The Pentagon has officially released the final rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0, setting the stage for full implementation by mid-2025. This new standard will require U.S. Department of Defense (DoD) contractors to meet specific cybersecurity requirements to better protect sensitive data and defense information.
Public inspection of the rule began last Friday, and formal publication is expected by today, October 15, according to the DoD. The certification is part of the Pentagon's broader effort to enhance cybersecurity practices across its supply chain.
For contractors, CMMC 2.0 introduces a streamlined model, combining self-assessments for lower-risk contractors and third-party assessments for higher-risk contractors. The goal is to ensure strong cybersecurity protections without overburdening smaller organizations.
"This rule streamlines and simplifies the process for small- and medium-sized businesses by reducing the number of assessment levels from the five in the original program to three under the new program," the Pentagon said in an October 11 press release.
The development represents a significant step in the DoD's plan to defend against growing cyber threats, and will impact thousands of contractors in the defense industrial base. Contractors should prepare now by reviewing their cybersecurity frameworks and preparing for compliance with the new standards.
"CMMC 2.0 is a fundamental shift in how the U.S. government is approaching the protection of unclassified information," said Max Shier, CISO at Optiv. "The standardization of cybersecurity requirements in how defense contractors and the supply chain supporting government contracts protect controlled unclassified information (CUI) was necessary because the defense industry was having information leakage at unprecedented levels, and there were no guarantees they were delivering uncompromised products. CMMC 2.0 addresses those concerns with a minimum acceptable standard in how the supply chain protects the government data entrusted to them.
"Companies first need to do an assessment to understand what is contractually going to be required," Shier added. "It doesn't make sense to prepare for Level 3 compliance, the highest, when the company isn't going to be required to be certified at that level. Second, a roadmap needs to be developed to cover the gaps in compliance for what the organization is required to meet. Furthermore, the organization needs to ensure they are ready to sustain the level of compliance they are required to meet."
More from the U.S. Department of Defense press release:
"CMMC provides the tools to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. The CMMC Program implements an annual affirmation requirement that is a key element for monitoring and enforcing accountability of a company's cybersecurity status.
With this revised CMMC Program, the Department also introduces Plans of Action and Milestones (POA&Ms). POA&Ms will be granted for specific requirements as outlined in the rule to allow a business to obtain conditional certification for 180 days while working to meet the NIST standards.
The benefits of CMMC include:
"New regulations often introduce compliance costs that favor larger players, leaving smaller contractors struggling to meet requirements," said to Narayana Pappu, CEO at ZenData. "It's encouraging to see the CMMC address this challenge by offering accredited Third-Party Assessment Organizations (C3PAOs) to provide expert guidance, helping contractors manage cybersecurity risks effectively. Additionally, the resources available on the DCMA/DIBCAC website support contractors in understanding and implementing necessary controls. The use of intermediary devices and specialized assets further offers flexible, cost-effective solutions for managing risks, making compliance more accessible for smaller businesses."
The DoD's follow-on Defense Federal Acquisition Regulation Supplement (DFARS) rule change to contractually implement the CMMC Program will be published in early to mid 2025. Once that rule is effective, DoD will include CMMC requirements in solicitations and contracts. Contractors who process, store, or transmit FCI or CUI must achieve the appropriate level of CMMC as a condition of contract award.
"There is a lot of confusion still as to the requirements for cloud-based services and FedRAMP equivalency," Shier said. "One of the first tasks an organization needs to accomplish when developing their CMMC strategy is to do a scoping exercise to determine what is in scope of a CMMC assessment and to determine where FedRAMP equivalency requirements apply to cloud-based assets or services. Second, an organization needs to ensure they have the proper documentation to support the external connection and service, including a controls responsibility matrix, data flow diagrams and any policies that apply to the service or capability. Lastly, an organization needs to ensure everything is documented in the system security plan or SSP."