Beyond Defense: How CMMC is Redefining Cybersecurity Standards Across Industries
Christopher Souza | CEO
The Cybersecurity Maturity Model Certification (CMMC) has been the pivotal certification for strengthening cybersecurity within the Defense Industrial Base (DIB), but its impact won’t stop there and is expected to extend far beyond defense. With the Federal Acquisition Regulation (FAR) Controlled Unclassified Information (CUI) rule proposed on January 15, 2025, the handling of CUI across all federal contractors will be standardized. This means that contractors in industries that engage with federal agencies such as the General Services Administration (GSA), Department of Energy (DOE), Department of Homeland Security (DHS), NASA, and others will need to implement very similar and equally stringent requirements. In anticipation of these updates, and to help prepare your organization, we’ve put together this article to explain which industries will be affected and how these changes could impact businesses like yours.
The FAR CUI Rule: A New Era of Cybersecurity Compliance
The FAR CUI rule seeks to establish uniform requirements for the protection of CUI across all executive agencies. Prior to this rule, varied and sometimes inadequate protection measures for CUI were common among contractors, which heightened the risk of unauthorized access and potential data breaches. The proposed rule mandates that all federal contractors and subcontractors comply with the 110 security controls outlined in NIST SP 800-171 Revision 2, in addition to the DFARS-style contractual requirement to report cyber incidents and CUI mislabeling within eight hours. This provision extends cybersecurity reporting obligations to all federal contractors handling CUI, and failing to report these incidents could lead to serious consequences such as:
- Contract Violations – Noncompliance with the reporting requirement could result in a breach of contract, potentially leading to penalties, loss of current contracts, or disqualification from future federal contracts.
- Increased Scrutiny & Audits – Investigations, audits, or increased oversight from federal agencies.
- Legal & Financial Penalties – Depending on the severity of the breach and noncompliance, companies could face fines or legal actions.
These measures are aimed at enhancing the safeguarding of sensitive information across various industries, including but not limited to CUI, Federal Contract Information (FCI), Personally Identifiable Information (PII), and Export-Controlled Information.
Industries Impacted by the FAR CUI Rule
While defense contractors have long been accustomed to stringent cybersecurity requirements, industries beyond defense, such as healthcare, finance, energy, and technology, will now be required to implement stricter cybersecurity measures. Organizations contracting with federal agencies will eventually need to meet the same security standards that defense contractors meet today to ensure CUI is properly protected. The exception is businesses that deal solely in commercially available off-the-shelf (COTS) products, which are exempt because these products are widely available to the general public and therefore do not involve CUI. Organizations within the affected sectors will need to strengthen their cybersecurity and compliance postures to avoid penalties and maintain federal contracts.
Broader Implications for Compliance Across Other Industries
As the FAR CUI rule extends cybersecurity requirements to sectors beyond defense, businesses that are already familiar with other regulatory standards—such as PCI DSS (Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability Act), and GSA (General Services Administration) agency changes—will find themselves in a very similar situation. Although these frameworks have long required businesses to implement basic cybersecurity measures to protect sensitive data, all have introduced additional, much more stringent standards.
PCI: Companies in the financial services and retail sectors, along with any e-commerce websites that handle payment card data, must comply with PCI DSS to secure payment card information. While PCI DSS and FAR CUI requirements come from different regulatory bodies, they both call for similar cybersecurity practices, such as data encryption, access controls, and incident response protocols. These shared requirements can help streamline compliance efforts for organizations subject to both frameworks; however, compliance with each standard remains separately mandatory. One significant change is the new requirement for certain organizations to operate a SIEM (Security Information and Event Management) system and a SOC (Security Operations Center). This was not previously required for all PCI levels but is now mandatory for many organizations to improve incident detection and response (PCI Security Standards Council).
HIPAA: Healthcare organizations such as hospitals, doctors’ offices, urgent care centers, and pharmacies must continue to meet the privacy and security standards outlined by HIPAA. Healthcare providers may find opportunities to enhance their cybersecurity posture by adopting best practices from both HIPAA and FAR CUI. Under HIPAA’s Omnibus Rule, healthcare organizations must now implement more stringent access control policies, including stronger authentication and audit trail requirements. These align with NIST SP 800-171 and the NIST Cybersecurity Framework (CSF) 2.0, ensuring that sensitive data is protected across both frameworks.
SEC Cybersecurity Rules (SEC Rule 10b5-1): One of the biggest regulatory shifts impacting cybersecurity compliance is the U.S. Securities and Exchange Commission (SEC) Cybersecurity Rules. These rules place direct accountability on organizations to enforce security standards across the entire supply chain. They require companies to disclose material cybersecurity incidents within four business days and mandate transparency in risk management. SEC Rule 10b5-1 now requires companies to disclose material cybersecurity risks and incidents and mandates real-time reporting of certain breaches, a major change in how financial organizations report cybersecurity incidents.
