The recent update to the Cybersecurity Maturity Model Certification (CMMC) Program in 2023 is set to reshape cybersecurity practices for contractors and subcontractors working with the Department of Defense (DoD). In this comprehensive overview, we’ll delve into the newly proposed sections of the CMMC Program, offering insights and shedding light on potential cost impacts. For organizations in need of guidance and solutions, TechIt Services is here to assist.

Important Note:

The proposed rules update, crucial for defense contractors, was recently posted on the Federal Register. You can access the proposed rule here.


Exploring CMMC Program Proposed Rules:

The newly introduced sections in the recently published CMMC proposed updates aim to drive greater accountability and maturity in cybersecurity practices across the Defense Industrial Base. We summarize some of the key additions and their objectives.

Assessment Requirements at Level 1 (NEW):

  • Mandates annual self-assessment for contractors and subcontractors, enhancing accountability by recording results in the Supplier Performance Risk System (SPRS).

New CMMC Assessment Scope and Annual Affirmations (NEW):

  • Establishes validation requirements for systems under the new CMMC Assessment Scope, emphasizing the senior organization official’s annual affirmation of compliance.

Monitoring Contractor Compliance (NEW):

  • Shifts the responsibility of compliance monitoring to contractors, clarifying that the DoD will not replace compliance requirements with continuous monitoring.

Affirmation Requirements at Level 2 (NEW):

  • Requires senior officials from prime contractors and relevant subcontractors to affirm their organization’s compliance annually, entered electronically into the SPRS.

Affirmation Requirements at Level 3 (NEW):

  • Similar to Level 2 but with additional security requirements pending finalization of CMMC. Affirmations of compliance are post-assessment and annual thereafter.

Updates to CMMC Levels 4 and 5 Based on Public Comment (NEW):

  • Respond to public feedback, introducing flexibility in implementation for better alignment with NIST SP 800–171B/172 and CMMC 1.0 Levels 4 and 5.

New Requirements for CMMC Level 3 (NEW):

  • Introduces additional security protection and assessment requirements based on NIST SP 800–172, acknowledging the evolving nature of cybersecurity threats.


While the proposed changes to the CMMC program target improving security posture, they introduce new cost considerations for contractors. We highlight the major areas where budgetary impacts are expected.

Enhanced Administrative and Compliance Costs:

  • The additional self-assessment and affirmation requirements may increase administrative workload, potentially resulting in higher operational costs, particularly for smaller organizations.

Need for Advanced Cybersecurity Solutions:

  • Compliance with updated security requirements, especially at higher CMMC levels, will require investments in advanced cybersecurity infrastructure and tools, potentially posing a significant expenditure.

Training and Personnel Development Expenses:

  • Ongoing training programs to ensure staff compliance with the latest cybersecurity practices may lead to increased expenditure on training and personnel development.

Potential Cost Savings with Flexibility:

  • The flexibility in implementing Levels 4 and 5 offers organizations the opportunity to adopt cost-effective cybersecurity measures tailored to their specific needs and threat environments.

Unforeseen Reassessment Costs:

  • Changes in the CMMC Assessment Scope may necessitate new assessments, resulting in unexpected financial burdens, especially for organizations undergoing frequent infrastructure changes.


Note from TechIt Services:

TechIt Services has developed specialized solutions utilizing Microsoft 365 in a FedRAMP High compliant environment, aiming to reduce complexity and the burden on organizations. Our services cater to a range of adoption levels, from Small Businesses to Large Organizations.


While the proposed rules signify a commendable step forward in fortifying cybersecurity standards within the defense sector, they bring forth new financial challenges. Navigating these changes requires a delicate balance between compliance costs and the imperative of robust cybersecurity practices. For tailored solutions and expert guidance, contact TechIt Services at [Your Phone Number] or [Your Email Address]. Safeguard your organization against evolving cyber threats while maintaining fiscal sustainability. Contact TechIt Services | Learn More