October 15, 2024, became a historic date in the cybersecurity sector after the United States Department of Defense (DoD) published the final rule for the latest CMMC iteration. Unsurprisingly, this announcement triggered mixed reactions across the global cybersecurity community.
While many pundits immediately embraced the Final Rule as the ultimate solution for emerging cybersecurity threats across the Defense Industrial Bases (DIBs), some DoD contractors took issue with the relatively tight compliance deadline. With only months left to comply with the Final Rule, DIBs must move swiftly to understand the revamped CMMC rule and align with its various components.
Here’s the latest news from the CMMC Accreditation Body (CMMC AB), focusing on the recently unveiled Final Rule and what the road to compliance looks like.
The Cybersecurity Maturity Model Certification (CMMC) program was developed to boost cybersecurity across the defense industrial base. The DIB is a vast network of organizations and facilities that handle sensitive data shared through defense contracts, including controlled unclassified information (CUI) and federal contract information (FCI).
As with similar cybersecurity frameworks, the CMMC’s goal is to prevent sensitive government information from being accessed by malicious actors.
Now, the recently updated CMMC Final Rule establishes CMMC as the official cybersecurity program the DoD will deploy to ensure compliance across all systems handling CUI and FCI. The CMMC Rule sets out the conditions that organizations must fulfill to be eligible for DoD contracts. It also provides a solid mechanism for DIBs to strengthen their cybersecurity posture.
The CMMC Accreditation Body is a non-profit organization mandated by the DoD to ensure DIBs meet the necessary cybersecurity protocols for safeguarding CUI and FCI.
Although it operates independently, the CMMC AB falls under the DoD’s guidance and oversight.
According to the CMMC AB, compliance with the Cybersecurity Maturity Model Certification will be mandatory for all defense industrial bases. These include contractors engaging directly with the DoD, as well as third-party subcontractors spread throughout the DoD supply chain.
Simply put, any organization that handles CUI or FCI will be obligated to comply with the new CMMC cybersecurity framework.
It’s also important to note that December 16, 2024, will be the initial compliance date. However, full implementation of the CMMC program will take place once a related rule, the Defense Federal Acquisition Regulation Supplement (DFARS) rule, is enforced.
The CMMC Final Rule requires defense contractors and subcontractors to adopt more advanced cybersecurity practices than the program’s previous iterations did. Unlike the earlier versions, the restructured CMMC framework strongly emphasizes an organization’s cloud service providers (CSPs) and external service providers (ESPs).
DoD contractors will not only have to achieve CMMC 2.0 compliance within their internal cybersecurity systems; they will also be mandated to ensure that their third-party partners, including suppliers, distributors, and clients, are equally compliant.
Notably, CSPs will be required to conform to FedRAMP Moderate for baseline cybersecurity, while ESPs must meet the specific CMMC level based on the contractor they support.
Compliance with CMMC is now a minimum eligibility criterion for securing defense tenders.
CMMC non-compliance will be a valid reason to knock aspiring DoD contractors off the merit list. In addition, the agency will reserve the right to terminate existing contracts and prescribe additional penalties if it deems a contractor non-compliant.
Under the False Claims Act, penalties will be even more stringent for contractors who purposefully lie about or misrepresent their compliance status, either to win a DoD bid or to retain their existing tenders. If convicted, such entities will be subject to fines, civil penalties, and exclusion from future federal contracts.
However, achieving CMMC compliance will confer more benefits to federal contractors besides helping their bottom line.
Organizations that conform to CMMC’s standards will be able to bolster their cybersecurity posture and protect sensitive information, both public and private. Compliance will also improve brand credibility and reputation in the competitive DoD landscape.
Although not identical, CMMC draws heavily from National Institute of Standards and Technology (NIST) publications. Notably, CMMC Level 2 incorporates NIST SP 800-171 and NIST SP 800-53, specifically addressing the protection of FCI and CUI.
The key distinction between CMMC and NIST SP 800-171 is that the NIST framework spells out the cybersecurity requirements that DIBs must satisfy, whereas CMMC defines the maturity levels and the assessments needed to verify that those requirements have been met.
The CMMC Final Rule authorizes the Department of Defense to establish that all defense contractors and subcontractors have implemented the security protocols specified under the various CMMC levels.
