DoD Issues CMMC Final Rule
Fresh from a cybersecurity briefing I provided to many of Sherman & Howard’s clients and industry partners, I returned to my desk to learn the Department of Defense (DoD) recently issued its final rule on the Cybersecurity Maturity Model Certification (CMMC). Located at 32 CFR Part 170, the CMMC final rule is a long-awaited development in an effort to secure the defense industrial base (DIB) against cyber threats. This rule is part of the broader initiative to ensure that contractors and subcontractors working with the DoD meet stringent cybersecurity requirements to protect sensitive defense information. Below is a summary of the key elements of this final rule and its implications.
Background of CMMC
The CMMC was introduced by the DoD to create a unified standard for implementing cybersecurity across the defense supply chain. The DIB, consisting of over 300,000 contractors, handles vast amounts of sensitive data, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). As cyberattacks on the defense sector become more frequent and sophisticated, the DoD sought to create a standardized and enforceable cybersecurity model to protect national security.
Evolution & Phases
The CMMC framework has evolved over the past few years. Initially rolled out in 2020, it required defense contractors to meet certain cybersecurity standards depending on the nature of their work and the sensitivity of the data they handle. The framework introduced five levels of cybersecurity maturity, from basic cyber hygiene at Level 1 to advanced, progressive measures at Level 5.
In late 2021, the DoD revised the program under what is now referred to as “CMMC 2.0.” The updated model streamlined the framework from five levels down to three, reducing complexity for small and medium-sized businesses. The aim was to strike a balance between robust cybersecurity measures and a more manageable compliance process.
Key Highlights of the Final Rule
The final rule solidifies CMMC 2.0 and outlines specific requirements for defense contractors. These are the main components:
1. Three-Tier Certification Levels:
According to the DoD, the CMMC level for a contract, which will also flow down to subcontractors, will be chosen by the government program manager based on the type and sensitivity of the information to be used under that contract. Senior officials will help determine which contracts warrant a Level 3 requirement, and the rule allows senior DoD acquisition executives to waive inclusion of CMMC within particular contracts.
Level 1 (Foundational): This level includes basic cybersecurity practices, aligned with 17 security controls from the National Institute of Standards and Technology (NIST) SP 800-171. Contractors at this level will conduct self-assessments annually. Contractors and subcontractors that process, store, or transfer FCI and CUI will need to comply with the 15 cybersecurity standards in the Federal Acquisition Regulation’s subpart 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” and submit an annual self-assessment report of their CMMC compliance.
Level 2 (Advanced): Level 2 is for contractors handling CUI and is aligned with all 110 controls from NIST SP 800-171. Third-party assessments will be required for companies handling sensitive data, while others may continue to self-assess under specific conditions.
Level 3 (Expert): This level is reserved for companies working on the most critical DoD programs, and it includes additional controls beyond NIST SP 800-171, with assessments conducted by DoD’s internal Defense Industrial Base Cybersecurity Assessment Center, according to the rule. While these assessments will be valid for three years, the new rule will require contractors to file annual affirmations of compliance.
2. Assessment & Compliance:
Contractors will need to achieve the required CMMC level before bidding on or working on DoD contracts. Level 1 contractors can perform self-assessments, but Level 2 and Level 3 contractors handling more sensitive data will be required to undergo third-party assessments or government-led audits.
3. Phased Implementation:
The DoD plans to roll out the CMMC requirement in a phased approach over the next few years. Initially, only select contracts will include the CMMC mandate, allowing contractors to adjust to the new requirements without overwhelming the defense supply chain.
4. Public and Industry Input:
As part of the final rulemaking process, the DoD considered feedback from industry and the public, particularly concerns from small businesses regarding the costs of compliance. The final rule reflects an attempt to balance security with feasibility, particularly for small and medium-sized contractors that play a vital role in the defense supply chain.
Implications for Defense Contractors
The implementation of CMMC will have significant implications for contractors:
Increased Accountability: Contractors will now be directly responsible for meeting the appropriate cybersecurity standards before they can secure DoD contracts. Non-compliance could lead to a loss of business opportunities.
Supply Chain Responsibility: Prime contractors will need to ensure that their subcontractors and suppliers meet the appropriate CMMC levels, cascading cybersecurity responsibilities throughout the supply chain.
Cost Considerations: The costs of implementing the necessary cybersecurity measures, undergoing assessments, and maintaining compliance will vary depending on the contractor’s size and CMMC level. The final rule attempts to address concerns about cost, especially for smaller businesses, but compliance will nonetheless require investment. The DoD estimates compliance costs for the tens of thousands of companies to secure CMMC certification will be approximately $39 billion over 10 years.
Long-Term Benefits: While compliance may be challenging, companies that achieve CMMC certification will likely benefit from improved cybersecurity, a lower risk of cyberattacks, and enhanced trust with the DoD and other partners.
Conclusion
The final rule on CMMC is a critical step in securing the defense industrial base against increasing cyber threats. By establishing clear cybersecurity standards and an enforceable certification process, the DoD aims to ensure that all contractors—big or small—adhere to best practices in protecting sensitive defense data. As this rule is rolled out over the next several years, contractors should prepare by evaluating their current cybersecurity posture, determining the CMMC level required for their work, and investing in the necessary measures to achieve certification.