Securing the Supply Chain: Addressing CMMC 2.0 Implementation Barriers Through the BDSLCCI Framework

Authors

  • Shekhar Pawar, Hemant Palivela

Keywords:

CMMC 2.0, BDSLCCI, Supply Chain Security, Small and Medium Business (SMB), Cybersecurity

Abstract

Implementing Cybersecurity Maturity Model Certification (CMMC) 2.0 poses a few challenges for organizations all over the world, especially those involved in supply chains for critical infrastructure and defense. Many small and medium-sized businesses (SMBs) find it difficult to meet the intricate, resource-intensive criteria of CMMC 2.0 as cybersecurity threats increase and regulatory expectations change. This study examines the systemic obstacles to adoption, such as audit preparedness, ongoing compliance, and third-party monitoring, and proposes the BDSLCCI Framework as a multilingual, scalable, and governance-integrated substitute. By mapping CMMC 2.0 criteria to BDSLCCI's layered architecture, the study shows how global stakeholders can improve cybersecurity maturity, lessen compliance fatigue, and promote resilient supply ecosystems. To democratize cybersecurity and promote inclusive, cross-border compliance tactics, the findings urge the wider worldwide adoption of flexible frameworks such as BDSLCCI.

Published

27.12.2025

How to Cite

Shekhar Pawar. (2025). Securing the Supply Chain: Addressing CMMC 2.0 Implementation Barriers Through the BDSLCCI Framework. International Journal of Intelligent Systems and Applications in Engineering, 13(2s), 127–140. Retrieved from https://ijisae.org/index.php/IJISAE/article/view/7994

Section

Research Article