The Cybersecurity Maturity Model Certification (CMMC) represents the Department of Defense’s (DoD) strategic response to the escalating frequency and sophistication of cyberattacks, safeguarding American innovation and national security information. Designed as a comprehensive framework, the CMMC aims to enhance the cyber-readiness of the vast network of contractors and subcontractors within the Defense Industrial Base (DIB). This initiative is crucial in ensuring that entities dealing with Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) maintain robust cybersecurity standards.
In light of the recent December 2023 release of the proposed rule, the anticipated implementation of the CMMC program is now projected for early 2025. This revised timeline offers organizations additional preparation time to align with the upcoming requirements. However, given the complexity and breadth of the CMMC framework, beginning the compliance journey sooner rather than later is advisable for all entities in the DIB.
This complete guide provides a thorough overview of the CMMC, delving into its structure, specific requirements, and the certification process. It is designed to equip defense contractors with the essential knowledge and insights needed to navigate the CMMC landscape effectively and to prepare for compliance in anticipation of the 2025 implementation.
At its foundation, three guiding principles define CMMC compliance:
The most recent version of the CMMC framework consists of three progressively advanced levels: (1) Foundational, (2) Advanced, and (3) Expert. Each level requires contractors to adhere to a series of security controls and either prove compliance independently or be certified triennially via a third-party or government-led assessment.
In limited cases, the Department of Defense will allow uncertified contractors to submit a Plan of Action and Milestones (POA&M) demonstrating that they will achieve certification by a specific date. In even rarer cases, the DoD will allow contractors to request a waiver of all requirements. The DoD has yet to release full details regarding POA&Ms and waivers.
Contractors who handle FCI will be required to meet Level 1 CMMC compliance. These contractors will need to align with 17 basic cyber hygiene practices. These controls can be found in Federal Acquisition Regulation (FAR) 52.204-21 and are further defined in NIST SP 800-171.
Because FCI is not sensitive information, the Department of Defense will allow Level 1 contractors to self-assess their cybersecurity. It will require them to submit scores and other documentation to the Supplier Performance Risk System (SPRS) yearly. Level 1 compliance does not require third-party or government-led assessments.
Contractors who handle CUI will be required to meet Level 2 CMMC compliance. These contractors must align with the initial 17 practices from Level 1 and an additional 93 practices in NIST 800-171. As with Level 1 compliance, the DoD will require these contractors to assess their cybersecurity yearly and submit scores and other documentation to the SPRS.
For “prioritized acquisitions,” the DoD will require these contractors to be certified by a CMMC Third Party Assessment Organization (C3PAO) every three years.
The Cyber Accreditation Body (AB) is the official accreditation body of the CMMC ecosystem and the sole authorized non-governmental partner of the DoD in implementing and overseeing the CMMC conformance regime. It has released the CMMC Assessment Process (CAP), which provides helpful guidance for contractors that are beginning to prepare for their CMMC Level 2 assessment.
Contractors who handle the most sensitive CUI will be required to meet Level 3 CMMC compliance. These contractors need to align with all 110 NIST 800-171 controls and an additional number of controls (yet to be specified) from NIST 800-172.
Unlike Level 1 and Level 2 compliance, the DoD will require contractors at this maturity level to be certified via a government-led assessment. As of February 2023, the DoD has yet to release further details on the complete enhanced security requirements for this level.
In 2015, the Department of Defense (DoD) initiated the Defense Federal Acquisition Regulation Supplement (DFARS), setting cybersecurity and information security requirements for defense industrial base contractors and subcontractors. This included adherence to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
Facing escalating cyber threats and lagging adoption by the defense industrial base, the DoD launched the CMMC 1.0 in 2019. This version emphasized a third-party certification process and introduced the DFARS Interim Rule, mandating NIST 800-171 compliance ahead of full CMMC certification.
The shift to CMMC 2.0 occurred in 2021, prompted by substantial feedback and confusion surrounding the initial version. Key changes in CMMC 2.0 focused on simplifying the program and reducing its scope for easier adoption and clearer understanding.
By 2023, the DoD had yet to finalize the CMMC 2.0 rulemaking process, with a proposed rule announced in May 2023. At that point, CMMC assessments were expected to appear in contracts as early as 2024.
The landscape took a significant turn on December 26, 2023, when the DoD issued the proposed rule for the CMMC program. Under the new structure, the CMMC encompasses three levels of increasing cybersecurity requirements. Compliance now involves either a self-assessment or a third-party certification assessment, depending on the CMMC Level applicable to the contract.
