December 13, 2024
Facing an estimated $3.5 billion a year in intellectual property lost through its contractors, the Department of Defense (DoD) needed a way to shore up cybersecurity in the Defense Industrial Base (DIB). From this need, the Cybersecurity Maturity Model Certification (CMMC) program was created, with an initial release in 2020.
The purpose of CMMC is to verify that contractors in the DIB have implemented the contractually required cybersecurity practices and processes to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) that resides on DIB networks.
In November 2021, the DoD announced a significant revamp of the program, known as CMMC 2.0, that collapsed the five original levels into three, dropped the CMMC-unique maturity practices so that the requirements align directly with existing federal standards, introduced the Plan of Action and Milestones (POA&M) process, and set out which contracts require an independent assessment for certification. Updates to the program didn't end there: publication of the "final rule" codifies how CMMC is to be executed, with several important changes from the original program.
The CMMC Rules
CMMC is implemented by two rules: the 32 CFR Part 170 program rule and the 48 CFR (DFARS) acquisition rule. (32 CFR Part 2002 is a different regulation; it is NARA's rule defining CUI itself, which CMMC protects but does not implement.)
32 CFR Part 170 is the program rule. It defines the CMMC levels, the security requirements that are verified at each level, the assessment and affirmation procedures, and the roles and responsibilities of the CMMC ecosystem. The final 32 CFR rule was published in October 2024 and takes effect December 16, 2024; from that date contractors can obtain commercially available assessments from CMMC Third-Party Assessment Organizations (C3PAOs) for CMMC certification.
The 48 CFR rule is an acquisition regulation that implements CMMC policy in defense contracts directly. It is the source of the contract clause (DFARS 252.204-7021) that directs a contractor to obtain a specified level of CMMC certification. The 48 CFR rule is not yet finalized; once it is, CMMC becomes an enforceable requirement in DoD solicitations and contracts, and the phased rollout begins. Finalization is expected sometime in 2025.
Who must meet CMMC requirements?
Every organization that sells to or services the Department of Defense (DoD) must meet CMMC requirements if it handles FCI or CUI in the performance of the DoD contract. The clause the contracting officer places in the solicitation and contract dictates the CMMC level required.
What are CMMC Levels?
The CMMC program requirements are tiered into three levels; which level applies to a company depends on whether it handles only FCI or also CUI, and on how sensitive that CUI is.
CMMC 2.0 Level 1
This level is for DIB companies that handle FCI but not CUI. It requires the 15 basic safeguarding requirements of FAR 52.204-21 (the CMMC 1.0 model counted these as 17 practices; the final rule aligns them one-for-one with the FAR clause). Contractors subject to Level 1 self-assess annually against these requirements.
A company at Level 1 performs its annual self-assessment and records the result in DoD's Supplier Performance Risk System (SPRS) before it can be awarded any contract or subcontract carrying a CMMC Level 1 requirement.
An annual affirmation, signed by a senior company official, that the self-assessment results are accurate and complete is also required. No POA&Ms are permitted at Level 1: every requirement must be fully met.
CMMC 2.0 Level 2
This level applies to DIB companies that will receive Controlled Unclassified Information (CUI) and aligns with NIST SP 800-171 Revision 2, the set of safeguards for protecting the confidentiality of CUI. CMMC Level 2 comprises the 110 security requirements of NIST SP 800-171 with 320 assessment objectives, all of which must be satisfied. Contracts involving CUI already carry DFARS 252.204-7012, which requires NIST SP 800-171 implementation; the Level 2 CMMC requirement itself will be placed in the contract by the CMMC clause once the 48 CFR rule is in effect.
Under the final 32 CFR rule, a Level 2 assessment by a C3PAO has three possible outcomes rather than a simple pass or fail: Final status, Conditional status, or not met. Scoring uses the NIST SP 800-171 DoD Assessment Methodology referenced by DFARS 252.204-7019/7020, in which each requirement is worth 1, 3 or 5 points and a perfect score is 110.
