On December 16, the U.S. Department of Defense’s Cybersecurity Maturity Model Certification Program (CMMC) final rule (the “CMMC Program Rule”) will become effective, to codify the CMMC requirements and assessment processes. Published in October, the rule allows contractors to get a jump start on developing compliance programs prior to enforcement of the CMMC, and permits CMMC Certified Third-Party Assessment Organizations (C3PAOs) to begin assessing contractor compliance against the CMMC framework. Note, however, that the CMMC Program Rule does not require the DoD to mandate a specific CMMC level in a solicitation or contract. This will be triggered when the final CMMC Acquisition Rule, which addresses CMMC procurement-related considerations, gets finalized sometime in 2025.
If you are a government contractor that handles sensitive unclassified information, now is a good time to develop your CMMC compliance program, which may entail an assessment that will require significant preparation. Once the CMMC Acquisition Rule is finalized, DoD contracting officers will not make an award, exercise an option, or extend the period of performance on a contract, if the contractor does not have: (1) the passing results of a current certification assessment or self-assessment for the required CMMC level; and (2) an affirmation of continuous compliance with the security requirements in the Supplier Performance Risk System (SPRS) for all information systems that process, store, or transmit sensitive unclassified information during contract performance. Accordingly, when the CMMC Acquisition Rule becomes finalized, you may lose DoD contracts if you do not have a passing, current certification assessment or self-assessment and the affirmation of compliance.
Background: What is the CMMC Program?
The CMMC Program is designed to strengthen cybersecurity for the defense industrial base by enforcing the protection of sensitive unclassified information shared by DoD. It will apply to all DoD solicitations and contracts for which contractors or subcontractors process, store, or transmit Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) during contract performance. It requires all companies, as a condition of a DoD contract award, to:
- Conduct a self-assessment or undergo an assessment, depending on the sensitivity of the data on the contractor’s or subcontractor’s information systems as described below;
- Complete annual affirmation of continued compliance in DoD’s Supplier Performance Risk System (SPRS), an action subject to the False Claims Act; and
- Flow down the CMMC requirements to subcontractors, as necessary.
The CMMC’s three levels of cybersecurity standards incorporate security requirements from existing regulations and guidelines as follows:
| Level | Assessment requirements | Cybersecurity Standards |
| --- | --- | --- |
| Level 1: Basic Safeguarding of FCI | Annual self-assessment | 15 security requirements in FAR 52.204-21 |
| Level 2: Broad Protection of CUI | Every 3 years, either (i) a self-assessment or (ii) an assessment by a CMMC Third-Party Assessor Organization (C3PAO) | 110 security requirements in NIST SP 800-171 Revision 2 |
| Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats | Every 3 years, a Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) Assessment | 110 security requirements in NIST SP 800-171 Revision 2 AND 24 identified requirements from NIST SP 800-172 |
What’s the timeline for CMMC Implementation?
You should start to develop your CMMC compliance program promptly to meet the CMMC requirements to be fully implemented over the next four years. The CMMC Program Rule sets up a four-phase schedule, tied to the final CMMC Acquisition Rule, whereby the DoD’s ability to integrate the CMMC requirements in applicable DoD solicitations and contracts will escalate. For example, for Phase 1, which starts when the CMMC Acquisition Rule becomes effective (likely sometime in 2025), the DoD can begin to include requirements for self-assessments in DoD solicitations and contracts as a condition of contract award and in options to exercise active DoD contracts. By phase 4, which will commence three years after the effective date of the CMMC Acquisition Rule, the DoD will begin to include CMMC Program requirements in all applicable DoD solicitations and contracts, such as option periods on contracts awarded previously.
Though it will take a few years for the CMMC program to become fully implemented, contractors should act now. The effort and resources necessary to meet the requisite cybersecurity standards, and the time it will take to arrange and complete the assessment, may easily be underestimated. We expect many contractors will face compliance challenges due to shortages in cybersecurity skills and increased demand across all industries.
If you are a DoD Contractor, how can you prepare?
- Assess your current cybersecurity posture. Conduct a self-assessment to map current practices against the CMMC requirements, and identify any gaps. Consider working with C3PAOs for pre-assessments and to start official certification.
- Implement required security controls. Strengthen your security practices by adopting controls outlined in NIST SP 800-171 and other relevant standards. Develop and document policies, procedures, and practices that align with CMMC levels.
- Train your staff. Ensure employees understand their role in cybersecurity. Provide specific training on handling and protecting FCI and CUI.
- Develop or review your incident response plan. No information security program is complete without an Incident Response Plan for identifying, responding to, containing, and recovering from cybersecurity incidents. Regularly test and update your plan.
- Budget and plan for compliance and certification. Allocate resources for (i) the cybersecurity measures necessary to achieve and maintain the appropriate level of compliance and (ii) the certification processes. Factor in potential investments in tools, training, legal guidance, and consulting that may prove essential.
- Stay on top of CMMC developments. Keep track of CMMC updates and changes, and anticipate finalization of the CMMC Acquisition Rule, which will establish the dates for the four phases of CMMC implementation.
Remember, CMMC self-assessments and affirmations are subject to the False Claims Act (FCA). The Department of Justice (DoJ) has demonstrated that cybersecurity-related fraud is a top priority through a number of actions, and we expect this area of enforcement will only grow as the CMMC program ramps up. In 2021, the DoJ launched its Civil Cyber-Fraud Initiative, which uses the FCA to combat new and emerging cyber threats to the security of sensitive information and critical systems. Through this initiative, the DoJ has been actively enforcing the FCA for alleged cybersecurity violations. In 2024 alone, the agency has settled such allegations against a variety of government contractors for millions of dollars (see here, here, and here).
If you are just getting started on your CMMC journey, talk to an attorney. You may benefit from legal counsel as you start preparations, prioritize resources, and develop your compliance program.
This article summarizes aspects of the law and opinions that are solely those of the authors. This article does not constitute legal advice. For legal advice regarding your situation, you should contact an attorney.