If you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of your contractual work with the Department of Defense (DoD), you will be required to demonstrate compliance with the CMMC 2.0 cybersecurity framework in order to maintain your ability to bid on DoD work. This is Fact 1.
Fact 2. If you are currently operating in full compliance with National Institute of Standards and Technology Special Publication 800-171, your hardest work is already done. For CMMC 2.0 compliance and certification, the new Level 2 and Level 3 are based on this widely adopted security standard.
Fact 3. CMMC 2.0 is fast approaching the go-live point. A few milestones have shifted recently, and the compliance timeline has been updated accordingly. All organizations governed by CMMC 2.0 should be aware of the updated timeline and where they stand in relation to it.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 Proposed Rule continues its progress through the methodical federal rulemaking process. The milestones below are taken from recent federal updates.
An update posted June 28, 2024 by the CMCC Information Institute, based on input from the DoD, states “the final version of 32 CFR 170, the rules implementing CMMC 2.0, should be published in the Federal Register no later than October 25, 2024.”
Earlier in this timeline, the DoD adopted a three-year phased approach to CMMC 2.0 implementation, and that has not changed. The date has shifted, however, and the three-year implementation period now covers 2025, 2026, and 2027, with final compliance required by 2028.
In the meantime, DoD contractors, subs, and suppliers are currently in compliance with CMMC 1.0 in varying degrees. One of the goals of CMMC 2.0 is to further strengthen cybersecurity throughout the supply chain by making compliance more consistent and “enforcing the protection of sensitive unclassified information,” according to the DoD website.
The required level of CMMC compliance depends on the type of information a contractor, subcontractor, or supplier is responsible for in their work with DoD. Two categories of information are required to be protected by the provisions of CMMC 2.0: FCI and CUI.
Federal Contract Information. FCI is “provided by or created for the DoD under a contract to develop or deliver a product or service to DoD. It is not intended for public release.”
Controlled Unclassified Information. CUI is defined as very sensitive information deemed to be “pertinent to our national interests, or pertinent to the important interests of entities beyond the federal government.”
All contractors will be required to comply with and be certified at one of the three new levels of CMMC 2.0, based on which category of information they are responsible for, as outlined below.
Level 1: Foundational Security, Annual Self-Assessments
This level of compliance is required for all who handle FCI—which is essentially all contractors, subs, and suppliers. Organizations at this level must demonstrate compliance with the 17 security practices outlined in Federal Acquisition Regulation (FAR) 52.204-21. Annual self-assessments are required to demonstrate sustained compliance.
Level 1 is likely to be the only level of compliance required of the smallest suppliers and subs, who comprise nearly three-quarters of the defense supply chain.
Level 2: Advanced Security, Authorized Third-Party Assessments
This level of security is based on the 110 security practices required by NIST SP 800-171. Level 2 contractors must pass a compliance assessment conducted by an authorized CMMC Third-Party Assessment Organization. Third-party assessments are required every three years, with annual self-assessments permitted in select cases.
Level 3: Expert Security, Government-Led Assessments
Contractors who handle CUI that is used in the DoD’s highest priority programs must meet Level 3 security. Like Level 2, this level is based on NIST SP 800-171 with its 110 security practices. However, Level 3 also requires compliance with 35 additional, enhanced security practices delineated in NIST SP 800-172.
Because organizations at this highest level require the most stringent security, assessments must be conducted every three years and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) must be engaged.
Assistance is available to help you understand the requirements for CMMC 2.0 implementation in your organization. In addition, Registered Provider Organizations (RPOs) have been authorized by Cyber AB, on behalf of the DoD, to assist you in preparing for the mandatory CMMC 2.0 assessments.
It is important to recognize that the NIST standards that form the foundation of CMMC 2.0 are not new. NIST SP 800-171 was first introduced in 2015, updated in 2021, and updated again in 2024. This standard describes the security requirements for protecting the confidentiality of CUI that resides in nonfederal systems, networks, and organizations (i.e., the DoD supply chain). The requirements apply to nonfederal systems, networks, and organizations that process, store, or transmit CUI or provide protection for them. The security requirements are designed for use by federal agencies in contracts with their supply chain organizations.
Defense contractors who do not currently meet the NIST SP 800-171 standard in its entirety should take immediate action to bring their organizations into full compliance.
The CMMC Information Institute urges contractors to move toward adopting CMMC 2.0 if they have been postponing compliance, because the core requirements of CMMC 2.0, specifically NIST SP 800-171, “will not change for most contractors no matter what happens with CMMC.”
At Level 3, CMMC 2.0 is based on NIST SP 800-171, as well as NIST SP 800-172. The latter was introduced in 2021 as a supplement to NIST SP 800-171 to strengthen the supply chain's ability to resist more sophisticated cybersecurity attacks and its overall cyber resilience. The 35 security enhancements of NIST SP 800-172 include requirements for damage-limiting operations (DLO), penetration-resistant architecture (PRA), and designing for cyber resilience and survivability, as three examples.
Determine CMMC 2.0 Compliance Level
Review the three levels of CMMC 2.0 compliance and determine which applies to your organization. This decision will identify the level of assessment and certification you need based on the type of information you handle (FCI, CUI, or CUI for high-priority projects). It will also determine what resources you are required to use in seeking certification.
Conduct a security assessment to identify the current gaps in your security program that prevent you from being compliant with CMMC 2.0 requirements at your level (i.e., FAR 52.204-21, NIST SP 800-171, or NIST SP 800-172). To conduct these assessments, Level 1 and 2 will need to engage a Registered Provider Organization (RPO). Level 3 will work with the DIB Cybersecurity Assessment Center.
Remediate Gaps
Prepare a remediation plan to address the gaps and execute that plan to bring your security program into compliance. Create a Plan of Action & Milestones (POA&M) to document remediation actions to be taken, identify resources required, and schedule completion dates for the tasks. This step will likely include vulnerability assessments and penetration testing, development of compliant policies and procedures, and other activities. Depending on your compliance level, you may be required to develop a System Security Plan (SSP).
Officially Assess Compliance
After remediating the security gaps identified, your security program should comply with the requirements applicable at your CMMC 2.0 level. This positions you to conduct an official assessment for certification when CMMC 2.0 goes live. Once you are certified, your organization will be able to continue performing contract work for the DoD, including bidding on new work.
Maintain Compliant Security
Never forget that CMMC 2.0 compliance is about strengthening DoD supply chain security by continuing to protect the FCI and CUI in your care. Between assessments, ongoing compliance requires that you continue to monitor your systems, networks, and security safeguards to maintain robust security. You should also maintain cybersecurity awareness by staying abreast of cybersecurity trends, new information security tools and technologies, and emerging threats.
To guard against data breaches and better protect sensitive unclassified information, the DoD requires its sprawling supply chain to achieve Cybersecurity Maturity Model Certification (CMMC). Version 2.0 is expected to become law by the end of 2024, after which a three-year implementation period will run through 2027, with full compliance required by that time. Until then, organizations must ensure they are in full compliance with NIST SP 800-171, which constitutes the core of CMMC 2.0 at Levels 2 and 3. All three levels can take immediate action to prepare for CMMC 2.0 compliance, and Registered Provider Organizations are ready now to assist contractors, subs, and suppliers on the path to CMMC 2.0.