The Department of Defense (DoD) recently published the final rule for the Cybersecurity Maturity Model Certification (CMMC) on October 15, 2024, marking a significant milestone for cybersecurity requirements across the defense sector. This rule is intended to protect sensitive data within the Defense Industrial Base (DIB), ensuring contractors adopt consistent cybersecurity standards. Here, we cover the most essential takeaways from the final CMMC rule and what they mean for contractors.
The final rule introduces a rollout across four phases, easing contractors into compliance and allowing the CyberAB ecosystem to staff up and get prepared for phase 2.
Phase 1: Self-assessments for Levels 1 and 2 are required on the effective date of the updated DFARS rule, expected in early 2025.
Companies should not be misled by the self-assessment nature of this phase: the DoD has significantly increased its ability to act on whistleblower claims and to enforce the False Claims Act.
With the new rule extending the retention requirement for assessment evidence artifacts to six years, a company can quickly find itself in legal jeopardy if it uses this self-assessment stage to falsely claim compliance.
It should also be noted that this phase raises the bar for vendors that previously aligned with self-assessments under the DFARS interim rule released in November 2020. While those assessments only required that contractors had scores in the SPRS system, the final rule in phase 1 now requires that the SPRS score be at least 80% of the NIST SP 800-171 r2 assessment.
Phase 2: One year later, contractors at Level 2 must undergo third-party assessments by Certified Third-Party Assessment Organizations (C3PAOs) to obtain a CMMC status of Level 2.
The phased implementation allows contractors time to prepare while ensuring CUI remains protected. At this phase, the contractor or subcontractor is expected to undergo the scrutiny of the CMMC L2 Assessment through examination by a third-party assessment organization. If the contractor has not used any third parties in preparation for this assessment, it could spell doom for the contractor. In actual practice, we find that many contractors that assess themselves with no other assistance are way out of alignment.
Phase 3: This begins one calendar year following the start date of phase 2. In addition to all phase 2 requirements, Phase 3 adds CMMC status of Level 3, assessed by DIBCAC, for all applicable DoD solicitations. As a prerequisite, CMMC L3 will require CMMC L2 assessed by a third-party assessment organization (C3PAO).
Phase 4: Full implementation begins one calendar year following the start date of phase 3. DoD will include CMMC program requirements in all applicable DoD solicitations and contracts, including option periods on contracts awarded prior to the beginning of phase 4.
Level 2 and Level 3 contractors must engage C3PAOs for their cybersecurity assessments. Should any disagreements arise during these assessments, the contractor can appeal within the C3PAO, with additional recourse to the Accreditation Body if needed. However, the DoD does not provide a right of appeal, so contractors should engage qualified assessors and thoroughly document cybersecurity practices.
The DoD allows contractors to leverage Plans of Actions and Milestones (POA&Ms) to address certain cybersecurity gaps while maintaining CMMC certification. This provision allows companies to achieve conditional certification, provided they have addressed 80% of required controls. Any outstanding controls must be completed within 180 days and verified by a C3PAO.
Certified contractors must annually affirm their compliance with CMMC standards, filed by an “Affirming Official” responsible for the organization’s cybersecurity compliance. The official must confirm continued adherence to cybersecurity requirements, making annual affirmations an essential aspect of long-term compliance.
Significant organizational changes such as mergers and acquisitions may trigger new assessment requirements. If network expansions or structural changes alter the original security architecture, the contractor must seek a new assessment to confirm compliance with CMMC requirements. This could be a weak spot in the new ruling, as much more clarity is needed on what constitutes a change that requires reassessment. Until it is well defined for all members of the DIB, this lack of clarity could be the source of much contention.
The DoD’s rule enforces CMMC compliance universally, impacting both small businesses and foreign contractors. This includes contracts beyond the micro-purchase threshold of $10,000. The DoD anticipates a low relative cost of compliance and emphasizes the importance of securing sensitive information against foreign actors, meaning small and foreign businesses must adhere to the same cybersecurity standards as larger firms.
While the DoD removed the requirement for certain external service providers (ESPs), such as managed service providers, to have Level 2 certification, contractors using ESPs will still be assessed on the security of their outsourced services. Furthermore, cloud service providers (CSPs) must meet the Federal Risk and Authorization Management Program (FedRAMP) moderate level or an equivalent standard.
Prime contractors or subcontractors may adopt CMMC 2.0 requirements earlier than the mandated dates, especially if handling sensitive information. This proactive approach could give contractors a competitive edge, as early certification showcases a commitment to cybersecurity, potentially benefiting prime-subcontractor relationships. We also feel this could catch some contractors off guard if they are expecting the requirements to only be levied when the appropriate phase is rolled out. It's possible that the prime contractors will facilitate a lot of subcontractor alignment.
Contractors who disagree with the assigned CMMC level on a solicitation can file a pre-award protest, but only during the initial stages of the request for proposal (RFP). This allows contractors to challenge the level designation but requires prompt action, underscoring the importance of reviewing RFP requirements carefully.
The final rule solidifies CMMC as a cornerstone of the DoD’s cybersecurity strategy, impacting defense contractors across the board. With a clear structure, phased implementation, and universal application, the CMMC framework provides an essential pathway for strengthening cybersecurity across the defense sector. Contractors should prepare by reaching out to Registered Practitioner organizations and undergoing mock assessments to ensure they can withstand the scrutiny of a third party while also implementing any needed controls that may not be part of their current information system. This proactive approach will protect sensitive information and foster a more secure Defense Industrial Base.
If you're looking for more cybersecurity tips, All Covered has you covered with our Cybersecurity Essentials Tool Kit and more. Not sure where to get started? Reach out to All Covered for a free consultation today!