The Final CMMC Rule Explained: Key Takeaways
The eagerly awaited CMMC (Cybersecurity Maturity Model Certification) final rule has now been published in the Federal Register, and while it may not be an easy read, its importance cannot be overstated. This article, based on a recent joint webinar presented by FutureFeed, NeoSystems, and Holland & Knight, will distill the essentials of the final CMMC rule and what contractors need to know to navigate its complexities.
Why CMMC? A Brief Background
CMMC addresses the Department of Defense’s (DoD’s) pressing cybersecurity needs. DoD is establishing CMMC in part to ensure that sensitive information, such as Controlled Unclassified Information (CUI), is properly safeguarded. For years, the DoD has found that contractors often fall short of the required cybersecurity controls, which has led to escalating threats from cyber adversaries. The CMMC program seeks to mitigate these risks through a structured, certified approach.
Navigating the Final CMMC Rule
The final CMMC rule is extensive, with more than 470 pages of guidance and regulations. For contractors, the practical place to start is on page 384 of the rule, where the regulations themselves begin. Earlier sections offer context on regulatory necessities and responses to public comments. Although these can be very helpful, most contractors should focus on understanding the core requirements in the formal rule.
Program Structure and Rollout Phases
CMMC 2.0 has shifted from the original five levels to three. Level 1, which requires compliance with FAR 52.204-21 requirements for safeguarding Federal Contract Information (FCI), mandates an annual self-assessment. Level 2 is designed for contractors handling CUI, where 95% will need an independent assessment by a CMMC third-party assessment organization (C3PAO) every three years. Contractors at Level 2 are required to meet all applicable requirements in NIST SP 800-171 to earn their certification. Finally, Level 3, which applies to those handling the most sensitive information, combines 110 controls from NIST SP 800-171 with an additional 24 security controls from NIST SP 800-172.
Understanding the Certification Requirements
Certification is now a condition of award, which means that contractors must be certified by the time a contract is awarded, not during the bidding process. A new feature of the final rule is conditional certification, allowing contractors who score at least 80% on their initial assessment to receive a temporary certification. However, contractors must remedy any deficiencies within 180 days or they may be subject to contractual penalties including fines and contract termination.
In addition, a senior organizational official is now required to affirm that their organization meets, and has continued to meet, the applicable requirements. This affirmation also certifies the accuracy of information submitted. This adds another layer of accountability and could subject the affirming official to personal liability. It also creates additional exposure for the organization under the False Claims Act.
Timeline for Implementation
The DoD has set a four-phase rollout for CMMC, with the program anticipated to be in effect by March or April 2025. During Phase 1, Level 1 and Level 2 self-assessments will be required. By approximately March 2026, all new contracts will require a C3PAO certification. Phase 3 and Phase 4, set for approximately March 2027 and March 2028, respectively, will progressively apply the requirements to option periods of existing contracts. However, the DoD reserves the right to insert CMMC requirements earlier for specific contracts if necessary.
Clarifying the Scope: What’s In and What’s Out
Scope is a crucial aspect of CMMC compliance, especially at the higher levels. For foundational Level 1, only systems that handle FCI fall within the scope. For Level 2 and above, organizations must consider the systems that store, process, or transmit CUI, as well as those that help secure this data. Implementing virtual desktops is recommended to separate CUI from broader organizational networks, reducing the systems and devices that fall within the scope of an assessment.
What Constitutes CUI?
Controlled Unclassified Information (CUI) is roughly defined as information created or possessed for or on behalf of the government that is non-public and unclassified but requires safeguarding or dissemination controls. Contractors do not have the authority to designate information as CUI themselves; this is solely a government determination. To avoid scope confusion, contractors should clearly document CUI handling practices and consult with the DoD when in doubt.
The Role of External Service Providers (ESPs)
Many contractors rely on External Service Providers (ESPs), such as cloud service providers (CSPs) and managed service providers (MSPs), to handle various aspects of cybersecurity compliance. The CMMC rule requires that any ESP storing, processing, or transmitting CUI must meet FedRAMP Moderate Baseline standards. This ensures that ESPs uphold the same level of security expected from contractors. However, the rule has removed the previous requirement for MSPs and managed security service providers (MSSPs) to be CMMC-certified, placing the burden on contractors to verify that their ESPs can meet the necessary security standards.
Planning and Budgeting for Assessments
The CMMC assessment process involves a rigorous evaluation through documentation, interviews, and testing. As outlined by James Goepel, FutureFeed’s General Counsel and Director of Education, organizations should have a well-documented cybersecurity program. Generally, a simple CMMC assessment was expected to cost between $50,000 and $60,000, though DoD’s updated assessment team requirements are likely to significantly increase those costs. Complex environments or additional travel requirements may also increase this amount. Contractors who proactively prepare and demonstrate a comprehensive understanding of CMMC requirements may find assessors willing to provide discounts.
The Path Forward: Practical Steps to Prepare
To prepare for CMMC assessments, contractors should prioritize three areas:
- Documentation: Ensure policies, procedures, and evidence of compliance are well-documented.
- Evidence Collection: Implement systems to collect and organize evidence of cybersecurity measures regularly.
- Training: Prepare internal teams for assessments by training them on compliance protocols and practices.
Conclusion
The CMMC final rule represents a milestone in safeguarding U.S. government data. While compliance may require a substantial investment, it reinforces the importance of cybersecurity in national defense. FutureFeed and its partners stand ready to support organizations on this journey, from initial understanding to complete implementation.
As cyber threats evolve, the CMMC will serve as a robust framework to ensure that sensitive information within the defense industrial base is effectively protected. For contractors, adhering to these standards is not just about compliance but about embracing a culture of security that strengthens national resilience and supports technological leadership.
In closing, contractors should remember that navigating CMMC is a strategic investment, not just a requirement. As Goepel emphasizes, “We all have a responsibility to protect the sensitive information the government entrusts to us.” With CMMC, contractors can meet that responsibility, supporting national security while safeguarding their reputations and fostering resilience.