It’s finally here!
On October 15, 2024, the U.S. Department of Defense (DoD) published the final rule for the Cybersecurity Maturity Model Certification Program (CMMC).
Considering its original announcement was back in 2020, we’ve been anticipating a CMMC final rule for quite some time. Unsurprisingly, there have been a lot of changes in a nearly five-year window. With the changes, there has come some general confusion around things like who is expected to comply, who should pursue certification, who says who needs certification, where to start, and what the requirements and timeline look like.
So, to demystify an admittedly jam-packed requirement, we will answer some key questions about the certification.
What is the Purpose of CMMC?
CMMC was established to create a standard for protecting, storing, and transmitting data within contracts for the Department of Defense (DOD) that contain Controlled Unclassified Information (CUI).
(We’ll get to CUI in detail later).
Previously covered by DFARS 252.204-7012, CMMC adds another layer of accountability by moving beyond self-assessments to a requirement for third-party validation.
A Brief History of CMMC
As mentioned, CMMC was established in 2020. The initial version (1.0) contained five levels of certification.
This was quickly adjusted in 2021 with CMMC 2.0 and consolidated the initial five levels into three.
It took until 2023 for the Office of Management and Budget (OMB) to receive the proposal for the final rule, which was then published in October 2024.
This final rule (32 CFR Part 170) took effect on December 16, 2024, after a Congressional review.
Updated CMMC Timeline: Key Dates to Prepare for With CMMC Final Rule In Place
The requirements are taking a phased approach, starting with the initial launch on December 16, 2024. Here is what to expect:
- Phase One—Initial Implementation: The standard allows for self-assessment during this phase. Organizations will be expected to meet 80% of 88 controls in this phase. Only controls valued at “1” can be left for resolution in the next 180 days.
- Phase Two (December 16, 2025): This phase will require a third-party assessment for CMMC Level 2.
- Phase Three (December 2026): Beginning 24 months after phase one initiation, this phase is for solicitations requiring CMMC Level 3.
- Phase Four (December 2027): All contracts will include the applicable CMMC level requirements in this phase. Being awarded any contract will be contingent on meeting level requirements.
In some instances, these timelines may be expedited. For instance:
- The DOD may simply choose to move the timeline ahead.
- Prime contractors may implement requirements sooner to determine which contractors will be able to bid on future projects. We’ve seen examples of this earlier this year.
- Self-motivation: by achieving early third-party certification, contractors can potentially get preference in bidding and get ahead of the surge of contractors that will need to find a C3PAO. It also opens new markets that they have not had access to in the past.
Who Decides this Stuff, Anyway?
You may be wondering how to know which level and which requirements your organization may need to meet.
The short answer is the language in the contract ultimately defines it.
Under the contract, you may receive or create FCI or CUI. In either case, they must be safeguarded as defined in the language of the contract.
A Security Classification Guide (SCG) should define which created information is CUI. If a customer receives information that they believe should not be marked as CUI, they can ask for the SCG or the Law, Regulation, or Government-Wide Policy (LRGWP) behind the marking.
For a list of information that is typically considered CUI, you can refer to this resource:
A Flow Down Note
Much as contractors form an interconnected web, so do the requirements.
If a prime contractor has CMMC requirements written into a contract and a subcontractor has access to CUI or FCI, they have the same contractual requirements to safeguard them.
Let’s Take a Deeper Look at What CUI Is
As far as government contractors are concerned, here is what is considered CUI:
It must be created by the contractor during the execution of the contract, or received by the contractor from the Department of Defense (or an upstream contractor, as noted above) during the performance of a contract.
In addition, an LRGWP must require the information to be safeguarded/controlled (there are approximately 400 LRGWPs).
Finally, a federal agency must designate the information as CUI.
What Are the CMMC Level Requirements?
Now that you know how we got here, what information is expected to be protected, and who determines the requirements, here’s what is expected from organizations based on the requirement level:
- CMMC Level 1 requires an annual self-assessment to protect FCI (Federal Contract Information). 17 controls apply to FCI.
- CMMC Level 2 requires a C3PAO assessment every three years. In the intervening years, a self-assessment is required (registered in SPRS). There are 110 controls, drawn from NIST SP 800-171 R2:
- https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final
- Based on the contract language and CUI discussion above, it’s estimated that 5% of CMMC Level 2 contracts will not be required to have an independent third-party assessment.
- CMMC Level 3 requires contractors to undergo an assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). They’re also expected to provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.
