
Last spring, we partnered with William Blair to release a report on a key piece of the investment opportunity presented by the forthcoming CMMC 2.0 regulatory requirement governing documentation of compliance with relevant cybersecurity standards by every company across the Defense Industrial Base (DIB).
At the time, CMMC 2.0, the successor to CMMC 1.0, was already 3 years in the making and faced significant opposition from industry, causing many who had been tracking the rule process to be skeptical that 2.0 would ever be finalized. Our assessment, however, was that the time had come for 2.0, and the publication of the first of two rules composing CMMC 2.0 in the Federal Register this past October seemed to mark the end of the debate around whether CMMC 2.0 would become a real requirement.
However, debate restarted mere weeks after the initial rule was published when, in the wake of the Presidential Election, investors and policymakers alike wondered whether CMMC 2.0 would stay on track in the new Administration.
While there remains some uncertainty as the process of changing leadership within the Department of Defense and reprioritization of funds Secretary Hegseth announced last week both unfold, we continue to believe that CMMC 2.0 remains on track for threat and policy reasons, reflected by recent relevant actions across the U.S. Government to reaffirm CMMC 2.0 will proceed.
Growing Threat and High Vulnerability Requires That CMMC 2.0 Proceed
The growing cybersecurity threat posed by China and other actors as well as the arduous process of designing and implementing the CMMC 2.0 regime are the primary policy drivers behind our view that CMMC 2.0 remains on track.
The new Administration has been clear about the threat that China’s cyberattacks pose and how it intends to respond. China’s attacks have infiltrated government, infrastructure, and consumer segments of the U.S. Today, China’s attacks pose perhaps “the biggest cyber challenge the U.S. has faced to date.”
China’s success is due both to the likely progression of the country’s cyberattack capabilities, as well as the vulnerability of U.S. networks and companies, including companies composing the DIB.
A 2022 study by CyberSheath, for example, noted that 87% of the DIB was failing to meet basic cybersecurity regulation requirements, an egregiously low compliance level that serves to entice, not deter, aggressors.
While the Administration plans a comprehensive approach to addressing China’s aggression, CMMC 2.0 represents the only mechanism for compelling companies across the DIB to play their part in securing the sensitive information they access and generate in their work for the Department of Defense.
CMMC 2.0 also represents years of investment by the Department of Defense and industry partners alike. Intended to be a more flexible approach to regulation than CMMC 1.0, CMMC 2.0 is designed so that the Department of Defense sets requirements, but industry has an ongoing role in designing and executing compliance.
As a matter of policy, it would be catastrophic to the overall goal of establishing a more secure DIB if CMMC 2.0 were abandoned at this juncture. The Department of Defense would likely endure crippling credibility issues if its efforts in overcoming sustained industry opposition to CMMC 2.0 were wasted. Emboldened by such a failure, elements of the DIB would no doubt resist any future regime even more aggressively if CMMC 2.0 is delayed or abandoned now.
Administration’s Early Moves Indicate That CMMC 2.0 Will Proceed
Beyond its clear alignment with the Administration’s focus on confronting China across all domains and better securing U.S. networks and data, CMMC 2.0 has also been supported by some of the Administration’s early actions:
- One of the primary architects of CMMC 2.0, Katie Arrington, has been named the Chief Information Security Officer (CISO) for the Department of Defense, placing her in an excellent position to shepherd CMMC 2.0 and the DIB to maturity.
- In assessing the President’s Executive Order creating a regulatory freeze, Arrington pointed out that the order would not impact CMMC 2.0 (the rule is already published), as it has passed the hurdles noted in the order.
- Secretary Hegseth, in his announcement that 8% of Department of Defense funds would be repurposed away from non-lethal programs toward Administration priorities, noted that cybersecurity was one of the mission areas that will not have funds repurposed away.
We assess that these moves, taken together, demonstrate a strong commitment to achieving better cybersecurity and to leveraging CMMC 2.0 to further this critical goal.
The CMMC 2.0 Opportunity
Managing the cost and complexity of implementing CMMC 2.0 is a shared goal across stakeholders. Delivering consistent audits and achieving the compliance scores required across the DIB under CMMC 2.0 at a manageable cost in labor and cash is critical to limiting departures from the DIB and producing the more cyber-resilient industry that the Department of Defense understands is necessary in the current and future threat landscape.
As we noted in our report with William Blair, we see a new, multi-billion-dollar market emerging due to CMMC 2.0. This new market has two primary segments: audits and compliance management. In both segments, we see the power and potential of software-based solutions in reducing the burden of CMMC 2.0, making audits cost-effective and both initial and ongoing compliance by the DIB a manageable process.
We continue to encourage investors interested in compliance solutions and in CMMC 2.0 to look closely at investment opportunities and to reach out to Arnovia for help in understanding the impact of CMMC 2.0 both on the DIB and on the broader cybersecurity landscape.