Organizations increasingly expect partners, suppliers, vendors, and professional service providers that access or store their sensitive information to implement a cybersecurity compliance framework. The goal is to reduce the likelihood of data breaches and data exfiltration. This expectation now extends to companies providing products and services to both the federal government and the private sector.
On November 10, 2025, the United States Department of Defense's CMMC (Cybersecurity Maturity Model Certification) acquisition rule took effect, allowing CMMC requirements to be written into bid solicitations and contract awards that involve Federal Contract Information (FCI) or Controlled Unclassified Information (CUI); the requirement is being phased in over several years. It applies to prime defense contractors and flows down to every subcontractor that handles FCI or CUI under the contract. CMMC assessments are based on the security requirements of NIST Special Publication (SP) 800-171. Level 1 (FCI only) remains a self-assessment, but most contracts involving CUI require a Level 2 certification assessment performed by a CMMC Third-Party Assessment Organization (C3PAO) rather than a self-assessment. The potential revenue opportunities for CMMC-compliant contractors are substantial:
- The Defense Industrial Base (DIB) is estimated to include roughly 37,000 prime contractors and between 100,000 and 300,000 subcontractors. Under the CMMC rule, meeting the CMMC level specified in a solicitation is a condition of contract award.
- Department of Defense contract obligations totaled $445 billion in 2024, more than all other federal agencies combined.
- A government-wide standard for protecting Controlled Unclassified Information (CUI) across all federal contracts is being developed through a proposed Federal Acquisition Regulation (FAR) rule. Even if it does not mirror CMMC exactly, it would extend NIST SP 800-171-based requirements to contractors of other federal agencies.
- Another consideration: if your firm declines to pursue CMMC compliance while holding non-defense contracts with a prime DoD contractor that also has a commercial business (such as Boeing), that business and its revenue may be at risk. If the prime already uses a CMMC-compliant subcontractor for work similar to yours, it may shift its non-defense work to that competitor as well, rewarding the competitor's demonstrated commitment to cybersecurity compliance.
In the private sector, many companies recommend or require that their suppliers and vendors adopt a cybersecurity compliance framework such as NIST SP 800-171 or ISO/IEC 27001; JPMorgan Chase, Citibank, Boeing, 3M, Walmart, and Amazon are among them. One reason is that recent data breaches have hit not only traditional targets such as healthcare and financial services firms but also CPA and law firms that hold sensitive client data, in some cases including healthcare data.
Any organization managing or storing sensitive third-party data should seriously consider implementing a cybersecurity compliance framework. Customers and clients expect their partners, vendors, and suppliers to establish basic security controls to safeguard shared data.
Although no cybersecurity compliance framework can guarantee that a data breach will not occur, it provides a foundational set of requirements, controls, and processes. These can be documented and presented to clients as evidence of a meaningful investment of time and resources in reducing risk.
A sustained commitment to implementing a cybersecurity compliance framework can distinguish an organization from its competitors, help retain current customer revenues, and create opportunities for new revenue growth.
A failure to recognize this as an opportunity could prove costly over time, resulting in lost business and lost revenue.