Note that the CMMC levels have been reduced to three. They now include:
Level 1 requires DIBs to safeguard CUI by complying with 15 basic cybersecurity practices. Organizations must conduct annual self-assessments to confirm that all 15 practices are adhered to.
Because this is CMMC’s most basic level, the DoD will not allow non-compliant contractors to rely on Plans of Action & Milestones (POA&Ms) at Level 1.
Instead, organizations must affirm their compliance status directly in the Supplier Performance Risk System (SPRS).
CMMC Level 2 establishes more advanced protection for CUI. This level aligns with NIST SP 800-171 Rev 2, incorporating all 110 of its security requirements.
Level 2 also introduces a scoring system to determine to what extent a defense contractor adheres to the 110 security requirements. A significant point of distinction, however, is the choice between a self-assessment and a third-party assessment by an authorized C3PAO. Organizations can find accredited C3PAOs on the CMMC Accreditation Body marketplace.
All scores will be recorded in the SPRS, detailing a contractor’s compliance levels across the assessment scope.
While the DoD requires its contractors to have “MET” all CMMC Level 2 requirements, organizations may record a “NOT MET” score under certain circumstances. In that scenario, the entity will be at liberty to invoke POA&Ms. This grants conditional status while the affected contractor remedies the “NOT MET” requirements within 180 days in order to move from conditional to full compliance.
Level 3 is CMMC’s most advanced level. It requires defense contractors to comply with all NIST SP 800-171 Rev 2 requirements plus 24 additional controls from NIST SP 800-172.
Level 3 seeks to enhance cybersecurity protection among a special segment of the DIB by thwarting advanced persistent threats (APTs). Its noteworthy feature is the insistence on CMMC assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to ensure maximum security against APTs.
Note that DoD contractors must obtain a CMMC Level 2 Final Certification Assessment before undertaking a Level 3 Certification Assessment.
The Department of Defense has taken on a phased implementation approach to the CMMC 2.0 requirements to foster a smoother implementation of the framework across DIBs.
According to the agency, this strategy will allow defense contractors to seamlessly transition to the new framework while maintaining operational continuity.
The implementation phases have been split into four components, as highlighted below:
Phase 1, or the initial rollout stage, is projected to take effect upon the DFARS 252.204-7021 finalization. It will run for up to six months.
Under this phase, DoD contractors should endeavor to embrace essential CMMC protocols requiring self-assessment.
Also known as the requirement expansion phase, Phase 2 will focus on integrating Level 2 Certification Assessments into DoD contracts involving CUI to fortify defense security networks further against threats.
This phase is expected to last 6 to 16 months.
During Phase 3 (the scoping phase), the Department of Defense will require relevant contractors to obtain a Level 3 Certification Assessment to be deemed compliant.
This phase will mark the enforcement of advanced cybersecurity measures as a safeguard against emerging threats across DIB networks. It’s expected to last 18 to 30 months.
Phase 4 will signal the complete implementation of CMMC 2.0.
In this phase, expected to last over 30 months, the DoD will require its contractors to conform to the requirements at all CMMC levels, including any new requirements and adjustments the agency may introduce in the meantime.
Will the phases overlap?
According to the latest CMMC news, the four phases will not run strictly one after another. While the timelines won’t run fully concurrently either, there are significant overlaps between them.
The implication is that Phase 2 begins at least six months after the start date of Phase 1, while Phase 3 starts at least one calendar year after the commencement date of Phase 2.
But while the timelines for full implementation span three calendar years, it’s imperative for organizations to prepare ahead of time. Whether you’re a DoD contractor or an aspiring C3PAO, it’s best to familiarize yourself with the revamped CMMC framework as a significant step toward achieving compliance.
The Final Rule for the latest CMMC iteration was published on October 16, 2024, and the compliance deadline was initially set two months later. The good news, however, is that compliance doesn’t technically end on December 16, 2024.
The phased implementation of the new CMMC cybersecurity framework also implies that the DoD may refine certain CMMC components to align the model with emerging cyber threats. Therefore, the onus is on defense contractors to remain vigilant and receptive to additional CMMC reforms introduced during the implementation phase.
You can kick-start your compliance journey today by enlisting Cybersec Investments’ assistance. As a verified C3PAO, we’ll bring our experience to bear in helping you attain CMMC compliance, boost your organization’s cybersecurity posture, and maintain resilience in the highly competitive defense contracting landscape.