
- By Chez Oxendine
- Native Contracting
Two tribally owned firms have emerged as early adopters of the Department of Defense's Cybersecurity Maturity Model Certification 2.0, positioning themselves ahead of a sweeping federal requirement set to take effect in October 2025.
Cayuse Native Solutions of Pendleton, Ore., and Akiak Technology of Anchorage, Alaska both achieved Level 2 certification under the updated CMMC framework, which governs how contractors handle controlled-but-unclassified information on defense contracts. The certification is expected to become a mandatory condition for award on new and recompeted contracts involving such information, including those awarded through the Small Business Administration's 8(a) program.
“The opportunity for Native American tribes is that CMMC compliance can become a long-term differentiator and give businesses a competitive advantage,” said CMMC specialist Brian Rhodes of LRQA. “The sooner the process begins, the better placed they will be to capitalize on Defense Department opportunities.”
CMMC 2.0, published in October 2024 and effective December 2024, consolidates more than 100 cybersecurity practices from the National Institute of Standards and Technology's SP 800-171 publication, according to cybersecurity compliance consultancy LRQA Inc. Contractors seeking the certification must implement documented controls, migrate to secure cloud environments such as Microsoft's GCC High and undergo third-party assessments by accredited organizations.
Cayuse Native Solutions is an enterprise of the Confederated Tribes of the Umatilla Indian Reservation. The company began its certification process in 2020, migrating hundreds of employees to a cloud-based system and revamping its IT infrastructure to meet federal standards, Managing Director of Operations Craig Hartburg said. Cayuse Native Solutions earned a perfect score in its April 2024 assessment, placing it among "the top 0.1 percent" of more than 80,000 applying contractors.
“We decided to be an early adopter because it would show a competitive advantage for us,” Hartburg said. “We're very happy, we're very pleased with that accomplishment. We're going to continue to harden our posture and make ourselves a preferred partner.”
Akiak Technology, an 8(a)-certified and HUBZone firm owned by the Akiak Native Community, also reported a perfect score in its assessment. Chief Operating Officer Sharon Hamer said the company's small infrastructure team succeeded where many larger firms faltered.
“Many companies withdrew during the audit process this year because they were not prepared for the breadth and depth of the audit,” Hamer said. “I am extremely proud and gratified that our team was able to achieve certification while others are still struggling.”
Both firms cited the certification as a strategic move to strengthen their standing in federal procurement. While tribal 8(a) entities benefit from direct award authority, CMMC compliance is emerging as a baseline requirement for defense contracts involving sensitive data. Certification also expands opportunities with large prime contractors, who must ensure their subcontractors meet the same cybersecurity standards.
“Even amongst 8(a) competitors, I think we've got a very strong advantage,” Hartburg said. “It makes us a good partner for some of the larger prime contractors, and really an easy button choice for the federal agencies that want to utilize the SBA and the 8(a) program.”
The Department of Defense plans to begin inserting CMMC requirements into solicitations starting in October 2025, with full implementation expected by fiscal year 2026. Tribal enterprises that invest early in compliance may find themselves in a select pool of eligible vendors as the new rules take hold, Hartburg said.
In preparation for certification, LRQA's Rhodes recommends tribal and small-business contractors first identify which level of security applies to their current operations. Tribes should review existing contracts as well as potential solicitations and plan accordingly.
Rhodes also recommends working with expert firms to conduct gap analyses and mock assessments. Rhodes notes that implementing strong technical controls and training staff on cybersecurity protocols are essential to passing the third-party review and maintaining long-term compliance.