The DoD detailed a phased rollout over two and a half years, beginning with the finalization of the CMMC rule (amendment of DFARS 252.204-7021):
If, hypothetically, the final CMMC rule became effective on December 26, 2024, the rollout would follow this timeline: Phase 1 begins on December 26, 2024; Phase 2 on June 26, 2025; Phase 3 on June 26, 2026; and full implementation (Phase 4) on June 26, 2027. Although the two-and-a-half-year period may appear extensive, contractors should immediately start assessing their compliance, particularly those aiming for third-party certifications at Levels 2 or 3. Non-compliance risks missing out on new contract opportunities or potentially losing existing DoD contracts if option periods are not exercised.
Although many contractors are not yet required to obtain CMMC assessments, they are required to follow cybersecurity standards. When the rulemaking is final, all contractors and subcontractors in the DIB must comply with the CMMC program at the level designated in their contract. This includes:
According to the DoD, forthcoming CMMC requirements stand to affect over 300,000 organizations. In the meantime, contractors must comply with the Interim DFARS Rule, which requires a NIST SP 800-171 Basic Assessment.
Prime contractors who work with subcontractors will need to manage their subcontractor supply chain network and keep track of data flow. If a prime contractor shares or discloses CUI, the subcontractor must be Level 2 CMMC compliant. If the prime contractor shares or discloses FCI, the subcontractor must be Level 1 CMMC compliant.
There are no subcontractor compliance requirements if the prime contractor does not share or disclose CUI or FCI. Prime contractors will require a CMMC subcontractor risk management platform to ensure compliance.
The path to finalizing the CMMC has been more prolonged and complex than initially anticipated. While the original projections by the Pentagon in 2019 suggested the start of certifying Department of Defense (DoD) contractors as early as 2020, the actual progress has seen significant delays.
Contrary to earlier expectations that the final rule would take effect in May 2023, the reality has shifted. The DoD only released the proposed rule in December 2023. This delay indicates a more extended timeline for the CMMC implementation than previously thought.
Currently, the period for submitting comments on the proposed rule is open until February 26, suggesting that the regulatory process is still in a stage of gathering and considering stakeholder feedback. This essential phase of rulemaking typically precedes the finalization of any new regulation.
Given these developments, it’s reasonable to project that the final rule for the CMMC might not be effective until early 2025. This adjusted timeline means that contractors have additional time to prepare for compliance, but it also implies that they need to stay informed and adaptable to upcoming changes.
Once the notice of proposed rulemaking is published, the program’s requirements will likely take effect as part of a phased rollout. Any contractors that don’t comply with the CMMC framework will lose any existing DoD contracts, won’t be able to bid for any new contracts, and won’t be able to receive a contract award until they can demonstrate compliance with the level required in the contract. More details on implementation will be available following the forthcoming rulemaking.
Recent reports indicate that many contractors aren’t following the required NIST cybersecurity controls, so CMMC compliance readiness will be a critical differentiator once the rules take effect.
The Department of Justice (DOJ) has also launched the Civil Cyber-Fraud Initiative, which will utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. That means contractors who knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices or protocols, or violate obligations to monitor and report cybersecurity incidents and breaches will be held accountable.
As the proposed rulemaking date nears, preparation and confidence are essential for success. Contractors with the necessary IT staff and CMMC resources may opt to prepare in-house. To do so, contractors must scope their organization adequately, conduct a NIST 800-171 Self-Assessment, document gaps, remediate them, and collect evidence.
In most cases, having an automated assessment and evidence-collection platform will be helpful, if not necessary, for this process. Once contractors are confident in their compliance status, they can hire a C3PAO to conduct a certification assessment.
Contractors can expect a C3PAO assessment to consist of the following four phases:
The race against time to prepare for CMMC is intensifying as organizations attempt to safeguard sensitive data and meet DoD requirements ahead of anticipated implementation in early 2025.
Knowing where sensitive data resides, if it’s protected, and whether it meets the CMMC requirements warrants an agile and automated solution that transcends outdated GRC platforms and tedious manual spreadsheets.
Isora empowers Information Security & Assurance teams to create a collaborative workspace where their Information Security Risk Management program can thrive.
By centering GRC around people, Isora not only facilitates risk reduction and regulatory compliance but also promotes program adoption, participation, and, most significantly, a risk-aware culture.
Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.