The contractor's leeway comes in the form of requirements that are eligible for POA&Ms. With a score of at least 88 out of 110 in the initial assessment, and with every unmet requirement being POA&M-eligible, a contractor receives Conditional certification status. The unmet requirements must then be remediated and verified in a POA&M close-out assessment within 180 days to convert the status to Final; if that deadline is missed, the Conditional status expires. Not all requirements are POA&M-eligible: 5-point requirements generally cannot be deferred, and a handful of lower-point requirements are also excluded, so confirm eligibility before assessment. The eligibility conditions are in 32 CFR 170.21, and the CMMC assessment guides identify the affected requirements.
Once the CMMC clause is in the contract, contractors and subcontractors must hold at least Conditional CMMC Level 2 status at the time of contract award or they are ineligible for award.
The vast majority of contractors handling CUI will require a C3PAO assessment, called a CMMC Level 2 Certification Assessment, every three years, with an annual affirmation in SPRS in between. Whether a contractor may instead perform a CMMC Level 2 self-assessment depends on the DoD's determination of the sensitivity of the contract's CUI; very few contracts are expected to allow self-assessment, likely covering only about 2% of contractors.
The CMMC program will roll out in phases. Phase 1 begins when the 48 CFR rule takes effect and relies mainly on self-assessments; Level 2 certification assessments are not expected to be required broadly until Phase 2, one year after that start date. The 32 CFR rule itself took effect December 16, 2024, so contractors can begin obtaining C3PAO assessments now, ahead of the contractual requirement.
CMMC 2.0 Level 3
Level 3 requires a government-led assessment by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and a contractor must already hold Final Level 2 certification for the same scope before a Level 3 assessment can begin. This level applies only to the most sensitive and high-risk DoD programs and adds 24 requirements selected from NIST SP 800-172 on top of the Level 2 requirements. The DoD estimates that only about 1% of the DIB is a strong candidate for a Level 3 requirement.
Using Subcontractors and External Service Providers
DoD prime contractors must ensure that every subcontractor they propose meets the required CMMC level prior to contract award, and must flow the requirement down to subcontractors that will handle FCI or CUI. Additionally, all contractors must account for External Service Providers (ESPs), such as managed service providers (MSPs) and cloud service providers (CSPs), that are used within the CUI environment.
Under the final 32 CFR rule, a CSP that stores, processes or transmits CUI must be FedRAMP Moderate authorized or meet DoD's FedRAMP Moderate equivalency requirement. An ESP that is not a CSP and that handles CUI (or security protection data for the CUI environment) is not required to hold its own CMMC certification, but the services it provides fall within the contractor's assessment scope and are assessed as part of the contractor's assessment; the ESP may voluntarily obtain its own Level 2 certification, which simplifies that scoping. Either way, the contractor remains responsible for documenting the shared-responsibility boundaries in its System Security Plan.
Misrepresentations in CMMC Documentation and Implementation
The DoD and the Department of Justice intend to use the False Claims Act, among other civil and criminal laws, to pursue cybersecurity-related fraud by government contractors and grant recipients.
Under its Civil Cyber-Fraud Initiative, the DOJ will hold accountable organizations or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. Penalties can include treble damages and fines under the False Claims Act and breach-of-contract remedies, and if the DoD audits a contractor and finds it non-compliant, it may issue a stop-work order on the contract.
All DoD contractors, from CMMC Level 1 to Level 3, will be required to affirm annually through SPRS that their cybersecurity program continues to meet the applicable CMMC requirements, so a SPRS score or affirmation that does not match the actual state of the environment is itself a misrepresentation.
What you can do to prepare for CMMC
If your business faces challenges in meeting the CMMC requirements, one helpful step is to engage a consultant who specializes in preparing companies for assessments like CMMC. A good consultant can save your firm time and money by helping you minimize your CUI scope, fast-track remediation by implementing only what the requirements actually demand, and guide you efficiently through the assessment process.
Paula Biggs, CMMC-CCP
GRC Cybersecurity Analyst
Hotman Group, LLC
Fort Worth, TX