It demands:

  • Formal documentation, including policies, procedures, and system security plans (SSPs)
  • Cultural adoption across the enterprise
  • Repeatable evidence collection processes
  • Alignment between written controls and actual day-to-day practice
  • Mock assessments and remediation cycles

As one firm emphasized, you must be able to show both:

  • Soft evidence: what your policies say you do
  • Hard evidence: proof that you do it consistently

The biggest misconception the experts see is that CMMC is an IT project. In reality, it is an enterprise transformation that touches how you work, how you document, and how you manage risk across the business.

2. GSA is raising the bar independently of CMMC

CMMC dominates the compliance conversation, but it is not the only framework contractors need to track. In January, GSA issued CIO IT SEC 21-1 and 21-2 Revision 1, and it takes a different approach from CMMC.

The bigger message is that not all CUI is CMMC. CUI exists across many types of federal contracts, not only those with DoD. A contractor holding both defense and civilian work may need to comply with two distinct frameworks, each with its own control baselines, assessment bodies, and timelines.

As one panelist put it, everybody is taking this seriously. It is not about regulations for their own sake. Every agency is treating cybersecurity as critical to national security and is finding its own path to enforcement.

What to do now: Review your non-DoD contracts to determine whether CUI obligations exist outside the CMMC framework. Do not assume that CMMC compliance covers all your federal cybersecurity requirements. And keep an eye on upcoming changes.

3. CMMC is a business strategy, not a compliance cost

A recurring message from Aprio and CohnReznick was simple: stop treating CMMC as a one-time compliance expense. It is the cost of participating in the defense market. More than just an “IT thing,” CMMC compliance impacts every part of the business, and that awareness needs to exist across the firm.

The underlying controls, based on NIST SP 800-171, have been around since 2016. CMMC incorporates third-party validation and directly links certification to contract eligibility.

Whether you are confident or unsure about your readiness, it’s important to acknowledge that it takes 12 to 15 months to get from the starting point to the stage where you are ready to engage your CMMC Third-Party Assessment Organization (C3PAO).

Your certification status influences:

  • Your ability to bid on new work
  • Recompete viability for existing programs
  • Option year renewals
  • Whether primes include you in key supply chains

As one panelist summarized it, these are the new rules of engagement.

If your business strategy includes pursuing Department of Defense (DoD) contracts over the next three to five years, CMMC readiness needs to be part of your operational roadmap today. That is how you gain control and confidence in your pipeline rather than reacting to each new requirement.

4. For small GovCons, contracts are a logical place to start, then define your authorization boundary

For a smaller GovCon that feels overwhelmed and asks, “Where do we begin?”, the answer starts with contracts.

You need clarity on questions like:

  • Do you have DFARS 252.204-7012 in existing contracts?
  • Are you subject to 252.204-7021?
  • Will upcoming bids require CMMC Level 2?

From there, the conversation must move quickly to one of the most critical concepts in CMMC: your authorization boundary.

Your boundary defines:

  • Where controlled unclassified information (CUI) lives
  • Which systems process or store that CUI
  • Which users have access
  • What cloud services are in scope
  • Which endpoints interact with that data

Mistakes in defining the boundary are among the most common causes of assessment issues. Many organizations discover that CUI is far more widespread than they expected, showing up in:

  • CAD and engineering systems
  • Technical documentation
  • ERP platforms
  • Email and collaboration tools
  • File-sharing platforms
  • Printed materials and field devices
  • Subcontractor portals

Before you design controls or invest in new tools, you need a clear, shared understanding of what you are protecting and where it lives. That clarity simplifies your workday and keeps you from over-engineering the wrong areas.

5. ERP systems are often undervalued, and often scoped out incorrectly

ERP systems are often not considered in CMMC scoping.

Many contractors initially assume their ERP is outside the authorization boundary. That assumption rarely survives a detailed review of what is stored and processed there, including:

  • Contract documents
  • Requests for information (RFIs) and requests for proposals (RFPs)
  • Marked CUI attachments
  • Bills of materials, including International Traffic in Arms Regulations (ITAR)-controlled content
  • Procurement and supplier data

If CUI is processed, stored, or transmitted within your ERP, then that system is in scope for CMMC.

If your ERP is software as a service (SaaS), it also brings FedRAMP requirements into play. This is where the relationship between CMMC and FedRAMP stops being theoretical and becomes operational. Your core business system may sit at the center of your compliance strategy, not at the edge.

6. FedRAMP and CMMC: the shared responsibility model in action

Under DFARS 252.204-7012, cloud service providers that process, store, or transmit CUI must meet one of two FedRAMP thresholds: FedRAMP Authorized or FedRAMP Moderate Equivalent. Each path has different verification steps, and it is important to understand the distinction.

