To address these risks, the DoD has long required its contractors, through DFARS clause 252.204-7012, to implement NIST SP 800-171 for protecting controlled unclassified information (CUI). The Cybersecurity Maturity Model Certification (CMMC) program builds on this by introducing a compliance framework that verifies, rather than assumes, that vendors’ cybersecurity practices are sufficient before they may participate in DoD contracts. This formalized approach ensures that cybersecurity best practices are understood, met and maintained.
Notably, it is already clear that the requirements of the CMMC will not be limited to DoD contractors. A June 2025 executive order expanded many of CMMC’s core tenets to all federal agencies, signaling a broader shift toward rigorous cybersecurity accountability. Whether the CMMC will be transformed into a complementary state or local endeavor, only time will tell. But one thing is certain: Cybersecurity professionals in state and local government are well-served to educate themselves on the requirements of the CMMC and the core concepts within it — all of which are directly applicable to any organization that wants to protect itself from threats introduced by third parties. Even the very structure of the CMMC reflects an important best practice.
DIVIDE YOUR CYBER ESTATE INTO TIERS
The structure of the CMMC recognizes that not all data, systems, hardware and software require the same level of protection. Each successive level adds requirements and a more rigorous process for demonstrating compliance, which is what makes the model a useful template for state and local governments seeking to strengthen their own cybersecurity measures.
● Level 1: Designed for contractors handling federal contract information (FCI), this level covers 15 basic safeguarding requirements and is demonstrated by an annual self-assessment.
● Level 2: Intended for vendors handling CUI in addition to FCI, this level includes the 110 requirements of NIST SP 800-171. For most contracts it requires a certification assessment every three years by a Certified Third-Party Assessor Organization (C3PAO), whose assessment teams are made up of certified professionals holding Lead CCA, CCA and CCP designations; some Level 2 contracts permit a self-assessment instead.
● Level 3: Reserved for vendors working on the most critical programs and systems, this level builds on a Level 2 certification with additional requirements drawn from NIST SP 800-172. Assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), whose assessors hold the necessary security clearances.
All three CMMC levels require an annual affirmation of continued compliance by a senior company official, and a false affirmation exposes the contractor to liability under the False Claims Act, enforced by the Department of Justice (DOJ). State and local agencies can follow a similar tiered approach: require every vendor to document its cybersecurity practices; have vendors involved in more sensitive work, for example providing software for core systems, assessed by an unbiased, independent expert or team; and for vendors working with the most sensitive systems and data, such as constituents' personal information or agencies' financial systems, have the state or municipality's own cybersecurity experts conduct thorough vetting.
CMMC LESSONS STATE AND LOCAL GOVERNMENTS CAN USE TODAY
The practical implications of the CMMC, both for DoD vendors and the department itself, are directly applicable to states and municipalities. Some of these include:
● Cybersecurity is nonnegotiable: Cybersecurity, once an afterthought, is now a priority. Government agencies and the vendors they work with are required to demonstrate sound cybersecurity practices and processes. Importantly, the CMMC carries real consequences for noncompliance: a contractor that affirms compliance it does not have faces liability under the False Claims Act, enforced by the DOJ, and that threat is eclipsed only by the very real prospect of no longer being able to work with the DoD. Tying vendor eligibility to verified cybersecurity practices is another approach state and local governments can replicate to demonstrate that cybersecurity is mandatory.
● Readiness must be documented: The CMMC formalizes the process of demonstrating sound cybersecurity practices, not just once, but continually with regular assessments. Merely having logs and following accepted practices is no longer enough for the DoD or the vendors it works with. State and local governments can send a powerful message by taking a similar approach.
● Ownership is key: The sheer scope of the CMMC forces vendors to assign clear ownership of the compliance process, and its annual affirmation must be signed by a senior official. Governments should likewise designate specific roles responsible for cybersecurity oversight, so that cybersecurity is treated as a core responsibility rather than an additional task for overburdened IT teams.
● Cost concerns are no longer an excuse: While some DoD vendors have raised concerns about the cost of compliance, the expense pales in comparison to that of a breach. Segmenting networks so that CUI and FCI are confined to a defined set of assets narrows the assessment scope and is an effective cost containment strategy, and one even small rural municipalities can emulate with outlays that are nothing compared to losing the trust of constituents, stolen school budgets or depleted reserves.
In a world where cybersecurity threats are ever evolving, the writing is on the wall: Proactive investment in cybersecurity is no longer optional. The CMMC is more than a compliance framework — it’s a blueprint for resilience in an increasingly complex cybersecurity landscape. By embracing its principles, state and local governments can enhance trust, competitiveness and operational readiness.
Mike Lipinski is a partner in Plante Moran’s cybersecurity practice and has more than three decades of experience serving in consultative and C-suite roles overseeing cybersecurity practices and processes. His specialties include addressing the totality of organizations’ security, governance, risk and compliance efforts. As a former CIO and CISO, Mike understands the landscape and challenges facing IT and security leaders today.
Justin Heck is a cybersecurity manager in Plante Moran’s cybersecurity practice and has more than a decade of experience spanning information systems, cybersecurity and physical security augmented by significant expertise that spans the education, finance, government, health-care and nonprofit sectors. A veteran of the United States Marine Corps, Justin is one of fewer than 300 cybersecurity professionals to have obtained the Lead CMMC Certified Assessor certification.