Cybersecurity Maturity Model Certification
Cybersecurity Maturity Model Certification is now a live compliance pressure point for defense-adjacent supply chains operating across Trade and Geopolitical Risk. The U.S. Department of Defense finalized CMMC 2.0 rulemaking in October 2024, and the U.S. Department of State's Directorate of Defense Trade Controls is watching contractor compliance status as part of broader ITAR authorization reviews. Firms sourcing from or exporting to high-risk jurisdictions are mapping vendor access controls against CMMC Level 2 requirements before contract renewals trigger formal self-attestation obligations.
Watch
- CMMC 2.0 final rule: phased contract clause insertion beginning mid-2025
- ITAR authorization reviews now cross-referencing contractor CMMC self-attestation status
- Third-party assessor (C3PAO) capacity constraints delaying Level 2 certifications
- Bureau of Industry and Security export license conditions referencing cybersecurity control standards
- DoD CMMC Program Office guidance on foreign ownership, control, or influence (FOCI) mitigation plans
Recent material activity in Trade & Geopolitical Risk
Active monitoring in place across Trade & Geopolitical Risk. Material developments related to cybersecurity maturity model certification will appear here as they are published.