Regulatory Compliance in Government and Education

June 11, 2025

If you're a government contractor, a public sector IT leader, or an educational institution working with federal data, the compliance landscape has gotten more complex, and more consequential, over the past two years.

CMMC 2.0 is moving from framework to enforcement. FedRAMP continues to evolve. And state-level regulations are adding additional layers. For organizations in Utah's growing technology and defense sectors, understanding these requirements isn't optional. It's a condition of doing business.

CMMC 2.0: What's actually happening

The Cybersecurity Maturity Model Certification has been through several iterations, and the uncertainty has caused many contractors to adopt a wait-and-see approach. That approach is running out of runway.

What you need to know:

  • Level 1 (Foundational) requires 17 security practices and allows self-assessment. This covers contracts involving Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI).
  • Level 2 (Advanced) requires implementation of all 110 NIST SP 800-171 controls and will require third-party assessment for critical contracts. This is where most defense contractors will need to be.
  • Level 3 (Expert) adds NIST SP 800-172 controls and requires government-led assessment. This applies to the most sensitive programs.

The Department of Defense is phasing CMMC requirements into contracts. If you're a defense contractor or subcontractor, you need to be actively working toward compliance, not planning to start someday.

FedRAMP and StateRAMP

For organizations providing cloud services to government, FedRAMP authorization remains the gold standard. The FedRAMP Modernization Act codified the program into law and is driving updates to streamline the authorization process.

StateRAMP is gaining traction as a parallel framework for state and local government cloud procurement. For companies selling to Utah state agencies and municipalities, StateRAMP authorization can be a significant competitive advantage.

Both frameworks are built on NIST 800-53, so organizations that invest in NIST-aligned security controls are building toward both simultaneously.

State-level requirements

Utah has been active in cybersecurity legislation. The Utah Cyber Center, established by HB 243, coordinates cybersecurity efforts across state government and provides resources to local governments. Organizations working with Utah state and local government should be aware of:

  • State data classification and protection requirements
  • Incident notification obligations for government data
  • Security assessment requirements for government vendors

Practical compliance guidance

1. Start with a gap assessment against NIST 800-171. Whether you need CMMC Level 2, FedRAMP, or StateRAMP, NIST 800-171 is the common foundation. Assess your current state against all 110 controls. Be honest about gaps. A gap assessment that shows everything green is a gap assessment that wasn't done properly.

2. Build a Plan of Action and Milestones (POA&M). You don't need to be fully compliant tomorrow. You need a credible plan for getting there, with specific milestones and deadlines. Assessors want to see that you understand your gaps and are actively addressing them.

3. Focus on the high-impact controls first. Not all 110 NIST 800-171 controls carry equal weight. Access control, incident response, system and communications protection, and audit and accountability are areas where gaps create the most risk and where assessors focus the most attention.

4. Document everything. Compliance frameworks require evidence. If you implemented MFA but didn't document the policy, the configuration, and the enforcement, it's as if you didn't do it. Build documentation into your implementation process, not as an afterthought.

5. Don't confuse compliance with security. Compliance frameworks establish minimums. An organization can be technically compliant and still have significant security gaps. Use compliance as a framework for building your security program, but don't stop at the checkboxes.

The business case

Compliance has a direct revenue impact. Government contracts increasingly require demonstrated security maturity. Organizations that achieve CMMC certification or FedRAMP authorization have access to a market that competitors without those credentials cannot serve.

For Utah-based technology and defense companies, the investment in compliance isn't just a cost of doing business. It's a market differentiator. The organizations that move early will be positioned to capture contracts while competitors are still working through their gap assessments.