March 14, 2024

Last Updated on July 11, 2024

What’s the best approach for defense suppliers to prepare for Cybersecurity Maturity Model Certification (CMMC) compliance?

This blog post explains what’s changed with the recent CMMC proposed rule, what’s coming up with the CMMC Final Rule rollout, what questions remain unresolved, and how to prepare now for timely and successful CMMC compliance.


What’s changed with the CMMC proposed rule?

Based on feedback from the defense supply chain, the CMMC proposed rule introduces these important program changes:

  • The new CMMC timeline calls for a 2.5-year rollout in 4 phases. Further rulemaking will follow the proposed rule’s 60-day public comment period. This process is expected to take 9 to 12 months. The 4-phase implementation process starts from the date the final CMMC rule becomes effective around early 2025 and is expected to end in mid 2028.
  • Self-attestation will be possible for a subset of CMMC Level 2 compliance. Depending on the sensitivity of the data involved, a small percentage of defense contractors that handle controlled unclassified information (CUI) will be able to self-attest to compliance. Other firms will need third-party certification assessments every three years.
  • There is intensified focus on third-party risk and flow down of requirements. Many SaaS providers, managed security service providers (MSSPs), and other vendors that qualify as external service providers (ESPs) will be required to achieve CMMC certification at the same level as their defense clients. The key to CMMC compliance for defense industrial base (DIB) orgs will be to demonstrate proper assessment and quantification of third-party risk.
  • The CMMC framework will remain aligned with NIST 800-171 Revision 2 for now. Integration with the new NIST 800-171 Rev. 3 is probably some years away given the rule changes required.
  • CMMC Level 3 (Expert) has been significantly clarified. Certification will require compliance with the 110 controls in NIST 800-171 Rev. 2 plus the 24 additional controls in NIST 800-172, Enhanced Security Requirements for Protecting CUI. The proposed rule also specifies multiple Organization-Defined Parameters (ODPs) to be applied in specific situations. CMMC Level 3 assessment requirements have also been defined.


What will the CMMC rollout look like?

With the close of the comment period in late February 2024, CMMC will undergo final rulemaking. Once the final CMMC rule becomes effective in late 2024 or early 2025, the DoD will roll out CMMC in four phases over 2.5 years:

  1. Phase 1 begins on the date when the final CMMC rule goes into effect (that is, when the DFARS 7021 revisions become effective). During Phase 1, CMMC Level 1 or CMMC Level 2 self-assessments will be required for contract award. The DoD also reserves the right to mandate third-party CMMC Level 2 assessments as part of some contracts during Phase 1.
  2. Phase 2 will begin six months after Phase 1 began. During Phase 2, third-party assessments will be required for CMMC Level 2 certification. The DoD will also start requiring CMMC Level 3 certification on some contracts.
  3. Phase 3 will begin one year after Phase 2 began. The DoD will then extend CMMC Level 2 certification assessment requirements to contracts awarded prior to the start of Phase 1. Further, the DoD will not exercise options on pertinent current contracts where the contractor has not passed an independent CMMC Level 2 assessment. The DoD will also continue phasing in CMMC Level 3.
  4. Phase 4 will begin one year after Phase 3 began. Full CMMC program implementation begins in this final phase. The DoD will incorporate CMMC requirements into all its contracts and solicitations, including option periods on existing contracts.


What open issues remain with the CMMC Final Rule?

While the CMMC proposed rule answers many questions, open issues remain. These include:

  • How will the DoD deal with ESPs—which are not DIB companies—needing to be CMMC certified prior to the defense contractors they support? This conflict could further delay the CMMC program as it stands and will need to be resolved.
  • What happens if an ESP that supports many DIB orgs fails its CMMC Level 2 assessment? Will this lead to a “cascade failure” of contractor certifications and potentially derail critical contracts?
  • During Phase 2 of the CMMC rollout, the DoD will begin requiring CMMC Level 2 certification for contractors that may have been awarded contracts based on self-assessments in Phase 1. If such a contractor then fails its C3PAO assessment, how will the DoD terminate that contract without causing follow-on impacts and program delays?
  • While the CMMC proposed rule specifies compliance with NIST 800-171 Rev. 2, the current DFARS 7012 clause specifies compliance with the “current version” of NIST 800-171. A Final Public Draft of NIST 800-171 Rev. 3 was published in November 2023 and will soon become the current version. When and how will CMMC and DFARS language line up?
  • What financial support, if any, will the DoD offer to the thousands of SMBs in the DIB that will struggle to find the staff, money, and IT resources to achieve CMMC Level 2 compliance? Will CMMC certification costs be covered as “allowable” project costs, as the DoD has suggested in general terms? Will grants or other funding be available? Can public/private partnerships help offset costs?

The DoD recently released a video to help inform DIB orgs about the CMMC proposed rule and support preparing comments and other input.


How to prepare now for CMMC compliance?

The CMMC Final Rule isn’t final yet, but it is certainly coming. Meanwhile, the reason for CMMC—inadequate security across the defense supply chain—remains a serious problem.

Defense contractors that handle CUI should be doing all they can to reduce information security risk in line with the CMMC proposed rule and NIST 800-171 Rev. 2, which has been the DoD’s mandated compliance target since 2019. Key steps include:

  • Initiate or strengthen your third-party risk management (TPRM) program and identify your critical vendors to address upcoming requirements for ESP compliance.
  • Chart the flow of your federal contract information (FCI) and CUI through your systems as a foundation for CMMC scoping.
  • Ascertain what people, roles, and systems have access to CUI in your environment so you can begin limiting access.
  • Start training staff on CUI management.
  • Start researching/acquiring appropriate technology to protect CUI.
  • Perform a NIST 800-171 Rev. 2 gap assessment to identify weak areas and plan remediations.
  • Check your compliance with DFARS 7012, which is currently in effect.
  • Initiate or strengthen your compliance monitoring program as you move toward “continuous compliance” and continuous monitoring.
  • Establish or bolster your internal CMMC team, including appointing a “CMMC point person” or compliance lead.
  • Start checking out C3PAOs and Registered Provider Organizations (RPOs) to position your business to beat the CMMC Level 2 compliance rush.


What’s next?

For more guidance on this topic, listen to Episode 131 of The Virtual CISO Podcast with guests Jeff Carden and Warren Hylton, Federal Risk & Compliance Consultants at CBIZ Pivot Point Security