

By: Stephanie Hagan on December 20th, 2024


Department of Defense (DoD) Releases Final CMMC Rule

Government | Technology | 3 Min Read

The day has arrived—after over 5 years of development and delays, the Department of Defense (DoD) has released the final rule for Cybersecurity Maturity Model Certification (CMMC). It was released for public comment in October, and went into effect on December 16, 2024, establishing the CMMC program and process into law. No updates were made during the public comment period. Let’s dive into what this rule entails and the timeline for implementation so you can be prepared for this new requirement.

The Purpose of CMMC

The Cybersecurity Maturity Model Certification (CMMC) program was created by the DoD to ensure defense contractors and subcontractors are taking the right measures to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Currently, all contractors, no matter what level of information they are handling, have to self-attest that they are taking the appropriate steps to safeguard the sensitive information they deal with as contractors. CMMC will establish the level of security necessary for each contract and verify that contractors are maintaining their status throughout the period of performance.

CMMC aligns with the cybersecurity controls in National Institute of Standards and Technology (NIST) Special Publication 800-171 for protecting CUI.

Who Does CMMC Apply to?

CMMC applies to contractors and subcontractors in the Defense Industrial Base (DIB) who will process, store, or transmit FCI or CUI in performance of a DoD contract. This rule does not apply to federal information systems operated by contractors and subcontractors in support of the government. In a reply to a public comment, the DoD clarified that whether an entity is part of a Joint Venture (JV) or other teaming agreement doesn't impact applicability. If FCI or CUI is handled under the contract, CMMC must be addressed.

Contractors outside the DIB aren’t required to follow the CMMC program currently, but there could be solicitations in the future that will implement certain aspects of CMMC.

The Three Key Features of CMMC

The revised CMMC program has 3 key features that are outlined in the Final Rule. They are:

  • Tiered Model: Cybersecurity standards are implemented at progressively advanced levels depending on the type and sensitivity of the information (the 3 levels of CMMC are explained below).
  • Assessment requirement: The DoD can verify the implementation of CMMC.
  • Phased implementation: Once the CMMC rules become effective, certain DoD contractors handling FCI and CUI will be required to achieve a particular CMMC level as a condition of contract award. CMMC requirements will be implemented using a 4-phase implementation plan over a three-year period.

The Three Levels of CMMC

The CMMC Final Rule establishes three levels of CMMC. The first two levels have a component of self-attestation but still require an annual affirmation that the minimum requirements are being met. Level 2 introduces a CMMC Third Party Assessment Organization (C3PAO) that some contractors will need to bring in every 3 years to ensure all controls are being met. Level 3 requires a Level 2 certification and an assessment by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every 3 years.

Here's a breakdown on the three levels:

[Image: breakdown of the three CMMC levels]

The rule allows DoD program officers to grant Plans of Action and Milestones (POA&Ms) to contractors who are not yet fully compliant with the NIST requirements; such contractors can receive a conditional certification for 180 days while they work to meet the standards.

CMMC Timeline and Preparation

This Final Rule, which went into effect December 16, 2024, signs the CMMC program and processes into law, meaning time is running out to prepare for the requirements to start appearing in solicitations. There’s a separate acquisition rule the Pentagon proposed this summer that dictates how CMMC will be implemented in solicitations and contracts. The final acquisition rule is anticipated to be published in early-to-mid 2025, and once that rule is effective, the DoD can officially begin including CMMC requirements. The DoD plans a phased roll-out of CMMC over a period of 3 years. The purpose of this timeframe is to allow small businesses to overcome any hurdles in obtaining any of the certification levels.

Now that the CMMC Final Rule is published, it's important to start preparing for CMMC to appear in future contracts if you haven’t already. To stay updated on future CMMC rule changes or other government requirements, subscribe to our blog and monthly newsletter. If you need help figuring out how to meet these requirements, or you need help prepping your GSA Schedule for future solicitations, we can help.


About Stephanie Hagan

Stephanie Hagan is the Training and Communications Manager for Winvale. Stephanie grew up in Sarasota, Florida, and earned her Bachelor's of Arts in Journalism and Rhetoric/Communications from the University of Richmond.