Countdown to CMMC: Why SAP-Centric Defense Contractors Must Act Now


Meet the Authors

  • Joe Perez

    Senior Manager, Content Products & Senior Editor

Key Takeaways

  • CMMC 2.0 enforces stricter cybersecurity certification for companies in the Defense Industrial Base, with many needing to move from a Level 1 self-assessment to a Level 2 certification, a process that can take 18 months or longer.

  • Technical compliance requires significant automation tools for data management and reporting, especially for SAP users, emphasizing the need for a detailed, cross-functional approach involving IT, legal, and compliance teams.

  • Businesses face increasing legal risks under the False Claims Act for incorrect self-attestation of compliance, making it essential to perform thorough SPRS self-assessments and approach CMMC readiness holistically.

As the U.S. Department of Defense (DoD) finalizes enforcement of Cybersecurity Maturity Model Certification (CMMC) 2.0, SAP customers within the Defense Industrial Base (DIB) face important decisions. The phased rollout of CMMC requires companies to meet increasingly strict cybersecurity requirements.

In a recent Protiviti-led webinar, experts highlighted the organizational, technical, and legal challenges that businesses face today as compliance deadlines loom. “You need to start early,” said David Taylor, Managing Director at Protiviti.

The Compliance Clock Is Ticking

CMMC’s three-tier model distinguishes between basic cyber hygiene (Level 1), advanced security (Level 2), and expert security (Level 3). Many contractors who have previously performed only a Level 1 self-assessment will be required to attain Level 2 certification in the next few years. According to Protiviti’s John DiDuro, this process can take 18 months or longer and involves meeting up to 110 control objectives.


Failure to comply could disqualify businesses from participating in DoD procurements. “Companies must determine how much revenue is at stake,” said DiDuro. “If they don’t have certifications, they can’t participate in procurement. But some companies don’t sell enough to DoD to justify the costs of CMMC compliance.”

Technical hurdles are significant. Robert Server, Field Chief Technology Officer at Experion, emphasized that automation tools for data scanning and discovery are crucial: “You must use a tool [to aid in CMMC compliance]. It’s impossible otherwise.” He highlighted the importance of automation in inspecting data assets across multiple locations, automating reporting, and making the information meaningful to executives.

The panelists also agreed that using LLMs to generate compliance data poses significant risks for CMMC compliance and should be avoided. Although this may change over time, third-party auditors are currently likely to view LLM-generated data as suspicious.

For SAP users, these technical controls are even more intricate. Role-based access control, segregation of duties, audit logging, encryption, and change management must be carefully mapped to the corresponding CMMC requirements. Many organizations are relying on consulting firms like Protiviti, a Registered Provider Organization (RPO), to interpret requirements and map control frameworks to ERP landscapes.

Tools, Testing, and Third-Party Validation

Legal risk is increasing along with technical risk. Under the False Claims Act, companies may face liability, including penalties, if they incorrectly self-attest to CMMC compliance. Before starting remediation, companies are advised to perform a detailed self-assessment and report the score to the Supplier Performance Risk System (SPRS). Scores follow the NIST SP 800-171 DoD Assessment Methodology: a perfect score is 110, and each unimplemented requirement deducts 1, 3, or 5 points depending on its weight. “If your SPRS score is below 88, you’re not ready,” warned DiDuro.

The best practice, as advised by Protiviti, is a phased approach:

  1. Discovery – Identify sensitive data, access controls, and metadata.
  2. Validation – Share findings across teams and identify gaps.
  3. Remediation – Implement and document mitigating controls with leadership approval.

Ultimately, CMMC readiness must be a cross-functional effort between IT, legal, compliance, and HR. Organizations that treat it as only an IT task are much more likely to fall short.

What This Means for SAPinsiders

CMMC is transforming how SAP organizations handle cybersecurity. For many technology leaders, this involves adjusting their ERP systems to align with NIST SP 800-171, the control set on which CMMC Level 2 is based. Successful SAP Governance, Risk, and Compliance (GRC) customers integrate control frameworks within SAP GRC modules and coordinate security policies to achieve compliance while minimizing business disruption.

The market for CMMC compliance tools and services is expanding quickly. Several industry analysts have forecast that the compliance automation market will grow at a double-digit rate through 2030. Providers like Protiviti compete on their ability to deliver audit-ready documentation, ERP-specific controls, and integrated advisory services. SAP customers evaluating providers should focus on experience with SAP landscapes, understanding of the CMMC process, and the ability to apply effective automation tools.

Expect cultural and process change to pose a significant challenge. Protiviti reports that its clients who succeeded most quickly had strong leadership support, a culture of regulatory compliance, and well-documented governance processes across departments. Companies that fell short often lacked a clear scope, faced internal communication problems, or underestimated how difficult it is to turn legal language into actionable technical controls.
