
On October 11, 2024, the United States Department of Defense (DOD) published a final rule implementing its Cybersecurity Maturity Model Certification (CMMC) program, which is designed to verify that defense contractors are adequately protecting sensitive information from cybersecurity threats. The CMMC applies to contractors who process, store, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), which is most DOD contractors. The final rule is the culmination of a half-decade-long process and part of the federal government’s response to recurrent and increasingly sophisticated cyberattacks targeting the defense industrial base.

A Risk-Based, Three-Tiered System

The CMMC program identifies three levels of progressively more rigorous cybersecurity standards based on the criticality of the information handled by the contractor. Each level is keyed to security requirements published by the National Institute of Standards and Technology (NIST) and is verified by either a self-assessment, an assessment by a “CMMC Third-Party Assessment Organization” (C3PAO), or an assessment conducted by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

  • Level-1: Defense contractors who process, store, or transmit FCI only can secure the most basic level by complying with the 15 security requirements already imposed by the Federal Acquisition Regulation’s (FAR) “Basic Safeguarding of Covered Contractor Information Systems” clause (see FAR 52.204-21). The contractor verifies CMMC Level-1 through an annual self-assessment. 
  • Level-2: Defense contractors who handle CUI must comply with the 110 security requirements in NIST Special Publication 800-171 (Revision 2). Depending on the contract, Level-2 will require either a self-assessment or a C3PAO certification assessment; in both cases the assessment is conducted every three years, with an annual affirmation of continued compliance in between. 
  • Level-3: Defense contractors who handle CUI associated with a “critical program or high value asset” must meet all the requirements of Level-2 plus an additional 24 security requirements selected from NIST’s more advanced Special Publication 800-172. A Level-2 C3PAO certification is a prerequisite. Rather than using C3PAOs, Level-3 certification requires an assessment conducted every three years by the DIBCAC. 

Timing and Implementation

Although the DOD has published the final rule describing the CMMC, the program likely won’t take effect until mid-2025, when a related Defense Federal Acquisition Regulation Supplement (DFARS) rule is finalized. The related DFARS rule will set out how the CMMC requirements will be incorporated into contracts and contract solicitations and, once final, will trigger a four-phase implementation schedule spread over three years. That said, the publication of the final rule gives defense contractors a head start on developing and implementing CMMC-compliant programs.

Notable Takeaways

  • A Disproportionate Impact on Small Business – Although arguably less complicated than previously proposed versions, industry groups are already highlighting the potential negative impact on small businesses of complying with the final rule. Approximately 70% of the defense industrial base are small businesses that do not have the same resources or expertise as prime contractors and large integrators but will still be required to meet the same cybersecurity standards depending on the nature of the contract. The final rule states that a lower CMMC level may apply to a subcontractor if the prime only flows down limited information (for example, a subcontractor that receives FCI only needs Level-1). However, if a prime contractor requires a Level-3 certification, then every subcontractor that handles CUI must achieve at least a Level-2 C3PAO certification. 
  • Contractors Need to Shine a Light on Their Data – As CMMC requirements are keyed to the category of data handled by the contractor, it is imperative that companies understand the nature and extent of the CUI and FCI in their holdings. Subcontractors should start communicating immediately with their prime contractors to assess the information category requirements of current and likely future DOD contracts to prepare for CMMC implementation. 
  • Begin Developing or Revising Corporate Cybersecurity Policies – Now is the time to begin preparing for the CMMC, not mid-2025. Defense contractors should be developing or revising internal cybersecurity policies to align with CMMC requirements, setting forth clear roles and responsibilities within their organizations, and testing incident response plans. Contractors subject to Level-2 certification should begin working with C3PAOs to be postured to bid on CMMC-compliant contracts as soon as possible. 
  • Consider Privileged Assessments of Existing Cybersecurity Programs – By engaging with qualified legal counsel to assess cybersecurity policies and programs, companies can rely on the protection of attorney-client privilege to mitigate the risks of disclosing negative assessment results. 
  • Take Advantage of Government Resources – The DOD has a vested national interest in ensuring the defense industrial base is adequately protected from cyberattack. Federal agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) offer free training and resources. Even the National Security Agency (NSA), best known for collecting foreign signals intelligence, offers free cybersecurity services, including Protective Domain Name System (PDNS) and Attack Surface Management, to any DOD contractor.