
By: Stephanie Hagan on October 18th, 2024


Department of Defense (DoD) Releases Final CMMC Rule


The day has arrived: after more than five years of development and delays, the Department of Defense (DoD) has released the final rule for the Cybersecurity Maturity Model Certification (CMMC) program. The rule was posted for public inspection earlier this week and officially published in the Federal Register on October 15, 2024. It takes effect on December 16, 2024, and codifies the CMMC program and its assessment process in federal regulation (32 CFR Part 170). Let's walk through what the rule entails and the timeline for implementation so you can be prepared for this new requirement.

The Purpose of CMMC

The Cybersecurity Maturity Model Certification (CMMC) program was created by the DoD to verify that defense contractors and subcontractors are taking the required measures to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Today, contractors self-attest to compliance regardless of the sensitivity of the information they handle (for CUI, by submitting their own NIST SP 800-171 assessment scores under DFARS 252.204-7019/7020), and that attestation is rarely verified by anyone outside the company. CMMC will establish the level of security required for each contract and verify that contractors maintain that status throughout the period of performance.

CMMC aligns with the security requirements in National Institute of Standards and Technology (NIST) Special Publication 800-171 for protecting CUI. Level 1 maps to the basic safeguarding requirements of FAR 52.204-21 for FCI, and Level 3 adds selected requirements from NIST SP 800-172.

Who Does CMMC Apply to?

CMMC applies to contractors in the Defense Industrial Base (DIB) that process, store or transmit FCI or CUI under DoD contracts. The rule reaches both prime contractors and subcontractors at any tier that handle that information. Contractors outside the DIB aren't required to follow the CMMC program today, but future solicitations could adopt certain aspects of CMMC.

The Three Key Features of CMMC

The revised CMMC program has three key features that are outlined in the Final Rule. They are:

  • Tiered model: Cybersecurity standards are implemented at progressively advanced levels depending on the type and sensitivity of the information handled (the three levels of CMMC are explained below).
  • Assessment requirement: Self-assessments, third-party assessments or government assessments, depending on the level, let the DoD verify that the required controls are actually implemented rather than simply attested to.
  • Phased implementation: Once the CMMC rules become effective, DoD contractors handling FCI and CUI will be required to achieve a specified CMMC level as a condition of contract award. The requirements will be rolled out under a four-phase implementation plan over a three-year period.

The Three Levels of CMMC

The CMMC Final Rule establishes three levels. Level 1 (for FCI) is based on an annual self-assessment, and Level 2 (for CUI) can also be met by self-assessment where the solicitation allows it; both levels require an annual affirmation from a senior company official that the requirements are still being met. Level 2 also introduces the CMMC Third-Party Assessment Organization (C3PAO): where a solicitation calls for it, the contractor must be assessed by a C3PAO every three years to confirm all controls are in place. Level 3 requires a final Level 2 (C3PAO) certification as a prerequisite and adds an assessment by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years.

Here's a breakdown of the three levels:

[Image: table summarizing the three CMMC levels, the information each covers, and the assessment type and frequency for each]

The rule also permits a Plan of Action and Milestones (POA&M) for a limited set of unmet requirements: the highest-weighted requirements cannot be deferred, and the contractor must still achieve a minimum assessment score. A contractor with an open POA&M receives a conditional CMMC status for 180 days; the POA&M must be closed out by a follow-on assessment within that window, or the conditional status lapses.

CMMC Timeline and Preparation

This Final Rule, published on October 15 and effective December 16, 2024, codifies the CMMC program and processes in 32 CFR Part 170. But there's a separate acquisition rule, proposed by the Pentagon this summer as an amendment to the DFARS (48 CFR), that dictates how CMMC requirements will be written into solicitations and contracts. That final acquisition rule is anticipated in early-to-mid 2025, and only once it is effective can the DoD officially begin including CMMC requirements in contracts. The DoD plans a phased roll-out of CMMC over three years, intended to give small businesses time to overcome the hurdles of obtaining the certification level their contracts will require.

Now that the CMMC Final Rule is published, it's important to start preparing for CMMC to appear in future contracts if you haven’t already. To stay updated on future CMMC rule changes or other government requirements, subscribe to our blog and monthly newsletter. If you need help figuring out how to meet these requirements, or you need help prepping your GSA Schedule for future solicitations, we can help.


About Stephanie Hagan

Stephanie Hagan is the Training and Communications Manager for Winvale. Stephanie grew up in Sarasota, Florida, and earned her Bachelor's of Arts in Journalism and Rhetoric/Communications from the University of Richmond.