The day has arrived—after over 5 years of development and delays, the Department of Defense (DoD) has released the final rule for Cybersecurity Maturity Model Certification (CMMC). It was released for public comment in October and went into effect on December 16, 2024, codifying the CMMC program and its processes into law. No updates were made during the public comment period. Let’s dive into what this rule entails and the timeline for implementation so you can be prepared for this new requirement.
The Cybersecurity Maturity Model Certification (CMMC) program was created by the DoD to ensure defense contractors and subcontractors are taking the right measures to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Currently, all contractors, no matter what level of information they handle, must self-attest that they are taking the appropriate steps to safeguard the sensitive information they deal with as contractors. CMMC will establish the level of security required for each contract and verify that contractors maintain that status throughout the period of performance.
CMMC aligns with the cybersecurity controls in National Institute of Standards and Technology (NIST) Special Publication 800-171 for protecting CUI.
CMMC applies to contractors and subcontractors in the Defense Industrial Base (DIB) who will process, store, or transmit FCI or CUI in performance of a DoD contract. This rule does not apply to federal information systems operated by contractors and subcontractors in support of the government. In a reply to a public comment, the DoD clarified that whether an entity is part of a Joint Venture (JV) or other teaming agreement does not affect applicability. If FCI or CUI is handled under the contract, CMMC must be addressed.
Contractors outside the DIB aren’t currently required to follow the CMMC program, but future solicitations may implement certain aspects of CMMC.
The revised CMMC program has 3 key features that are outlined in the Final Rule. They are:
The CMMC Final Rule establishes three levels of CMMC. The first two levels include a self-assessment component but still require an annual affirmation that the minimum requirements are being met. Level 2 introduces a CMMC Third Party Assessment Organization (C3PAO) that some contractors will need to bring in every 3 years to verify that all controls are being met. Level 3 requires a Level 2 certification plus an assessment by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every 3 years.
Here's a breakdown of the three levels:
The rule allows DoD program officers to grant Plans of Action and Milestones (POA&Ms) to contractors who are not yet fully compliant with the NIST requirements; such contractors can receive a conditional certification for 180 days while they work to meet the standards.
This Final Rule, which went into effect December 16, 2024, signs the CMMC program and processes into law, meaning time is running out to prepare for the requirements to start appearing in solicitations. A separate acquisition rule, proposed by the Pentagon this summer, dictates how CMMC will be implemented in solicitations and contracts. The final acquisition rule is anticipated to be published early-to-mid 2025, and once that rule is effective, the DoD can officially begin including CMMC requirements. The DoD plans a phased roll-out of CMMC over a period of 3 years. The intent of this timeframe is to give small businesses time to overcome any hurdles in obtaining the certification levels.
Now that the CMMC Final Rule is published, it's important to start preparing for CMMC to appear in future contracts if you haven’t already. To stay updated on future CMMC rule changes or other government requirements, subscribe to our blog and monthly newsletter. If you need help figuring out how to meet these requirements, or you need help prepping your GSA Schedule for future solicitations, we can help.