Key Details: On December 26, 2023, the Department of Defense (DoD) published the highly anticipated proposed final rule for the Cybersecurity Maturity Model Certification (CMMC 2.0) program. The CMMC program aims to establish a comprehensive, scalable framework to protect sensitive information. As such, CMMC ensures defense contractors and subcontractors comply with information protection requirements relating to federal contract information (FCI) and controlled unclassified information (CUI). CMMC 2.0 is set to establish comprehensive cybersecurity requirements that will impact many defense contractors. Interested parties are encouraged to submit comments or concerns by February 26, 2024.
Ryan & Wetmore is committed to helping government contractors grow their business. Contact us today to learn more about our government contracting consulting services.
The Evolution of CMMC
CMMC began its journey in 2020 by issuing an interim rule that implemented the initial vision for the CMMC program (CMMC 1.0). The CMMC 1.0 interim rule was effective November 30, 2020, and established a 5-year phase-in. CMMC 1.0 consisted of 5 levels, with Level 5 requiring 171 practices, 5 processes, and a third-party assessment. The DoD initiated an internal review of CMMC 1.0 in March 2021 and refined the policy and program implementation after a review of over 850 public comments. In November 2021, CMMC 2.0 was announced and updated the program requirements to contain 3 maturity levels.
CMMC 2.0 Levels
CMMC 2.0 aims to achieve the following primary goals:
- Safeguard sensitive information.
- Meet evolving threats by enforcing cybersecurity standards.
- Lower barriers to compliance and ensure accountability.
- Create a culture of cyber resilience.
CMMC 2.0 replaces the 5 maturity levels of CMMC 1.0 with 3 levels:
Level 1
- 15 requirements from FAR (Federal Acquisition Regulation) 52.204-21.
- Annual self-assessment is required, and the contractor enters the information into SPRS (Supplier Performance Risk System).
- Annual affirmation required.
Level 2
- 110 requirements aligned with NIST SP 800-171
- Assessment type is determined at the contract level:
- Self-assessment: valid for 3 years, and the contractor enters information into SPRS. Affirmation is required after each assessment.
- Certification assessment: Valid for 3 years and the C3PAO enters the information into eMASS. Affirmation is required after each assessment.
Level 3
- 110+ requirements based on NIST Sf 800-171 & NIST 800-172
- Government assessment and certification that is valid for up to 3 years. DoD enters the assessment information into eMASS, and affirmation is required after each assessment.
Current Requirements
Currently, contracts involving FCI transfer to non-governmental organizations must follow FAR 52.204-21, which requires compliance with 15 security requirements. Defense contracts that transfer CUI to non-governmental organizations must also include applicable requirements under DFARS 252.204-7012. This clause requires implementing the 110 controls specified in the National Institue of Standards and Technology (NIST) Special Publication (SP) 800-171.
Applicability & Implementation Phases
CMMC 2.0 applies to DoD contractors. This includes both prime and covered subcontractors that provide commercial products and services that store, process, or transmit FCI or CUI on non-federal systems. As such, CMMC 2.0 does not apply to contractors operating federal systems on behalf of the government, contracts less than $10,000, and contracts for COTS items.
CMMC 2.0 will be implemented in 4 phases as outlined in the proposed rule and will require certifications before contract award:
- Phase 1: begins when the CMMC revision to DFARS is effective. CMMC Level 1 or Level 2 Self-Assessment will be included for all applicable DoD solicitations as a condition of contract
- Phase 2: begins 6 months after the start date of Phase 1. On top of Phase 1 requirements, the DoD intends to include Level 2 Certification Assessment for applicable contracts as a condition of award.
- Phase 3: begins 1 year after the start of Phase 2. Phase 1 and 2 requirements are still in place. Phase 3 includes Level 3 Certification Assessment.
- Phase 4: full implementation phase that begins one year after the start date of Phase 3. CMMC program requirements will be included in all applicable solicitations and contracts.
Defense contractors are encouraged to review their cybersecurity infrastructure now as the DoD plans to include CMMC in applicable solicitations beginning October 1, 2026.
Conclusion and Action Plan
Once the proposed rule becomes final, CMMC 2.0 requirements will be included in solicitations over 3 years. Defense contractors are encouraged to evaluate their cybersecurity infrastructure and utilize the following steps to establish gaps in compliance:
- Get started today! Perform a self-assessment and evaluate your current cybersecurity infrastructure. Are there significant internal controls in place to safeguard sensitive information?
- Identify gaps in defenses and invest in capabilities. This can include investing in employee training or service providers.
- Understand and provide training on the most common cybersecurity threats, such as phishing attempts, malware, viruses, ransomware, and spyware.
- Ensure your networks are secure and that you have updated antivirus software.
- Monitor any cloud service provider accounts and enable multi-factor authentication.
- Understand your company’s capture strategy and pipeline of future contracts. Identifying the requirements in the future will enable your company to prepare ahead of time.
- Establish written policies and procedures and ensure integration with current technology. Ensure employees understand these policies and procedures.
- Monitor compliance with NIST SP 800-171, identify areas that need extra attention, and create plans of actions and milestones to remain in full compliance.
- Review and understand the requirements applicable to your company under the CMMC 2.0 level and prepare your systems for assessment.
- Designate an internal employee to be the CMMC 2.0 liaison. This should be integrated with business development and IT groups.
- Meet with your law firm to review and discuss current and future contracts that have cybersecurity requirements. Contractors should also discuss with their lawyers whether the entire company must comply with CMMC requirements or if departmental compliance is satisfactory.
- Go through a security assessment with a firm or industry expert to identify the security gaps and infrastructure required for compliance.
Completing the above items will enable contractors to discover any holes in their security infrastructure and remediate as needed. Note that additional items and requirements may apply to varying contractors. Contractors are encouraged to monitor any changes to the requirements discussed above. As such, understanding and staying up to date on the requirements and performing self-evaluations will be key. For more information, contact Ryan & Wetmore today.
Today’s Thought Leaders
About Peter Ryan
Partner, Co-founder, & CPA
Peter T. Ryan co-founded Ryan & Wetmore in 1988 with business partner Michael J. Wetmore. Peter provides clients with the best strategies for success. His expertise extends across various industries. Peter obtained a Master of Business Administration in Finance from the University of Baltimore and a Bachelor of Arts in Accounting from the Catholic University of America.
About Rosie Cheng
Finance Consultant
Rosie Cheng is a Finance Consultant at Ryan & Wetmore. She focuses on government contracting services and produces many of the firm’s government contracting newsletters. Rosie graduated from Georgetown University with a Master of Science in Management and from William and Mary with a Bachelor of Business Administration.