Understanding the Cybersecurity Maturity Model Certification (CMMC) Program: Essential Steps for Defense Contractors
By: Sheila Armstrong, Corey Bieber, Guillermo Christensen, J.D. Koesters
The Department of Defense (DoD) published the updated Cybersecurity Maturity Model Certification (CMMC) Program to enforce existing cybersecurity standards across the defense industrial base. This program is designed to ensure the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from growing cyber threats. CMMC requirements will be phased into contracts starting in 2025, marking a shift in accountability for safeguarding non-public information throughout the Defense Industrial Base (DIB).
Key Aspects of the CMMC Program
The CMMC framework includes three certification levels, each with progressively more stringent requirements based on the sensitivity of the information handled. Level 1 requires contractors to complete a self-assessment covering 15 basic safeguards outlined in FAR 52.204-21. Level 2 requires contractors to implement the 110 requirements of NIST SP 800-171 and adds a third-party assessment for some contracts. Level 3 adds 24 additional requirements from NIST SP 800-172, with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducting assessments every three years.
Certification Process and Compliance Steps
Each certification level requires specific accountability measures. Level 1 and certain Level 2 contractors conduct self-assessments and report their scores to DoD’s Supplier Performance Risk System (SPRS). For some Level 2 and all Level 3 certifications, contractors must undergo a third-party assessment by a certified CMMC Third-Party Assessment Organization (C3PAO) or by DIBCAC. Contractors may use a Plan of Action and Milestones (POA&M) for up to 180 days to address gaps in requirements.
Contractors must submit an annual affirmation to maintain certification, while periodic reassessments ensure ongoing compliance. If requirements cannot be implemented, contractors may request enduring exceptions, particularly if specific technologies lack compatibility with a requirement.
Integration of CMMC Requirements in DoD Contracts
DoD will roll out CMMC requirements across contracts gradually, with full implementation expected by 2028. Initially, CMMC requirements will apply only to contracts requiring Level 1 or Level 2 self-assessments, but all contracts involving FCI and CUI will include CMMC requirements by 2028. This phased approach gives contractors time to comply yet underscores the need for prompt action.
Implications for the Defense Supply Chain
CMMC requirements extend beyond prime contractors to subcontractors handling FCI or CUI. Prime contractors must ensure their subcontractors meet the necessary certification level, creating accountability across the supply chain.
Preparing for CMMC Certification
To prepare for certification, contractors should conduct a thorough internal cybersecurity review under privilege to identify gaps. Contractors who handle CUI must develop a System Security Plan (SSP) to document compliance strategies. Engaging a C3PAO for higher-level certifications and reviewing subcontractor compliance are key steps. Acting early allows contractors to align cybersecurity practices with CMMC requirements.
Conclusion
The CMMC Program shows the DoD’s commitment to securing its supply chain. Contractors who fail to comply with CMMC requirements risk losing DoD contracts and/or facing government enforcement actions. Defense contractors who plan ahead and take necessary actions will maintain contract eligibility and safeguard sensitive information effectively.