
Preparing for CMMC in 2025

Publication | 01.28.25

After years of anticipation and a series of delays, implementation of the U.S. Department of Defense’s Cybersecurity Maturity Model Certification Program (CMMC) is rapidly approaching. Though CMMC is not expected to enter into effect until early-to-mid 2025, DOD contractors can start taking steps now to ensure a smooth transition into this new regulatory era.

On October 15, 2024, DOD published a final rule (the “Final Program Rule”), which builds on prior CMMC rulemaking and crystallizes its requirements ahead of CMMC’s phased rollout to DOD contractors and subcontractors.

Importantly, publication of the Final Program Rule does not immediately implement the DOD’s CMMC contract requirements. Instead, the trigger for CMMC’s implementation for contractors is tied to a separate CMMC rule, known as the “CMMC Clause Rule,” which is currently at the proposed rule stage and will likely not be finalized until sometime in 2025. However, the release of the Final Program Rule allows CMMC Certified Third-Party Assessment Organizations (C3PAOs) to begin assessing contractor compliance against the CMMC framework, enabling contractors to get a head start on developing compliance programs prior to enforcement.

Below is a brief overview of the CMMC program, followed by a summary of four impactful CMMC changes introduced by DOD in the Final Program Rule.

What is CMMC?

CMMC is a forthcoming DOD regulatory framework designed to ensure that DOD contractors and subcontractors adequately safeguard sensitive government information, specifically Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

DOD contractors that handle CUI are currently subject to the security requirements in Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7012, 252.204-7019, and 252.204-7020. CMMC builds on these DFARS requirements by requiring all contractors and subcontractors who handle CUI and FCI during contract performance to confirm their compliance with CMMC security controls via mandatory assessments and affirmations of compliance. The type of assessment and security controls that apply to a contractor will be informed by the type of data (i.e., CUI or FCI) and the sensitivity of the contract work being performed.

Prime contractors will be required to flow down CMMC requirements to their subcontractors who handle CUI and/or FCI in the course of performance.

CMMC Model Overview

The CMMC framework consists of three tiers, CMMC Levels 1, 2, and 3. DOD will determine the applicable Level for each contract. To be eligible for a contract or subcontract award, contractors will need to obtain assessments and provide affirmations showing that they meet the requirements of the Level specified in their contract or subcontract.

  • CMMC Level 1 will apply to contractors and subcontractors who store, process, or transmit FCI. Level 1 includes 15 requirements from Federal Acquisition Regulation (FAR) clause 52.204-21(b)(1). Contractors at Level 1 will need to provide an annual self-assessment demonstrating their compliance with all 15 requirements.
  • CMMC Level 2 will apply to contractors and subcontractors who store, process, or transmit CUI. Level 2 includes 110 requirements from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Rev. 2, and will require either a self-assessment or a C3PAO certification every three years. A C3PAO certification is a third-party certification from a private entity that is accredited or authorized by the CMMC Accreditation Body to conduct Level 2 assessments.
  • CMMC Level 3 will apply to contractors that DOD determines store, process, or transmit high-value CUI. Level 3 includes 24 select requirements from NIST SP 800-172, as well as all Level 2 requirements. For Level 3 certification, contractors must submit to DOD-conducted assessments every three years.

In addition to assessments, contractors at all Levels will be required to provide annual affirmations from a senior official within the contractor’s organization confirming their compliance with all applicable CMMC requirements.

Four Significant Changes in the Final Program Rule

While the Final Program Rule is mostly aligned with the CMMC requirements from the Proposed Program Rule that DOD released in December 2023, the DOD has made several notable revisions, including the following.

  • A 6-month extension for CMMC implementation Phase 2. The Final Program Rule maintains the same structure as the Proposed Program Rule for the phased 7-year rollout of CMMC to contractors, but the start of Phase 2—the Phase at which Level 2 requirements will begin to be included in contracts—was pushed back six months. In practice, this change will likely mean that contractors and subcontractors subject to Level 2 will have one year from the finalization of the CMMC Clause Rule to obtain assessments and implement CMMC requirements, instead of the 6-month period included in the Proposed Program Rule.
  • Reduced requirements for External Service Providers. Under the Final Program Rule, External Service Providers (ESPs) for contractors involved in handling or securing CUI are no longer required to obtain their own CMMC certification as the December 2023 Proposed Rule prescribed. However, ESPs will likely need to work closely with contractors as they navigate the CMMC assessment process, as an ESP’s services may be assessed as part of a contractor’s overall compliance with the CMMC requirements, depending on the data the ESP handles and whether it handles such data in the cloud or not.
  • Six-year artifact retention period extended to cover all assessments. Contractors are now required to retain artifacts from all CMMC assessments, whether self-assessed or conducted by a third party, for six years following the date of certification. In response to public comments on the Final Proposed Rule, DOD noted that DOJ suggested the six-year retention period. Significantly, the statute of limitations for the False Claims Act is six years, suggesting that the artifact retention period was deliberately chosen to aid future DOJ investigations into CMMC compliance.
  • DIBCAC authority to audit assessments. The Final Program Rule expands on the Defense Industrial Base Cybersecurity Assessment Center’s (DIBCAC) ability to audit contractors regardless of their CMMC status. If a DIBCAC audit is conducted and its results differ from the contractor’s previously reported CMMC status, DOD will rely on the DIBCAC audit over the contractor’s self- or C3PAO-reported CMMC compliance status and can independently update DOD’s Supplier Performance Risk System (SPRS) to indicate that the contractor does not meet CMMC requirements. The rule notes that contractors could face contractual penalties if DIBCAC finds them noncompliant.

Next Steps for DOD Contractors and Subcontractors

Contractors and subcontractors who expect to be subject to CMMC requirements should act now to ensure that they have a compliance plan in place and are prepared for their assessments, including by:

  • Reviewing active DOD contracts to determine their likely CMMC Level.
  • Developing and refining a System Security Plan (SSP) documenting their CMMC assessment scope and compliance with CMMC controls.
  • Defining roles and responsibilities and engaging key internal stakeholders across relevant business units.
  • Conducting a CMMC readiness assessment under attorney-client privilege.
  • Developing and tailoring corporate policies to align with CMMC control requirements.
  • Engaging with C3PAOs to discuss assessment approach and scheduling.