FedRAMP Moderate Equivalent status

Providers that have achieved FedRAMP Moderate Equivalent status appear in the FedRAMP Marketplace with a "Ready" designation. To confirm their standing, you should:

  • Look up the provider in the FedRAMP Marketplace and confirm the "Ready" designation
  • Identify the independent assessor listed for that provider
  • Request a letter of attestation from the provider confirming FedRAMP readiness to the DoD standard

Under the Moderate Equivalent path, 100 percent of the required controls must be satisfied; there is no allowance for partially implemented controls.

The nuance that often gets missed is this: even when you use a FedRAMP system, your organization seeking certification (OSC) keeps responsibility for its own compliance. Regardless of which path your provider follows, as the contractor you are responsible for verifying your provider's status and documenting how it supports your own CMMC compliance. Specifically, you must:

  • Document inherited controls accurately
  • Map shared responsibility controls in your SSP
  • Demonstrate implementation during an assessment
  • Maintain evidence that supports inherited and customer-managed controls

FedRAMP reduces scope. It does not eliminate your obligations under CMMC. You gain clarity and a smaller footprint to manage, but you cannot outsource accountability.

7. Supply chain risk is now strategic risk

CMMC is rolling out in phases, but primes are already looking ahead. They are evaluating not only current contract requirements, but also the likely requirements for the work they plan to pursue next year and beyond.

As CMMC certification becomes a condition of award:

  • Subcontractors without certification may be left off teams
  • Capture strategies and teaming arrangements may change
  • Long-standing supplier relationships may be reevaluated

Some primes are exploring shared, secure environments to support critical subcontractors that are not yet certified. Others are using detailed questionnaires to gauge supplier maturity, asking about:

  • Target CMMC level (Level 1 vs. Level 2)
  • Current Supplier Performance Risk System (SPRS) score
  • Defined authorization boundaries
  • Certification timelines

For subcontractors, that makes CMMC more than a compliance checkbox. It becomes a question of long-term viability. If you miss certification, you may not just miss one bid. You could miss out on five-year contract opportunities that would have anchored your pipeline.

8. Culture is the long-term differentiator

Another theme from the conversation was cultural. To sustain CMMC, cybersecurity cannot remain a project with a start and end date. It has to become part of how your organization operates.

That means involving:

  • Human resources for personnel security and onboarding
  • Facilities teams for physical security controls
  • Operations for process alignment
  • Contracts for flow-down and supplier requirements
  • IT for technical implementation and monitoring
  • Executive leadership for risk ownership and prioritization

CMMC cannot sit with a single systems administrator or compliance manager.

Security awareness, documentation discipline, and incident response are cross-functional responsibilities. Organizations that embed cybersecurity into their culture will find it easier to maintain compliance year over year. Those that treat it as a one-time effort are likely to repeat the same fire drills every cycle.

When you build this muscle, you not only meet requirements. You free your team to focus on delivering work they are proud of, instead of scrambling to reconstruct evidence each time an audit appears.

9. What “good” really looks like

So, what does a mature, CMMC-ready GovCon look like in practice?

In the panel’s experience, high-performing organizations tend to show:

  • Clear and defensible authorization boundaries
  • Thoughtful use of FedRAMP systems with well-documented control inheritance
  • Minimal unnecessary scope that keeps cost and effort under control
  • Strong alignment between documentation and what actually happens day to day
  • A defined subcontractor and supplier strategy anchored in clear expectations
  • Continuous monitoring and periodic internal reviews
  • Executive ownership of cybersecurity risk and investment

These organizations view CMMC not as a fear-driven requirement, but as operational hygiene. Their cybersecurity posture is becoming a differentiator in proposals, supporting stronger, more confident conversations with both government customers and prime contractors.

Final thoughts: CMMC is here. Strategy beats panic.

CMMC 2.0 is no longer a distant possibility. FedRAMP requirements are tightening. GSA has also introduced its own CUI protection standards that go beyond what CMMC requires today. The GovCons that stay competitive will be those that treat cybersecurity as a core part of business strategy.

Contractors that act now can protect:

  • Bid continuity across their portfolios
  • Eligibility to join or remain on prime teams
  • Trust within critical supply chains
  • Their teams from constant audit-driven disruption
  • The integrity of their data and operations

The message from experts at BDO, CohnReznick, Aprio, and Unanet was clear: start now. Define your boundary. Involve your whole organization. Use CMMC and FedRAMP as drivers to simplify your environment, clarify responsibilities, and build a culture of security.

That is how you gain control, protect your future pipeline, and find more time for what matters most: delivering exceptional work to your government customers.