GSA: While not a regulatory framework itself, the GSA oversees federal procurement and is aligning its cybersecurity requirements with the FAR CUI rule to ensure uniform standards across the federal government. Because GSA agencies will need to follow these cybersecurity standards when handling sensitive government data, compliance responsibilities extend beyond defense contractors to other sectors. GSA’s cybersecurity controls are informed by the FAR CUI rule, which “establishes a uniform approach to safeguarding CUI across the Federal Government” (Federal Register, 2025).
Timeline for Finalization
The public comment period for the proposed CUI rule closed on March 17, 2025, and the FAR Council is now reviewing industry feedback to make the necessary changes and revisions before issuing the final rule. While the exact timeline for finalization depends on the review process, contractors are advised and encouraged to begin preparations as soon as possible. Based on previous timelines, it’s estimated that the final rule may be issued in mid- to late 2025 or early 2026, but from our experience with CMMC, it takes anywhere from 8 to 16 months just to become compliant. With enforcement on the horizon and the rule up for finalization any day now, time is of the essence to avoid the risk of lost contracts, penalties, or last-minute scrambles.
Steps to Prepare for Compliance
To align with the forthcoming FAR CUI rule and avoid compliance issues that could jeopardize your ability to keep or pursue contract opportunities, we’ve developed a list of recommendations to consider:
- Evaluate Your Current Cybersecurity Posture: Conduct a thorough assessment of your existing cybersecurity measures to identify gaps relative to NIST SP 800-171 Revision 2—or even Revision 3—requirements. Many contractors will need to significantly upgrade their security to meet these requirements, and our assessment helps to clarify those gaps. As part of the assessment, we produce a roadmap outlining the most cost-effective and efficient way to address an organization’s respective compliance or contractual obligations.
- Develop a System Security Plan (SSP): Create a detailed SSP outlining how your organization addresses each compliance control or requirement. This document is critical for proving compliance and serves as a roadmap for addressing security gaps, which are in turn tracked and followed on a Plan of Actions & Milestones (POA&M).
- Implement Missing Security Controls: Strengthen access controls, enhance data encryption, refine incident response protocols, and ensure multi-factor authentication is in place wherever possible.
- Establish Incident Reporting Protocols: Develop procedures to ensure that any security incidents involving sensitive federal information are promptly reported to the contracting officer within the mandated eight-hour timeframe.
- Implement and Test an Incident Response Plan: Take the procedures developed in the preceding step (Establish Incident Reporting Protocols) and test them in either a tabletop exercise or a Business Continuity (BC) / Disaster Recovery (DR) test. These can be tailored to organizations of any size, with simulations that reflect current events and the organization’s mission.
- Provide Employee Training: Ensure that all employees handling CUI complete the mandatory training specified in the Standard Form (SF), which will be included in relevant contracts. This training is crucial, and agencies may require contractors and subcontractors to provide evidence of this training to verify adherence to the necessary protocols.
- Engage with Contracting Officers: Open communication with contracting officers is essential and helps clarify specific CUI requirements and contractual obligations so that your organization fully understands its obligations.
- Establish Relationships with Key Stakeholders: These can include both internal and external stakeholders. For external stakeholders, consider developing a relationship with local law enforcement, your local FBI Field Office, or any other applicable parties. Having those relationships in place before they are needed can save valuable time during a real-world event.
- Monitor Subcontractor Compliance: Cybersecurity does not stop at your organization. Ensure that subcontractors comply with CUI regulations through flow-down requirements, and verify their security measures. A weak link in the supply chain can put everyone at risk.
TSI Helps You to Prepare:
By proactively addressing these key areas, contractors across multiple industries can stay ahead of evolving regulations, protect sensitive data, and secure federal contracts. Compliance isn’t just a requirement—it’s an opportunity to strengthen cybersecurity practices and build trust with government agencies. Contact TSI today and start preparing now before it’s too late. Our compliance team is readily available and eager to help you ready your organization for compliance today.
About Technical Support International
TSI is a 35-year-old cybersecurity (MSSP) and IT support (MSP) company specializing in helping DIB organizations address their NIST 800-171 and CMMC compliance obligations. As a CMMC-AB Registered Provider Organization (RPO), TSI offers a complete NIST 800-171 and CMMC support solution to help guide our clients toward a successful certification audit and provide the assurance that they’re adhering to these expansive compliance requirements.