The importance of safeguarding the hardware, software, and systems relied on by the Department of Defense (DoD) needs no explanation. Like state and local governments, the DoD relies on a diverse array of vendors, making the cybersecurity practices of third parties a critical concern. High-profile breaches, such as the Change Healthcare incident, demonstrate how entire industries can be impacted when even one vendor is compromised.
To address these risks, the DoD has long required compliance with standards like NIST SP 800-171 for protecting controlled unclassified information (CUI). The Cybersecurity Maturity Model Certification (CMMC) program builds on this by introducing a compliance framework that assesses whether vendors’ cybersecurity practices are sufficient to participate in DoD contracts. This formalized approach ensures that cybersecurity best practices are understood, met, and maintained.
Notably, it’s already clear that the requirements of the CMMC will not be limited to DoD contractors. A June 2025 executive order expanded many of CMMC’s core tenets to all federal agencies, signaling a broader shift toward rigorous cybersecurity accountability. Only time will tell whether the CMMC will be adapted into a complementary state or local endeavor. But one thing is certain: cybersecurity professionals in state and local government are well served to educate themselves on the requirements of the CMMC and the core concepts within it — all of which are directly applicable to any organization that wants to protect itself from threats introduced by third parties. Even the very structure of the CMMC reflects an important best practice.