CMMC Is Here - Now What?

After years of waiting and speculation that it would never happen, CMMC is finally here!

The Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC) final program rule on October 15, 2024, and it will become effective on December 16, 2024.

I’m sure many of you have been overwhelmed by the amount of CMMC content in your LinkedIn feeds, but in this article, we’ll cut through all the noise and help you understand exactly what this means to you and your business.

How did we get here?

News stories of our adversaries compromising defense contractor networks and stealing information about critical DoD programs have been widely publicized.

To address this threat, the DoD created contractual clauses focused on the implementation of NIST 800-171’s security controls. NIST 800-171 outlines the controls necessary to protect Controlled Unclassified Information (CUI) on nonfederal systems.

DFARS 252.204-7012 required contractors to:

  • Implement NIST 800-171 no later than December 31, 2017

  • Report cyber incidents within 72 hours

  • Use FedRAMP moderate “equivalent” cloud service providers when they hold CUI

The DoD soon discovered that defense contractors were still not implementing the security controls, so the DoD created provision DFARS 252.204-7019 and contract clause DFARS 252.204-7020.

DFARS 252.204-7019 requires the contractor to submit a NIST 800-171 self-assessment score to DoD to be eligible for contract award.

DFARS 252.204-7020 requires the contractor to allow the government to perform third-party cyber assessments of the contractor’s covered network.

The government has been assessing contractor networks for years under DFARS 7020, and contractors have continued to demonstrate that self-attestation of cyber compliance does not work.

How does CMMC fit into the picture?

CMMC has three levels, and the requirements vary per level:

CMMC Level 1 

  • Implement 15 CMMC controls

  • Required for contracts with only Federal Contract Information (FCI) (no CUI)

  • Contractor is required to perform a self-assessment – no 3rd-party assessment is required

CMMC Level 2

  • Implement 110 CMMC controls

  • Required for contracts with CUI

  • Nearly all contracts will require a CMMC level 2 certification from a 3rd-party assessment by a C3PAO

CMMC Level 3

  • Implement 24 additional CMMC enhanced security controls

  • Required for DoD’s most critical CUI programs

  • All contracts will require a 3rd-party assessment by DIBCAC resulting in CMMC certification

    • CMMC level 2 certification is a prerequisite

With anywhere between 80,000 and 300,000 companies in the Defense Industrial Base (DIB), it is impossible for the government to assess that number of companies.

CMMC expands the independent assessment requirement and establishes an ecosystem of independent assessors called CMMC Third-Party Assessor Organizations (C3PAOs).

This is similar to a state’s car inspection program. The government can’t inspect all these vehicles and has outsourced the inspection and certification (the sticker) to authorized mechanics.

The government will require compliance or certification at a specific CMMC level and will not award a contract to a company that isn’t compliant.

From the beginning, the DoD has been focused on protecting their information. Similar to health data in a HIPAA context, or PII in a privacy law context, FCI and CUI are the regulated information that is in scope.

What’s next?

When the CMMC program rule is effective on December 16, 2024, companies can obtain CMMC certification, but the DoD will not include CMMC in contract solicitations for several months until the DFARS 252.204-7021 rule clears the regulatory rulemaking process.

DFARS 7021 is the contractual clause that will be included in contracts to require either CMMC compliance or certification at a specified CMMC level.

Once the DFARS 7021 rule is effective by the summer of 2025, the DoD will begin phasing CMMC into contracts over four years.

The CMMC timeline

Each phase of the CMMC rollout introduces progressively higher certification requirements, ultimately leading to full implementation by Phase 4. Here’s a breakdown of the timeline:

Phase 1: Initial Requirements

  • Start Date: Effective upon the DFARS 7021 CMMC rule’s finalization (estimate – June 2025).

  • Requirements: contractors handling FCI and CUI will need to self-assess that they meet either CMMC level 1 or CMMC level 2 to qualify for applicable DoD contracts.

  • Optional: The DoD may require CMMC level 2 certification for specific contracts or option periods.

Phase 2: CMMC Level 2 Third-Party Assessments 

  • Start Date: One year after Phase 1 begins (estimate – June 2026).

  • Requirements: DoD will mandate CMMC level 2 certification requirements for contract awards, with the flexibility to require it only during option periods.

  • Optional: The DoD may begin to include CMMC level 3 certification requirements for contracts with higher security needs.

Phase 3: CMMC Level 3 Third-Party Assessments 

  • Start Date: One year after Phase 2 (estimate – June 2027).

  • Requirements: Both CMMC level 2 and CMMC level 3 certification will be required as conditions for new contracts and option periods.

  • Optional: The DoD may delay CMMC level 3 requirements to option periods for some contracts.

Phase 4: Full Implementation 

  • Start Date: One year after Phase 3 (estimate – June 2028).

  • Requirements: At this final stage, CMMC requirements will apply to all applicable contracts, including those awarded prior to Phase 4.

What contractors should do now

If your company hasn’t started working on NIST 800-171 and CMMC compliance, it is time to dive in before it is too late!

Large primes will apply downward pressure on their subcontractors to become certified, especially in December after the CMMC program rule is effective and CMMC assessments can begin.

Becoming CMMC certified will be a competitive advantage well before the DoD begins to require CMMC certification at scale in 2026. The prime contractors will be accountable for all tiers of their subcontractors, so they’ll be highly incentivized to work with certified companies.

Here are a few steps you should prioritize right now: 

1. Determine Your Certification Level 

Identify which CMMC level your organization needs based on the type of information you handle. This step will determine the CMMC level of assessment and resources required. Plan ahead and think of the contracts you want to go after in the next three years, because CMMC level 1 will be limiting. C3PAOs can be found on the CyberAB marketplace.

2. To insource or outsource? 

Does your team have the technical and cybersecurity skills to address the security controls? If not, consider hiring a Managed Service Provider (MSP) to manage your IT environment. Most MSPs are not focused on CMMC, so you will need to be selective in your hiring process in order to pass your assessment.

3. Begin preparing ASAP 

Estimates on how long it takes to go from 0% to 100% CMMC compliance range from 6 – 18 months. The duration varies based on the size and complexity of your organization and systems.

4. Engage with a C3PAO Early 

If CMMC certification is in your future, reserve your assessment spot with a C3PAO as soon as you can. There are only 58 C3PAOs as of the time of this writing, and many of them are already booked well into 2025.

5. Develop an Ongoing Compliance Strategy 

CMMC certification requires annual affirmations of compliance. Set up regular reviews and training to ensure ongoing compliance.

Resources 

CMMC may seem overwhelming. I remember encountering this firsthand when I began to research NIST 800-171 for my company many years ago. The good news is there are now excellent resources to help get you started quickly.

I created CMMC online training focused on Defense Contractors that will teach you everything you need to know to make informed decisions. I also created an online CMMC Awareness course that will educate your entire organization on CMMC so they can operate in a compliant manner.

The training has been extremely well received and is quite affordable. Mistakes can be extremely costly, so please take advantage of it.

Closing Thoughts 

NIST 800-171 is the federal standard to protect CUI.

Soon there will be a contractual clause in the FAR requiring the implementation of NIST 800-171 for federal (non-DoD) contracts. If you want to support the federal government, you will not be able to get away from these security controls.

For the sake of our nation’s security and your business’s survival, the time to comply is now.