On October 11, 2024, the Department of Defense (DoD) announced that the final rule for the Cybersecurity Maturity Model Certification (CMMC) Program had been made available for public review, and on October 15, 2024, the program was officially published in the Federal Register. This regulatory framework, aimed at ensuring that defense contractors adequately protect sensitive government information, is set to reshape compliance and operational protocols across the sector. With the rule set to take effect on December 16, 2024, the time for contractors to understand this framework and prepare for the road ahead is now.
Understanding CMMC
History
The history of the Cybersecurity Maturity Model Certification (CMMC) began with Executive Order 13556 in 2010, which sought to standardize the handling of Controlled Unclassified Information (CUI) across federal agencies, replacing a fragmented system that hindered both security and information-sharing. In 2019, the Department of Defense (DoD) introduced the CMMC to move away from self-attestation and ensure defense contractors met strict cybersecurity standards. The initial framework, outlined in a 2020 interim rule, aimed to protect Federal Contract Information (FCI) and CUI through tiered certification levels. After public feedback and an internal review, the DoD revised the CMMC in 2021 to enhance security, ensure accountability, and reduce compliance barriers. Now, after a lengthy series of revisions, the final rule has been released.
The 3 Key Features
The current CMMC system works to ensure companies working with the U.S. government (specifically defense contractors) have strong cybersecurity measures in place. It sets different levels of security standards, depending on the sensitivity of the information contractors handle, like FCI or CUI.
The program moves away from a “trust-based” model where contractors only promised they were secure and instead requires independent assessments to confirm that they meet certain security requirements.
Tiered Model
The CMMC framework introduces a tiered approach to cybersecurity compliance, encompassing three distinct levels of certification based on the sensitivity of the information being handled:
- Level 1 (Foundational): Focused on contractors managing FCI, this level requires adherence to 15 basic cybersecurity practices outlined in Federal Acquisition Regulation (FAR) Clause 52.204-21.
- Level 2 (Advanced): Targeting organizations dealing with CUI, Level 2 mandates compliance with 110 practices derived from the National Institute of Standards and Technology (NIST) SP 800-171 R2.
- Level 3 (Expert): This level applies to contractors handling high-value CUI and incorporates additional practices from NIST SP 800-171 R2 and NIST SP 800-172.
Assessment Requirement
As seen above, the CMMC program requires contractors to meet different cybersecurity levels based on the sensitivity of the data they handle.
- Level 1 involves meeting 15 basic requirements through a self-assessment, with contractors needing to confirm compliance annually to maintain their status.
- Level 2 requires contractors handling CUI to meet 110 security requirements, either through self-assessment or third-party evaluation by Certified Third-Party Assessment Organizations (C3PAO). If contractors initially meet 80% of the requirements, they can receive a Conditional Status, but they must resolve all remaining issues within 180 days and pass a follow-up assessment to achieve final certification. Full assessments for Level 2 are required every three years, but contractors must reaffirm compliance annually.
- Level 3 applies to contractors handling highly sensitive data, requiring them to meet 24 additional requirements beyond Level 2. These assessments are conducted by the Defense Contract Management Agency (DIBCAC). Conditional Status can also be granted at this level, with a 180-day window to address any unmet requirements. Contractors must undergo both Level 2 and Level 3 assessments every three years, with annual compliance confirmations submitted to the Supplier Performance Risk System (SPRS). Subcontractors working with prime contractors must also meet the required CMMC levels to ensure consistent cybersecurity across all tiers of the supply chain.
Phased Implementation
The CMMC program rolls out in four phases over three years to help contractors gradually meet cybersecurity requirements and adjust to the new standards.
- Phase 1 begins in December 2024, focusing on Level 1 and Level 2 self-assessments for basic security practices, which can be included in new and existing DoD contracts.
- Phase 2 starts one year later, in 2025, when third-party assessments (C3PAO) become mandatory for Level 2 certifications, adding stricter security requirements for contractors handling Controlled Unclassified Information (CUI). During this phase, Level 3 assessments may also be required for contracts involving highly sensitive data.
- Phase 3 begins in 2026, expanding the use of Level 2 C3PAO assessments to active DoD contracts during option periods.
- Phase 4 kicks off in 2027, marking the full implementation of the CMMC program. At this point, all contractors working with DoD must meet the required CMMC levels to secure or renew contracts, ensuring continuous compliance throughout the supply chain.
The phased rollout provides companies with time to train assessors and align their practices with CMMC standards, but early preparation is critical to avoid disruptions.
Next Steps
The path to CMMC compliance may seem challenging, but it’s an important step for contractors looking to secure future DoD contracts and strengthen their cybersecurity posture. With cyber threats evolving, this is about more than meeting requirements: it’s about safeguarding your business, building resilience and staying competitive.
Now is the time to take proactive steps to align your operations with CMMC standards before the rollout. Start by reviewing your current DoD contracts and determining the likely CMMC level you’ll need to achieve. Develop a robust System Security Plan (SSP) that maps how your company secures its data, so that everyone understands their roles in the compliance process. Conduct internal readiness assessments under legal privilege to identify and address potential gaps without unnecessary exposure.