What Are the Ramifications for Not Meeting CMMC Requirements?
If a contract is signed indicating a CMMC requirement, but it is proven that the organization is not in compliance, the organization could be subject to prosecution by the Department of Justice.
Once prosecuted, they can no longer gain Department of Defense contracts.
And there’s an incentive to report noncompliance. Whistleblowers are eligible for up to 30% of the cost of the contract.
The CMMC Requirements are on a Path to Become More Difficult
Despite the existing level of difficulty for CMMC within this final rule, it’s anticipated that NIST 800-171 R3 will eventually become the standard set of controls for CMMC.
This is a notably more difficult set of controls, and they broaden in areas like supply chain management and spam control.
So, Should We Even Pursue Certification?
With all this in mind—knowing the breadth and timeline of the requirements and the potential ramifications of noncompliance—how do you know if pursuing CMMC is right for your organization?
Frankly, it’s a hard, expensive, and time-consuming endeavor to meet CMMC compliance.
Typical CMMC implementations exceed six figures. Assessments alone can run between $50,000 – $70,000. And this does not include the cost of additional technical and physical changes or the cost of guidance to achieve CMMC compliance.
Before pursuing compliance, we strongly recommend estimating both the profit you would forgo on work that requires CMMC compliance and the potential profit from the additional work that compliance could win.
If We Determine That We Want to Move Forward, How Do We Get Started?
All efforts are better with a plan. Start by understanding where the protected data is in your systems.
Within that plan:
- Understand what level to pursue based on your contractual requirements—ask your customers.
- Define where the FCI or CUI exists and how it moves throughout the organization.
- Brainstorm how to limit the scope and document those processes.
- Determine who the point person is within your organization. They will own the compliance and the necessary outside resources.
Limiting the scope will likely be key to efficiently implementing CMMC compliance.
Limit Scope: Enclave or Not?
Essentially, and admittedly oversimplified, limiting scope means that you separate compliance-pertinent information into a network that is segmented from the rest of the organization. This is called an enclave.
In doing so, you can aim your compliance efforts at the enclave and avoid needing to do so within the entire organization.
Utilizing enclaves doesn’t make sense for every organization, however.
A rule of thumb is that if over 60% of the business will be in scope, then an enclave is not the right way to proceed.
How Long Will It Take to Obtain CMMC Certification?
With all this in mind, you can expect to spend the following amount of time on implementation:
Level 1 takes roughly 6-8 months.
Level 2 and Level 3 require more runway and will take 18-24 months. They will also demand a culture change, process changes, and dedicated staff for the long term.
To Recap
Again, with the time it’s taken to come to fruition, the changes, and the breadth of the requirements, CMMC can pose more questions than answers. Here is a recap of what there is to know:
- CMMC aims to protect FCI and CUI received from the DOD or from upstream contractors in the performance of contracts.
- Established originally in 2020, it became Final Rule in December 2024.
- This is a four-phased rollout with all contracts complying by 2027.
- There are three levels. Level 1 allows for self-assessments, and Level 2 and Level 3 both require a third-party assessment.
- Eventually, NIST 800-171 R3 will become the standard for the security requirements (controls) under CMMC.
- The language in the contract dictates if compliance is necessary.
- The ramifications for noncompliance are steep, and there are rewards for reporting.
- To start, create a plan with timelines.
- Use an enclave if less than 60% of your business is in scope.
- It will take roughly 6-8 months for Level 1 implementation and 18-24 months for Level 2 or Level 3 implementation.
We hope this helped you identify if you need to comply with CMMC requirements, and what the pursuit might look like. If you have any questions or would like assistance in preparing for compliance, please reach out to the FRSecure Team.
CMMC Terms to Know: A Glossary
- DOD: Department of Defense
- Prime Contractors: Those who work directly with the DOD
- SPRS: Supplier Performance Risk System
  - The scoring of the 110 controls is on a 1, 3, or 5 basis. More significant controls get higher values.
- CUI: Controlled Unclassified Information
- FCI: Federal Contract Information
- SCG: Security Classification Guide
- LRGWP: Law, Regulation, or Government-Wide Policy
- DIBCAC: Defense Industrial Base Cybersecurity Assessment Center
- Cyber AB: Non-profit that oversees CMMC
- C3PAO: Certified Third-Party Assessment Organization
  - A private company that is authorized to perform an assessment
- eMASS: Where files are sent before the assessment so the C3PAO can access them