The Cybersecurity Maturity Model Certification (CMMC) is a program the Department of Defense (DoD) is rolling out to make sure companies that work with it have sufficient cybersecurity measures in place to protect sensitive information. Think about all the important data that defense contractors handle: plans, communications, project details. In CMMC terms this is Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), and the DoD wants to make sure it is well protected from cyber threats.
In 2019, the DoD started working on a framework to make sure contractors and subcontractors meet certain security standards. This framework builds on the existing requirements of DFARS 252.204-7012 (which already obligates contractors handling CUI to implement NIST SP 800-171) and adds a way to verify compliance through third-party certification. The proposed rule is the set of guidelines and requirements that puts everyone on the same page.
The development of CMMC has been a step-by-step process. CMMC 1.0 was introduced under a DFARS interim rule in 2020. In November 2021, the DoD announced CMMC 2.0, which is the foundation for the proposed rule (referred to below as the Proposed Final Rule) published on December 26, 2023.
The CMMC Proposed Final Rule introduces a framework with three levels of cybersecurity practices. Each level builds on the previous one and is tied to the sensitivity of the information being protected:
- Level 1: Foundational - The basic safeguarding requirements of FAR 52.204-21 for protecting FCI, things everyone should already be doing, like keeping antivirus software updated and managing passwords.
- Level 2: Advanced - The 110 security requirements of NIST SP 800-171 for protecting CUI, covering areas such as encryption of CUI in transit and at rest, audit logging and incident response planning.
- Level 3: Expert - For the most sensitive CUI, adding 24 selected enhanced requirements from NIST SP 800-172 on top of Level 2, with measures like continuous monitoring and proactive threat hunting.
Why three levels? Not every contractor handles the same type of information. Some might handle only basic contract details, while others handle detailed plans or sensitive communications. The three levels let companies match their security effort to the information they deal with, and they give DoD officials and contract owners assurance that the organizations they work with are protecting that information to a specific, named standard.
Who will need to comply with the CMMC Proposed Final Rule?
If you’re a contractor or subcontractor working with the DoD, you’ll need to meet one of these levels. The level depends on the contracts you bid on and the sensitivity of the information involved: handling only FCI points to Level 1, handling CUI to Level 2 or 3. The required level and assessment type will be stated in the solicitation and contract.
How compliance is verified depends on the level. Level 1 is always an annual self-assessment, with the result and an affirmation of compliance posted to the Supplier Performance Risk System (SPRS). Level 2 comes in two variants: some contracts accept an annual self-assessment, while others require a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO) every three years. Level 3 is assessed by the government, through the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and requires a Level 2 certification first. A self-assessment is not a lighter obligation: every practice still has to be met, and a senior official must affirm it annually.
When does the CMMC Proposed Final Rule go into effect?
The DoD published the final 32 CFR Part 170 rule, which establishes the CMMC program itself, in the Federal Register on October 15, 2024, and it takes effect on December 16, 2024. From that date the CMMC 2.0 program is live and assessments can be conducted.
However, the implementation timeline is still moving and subject to change, because two rules are needed to fully implement CMMC 2.0. The 32 CFR rule defines the program; the separate 48 CFR rule amends the DFARS to place CMMC requirements in DoD contracts and defines the contract clause language. So while the program goes live in December, CMMC won’t actually be a requirement in DoD contracts until the 48 CFR rule is final.
At the time of writing, the 48 CFR rule is expected to be final in Q2 2025. The CMMC phased rollout begins when it takes effect.
The CMMC requirements will be rolled out in stages, with certification becoming a condition of award for all applicable DoD contracts about three years after the 48 CFR rule takes effect (around 2028 on the current projection). Here’s the plan:
- Phase 1: Requires CMMC Level 1 or Level 2 self-assessments for applicable contracts. The DoD has discretion to require Level 2 certification assessments in some contracts during this phase. Starts on the effective date of the 48 CFR rule.
- Phase 2: Requires CMMC Level 2 certification assessments (by a C3PAO) where the contract calls for them. Begins one year after Phase 1 starts.
- Phase 3: Adds CMMC Level 3 assessments. Begins one year after Phase 2 starts.
- Phase 4: Full implementation; CMMC requirements appear in all applicable solicitations and contracts, including option periods on existing contracts. Begins one year after Phase 3 starts.
This does not mean organizations can delay CMMC implementation until 2028. They must be ready for each phase’s deadline, which means the time to start preparing is now (if they haven’t already).
This is especially urgent for organizations that need Level 1 or Level 2 compliance, since the DoD plans to include Level 1 and Level 2 requirements in new contracts as soon as 2025. It is also urgent for subcontractors: primes must flow the CMMC requirement down to subcontractors that handle FCI or CUI, so prime contractors will likely start pressuring them to implement CMMC 2.0 ahead of the phased deadlines.
That said, there are dependencies that must be met before these phases can begin. Namely, the 48 CFR rule still has to go before Congress for review before it can be finalized.
Previously, the rule was expected to go before Congress by mid-October 2024 so that it could be finalized before the end of December 2024. This mattered because the congressional review period cannot carry over from one Congress to the next. Because 2024 was an election year, a new Congress convenes in early January 2025, which could delay the process. Had the rule reached Congress before the end of October, the 48 CFR rule would have become final by the end of December or very early in January 2025. Since the rule is going to Congress after October, it is now not expected to become final until sometime in March 2025.
FAQs
What is the proposed rule of the CMMC?
The proposed rule of the Cybersecurity Maturity Model Certification (CMMC) is a set of guidelines and requirements established by the Department of Defense (DoD) to ensure that defense contractors implement appropriate cybersecurity practices to protect FCI and CUI. It introduces a tiered framework with three levels of security, each adding rigor to the one below it.
Is CMMC 2.0 rule-making complete?
Not entirely. As of late 2024, the 32 CFR Part 170 rule that defines the CMMC program has been published as final (October 15, 2024, effective December 16, 2024), but the companion 48 CFR (DFARS) rule that places CMMC requirements in contracts is still in rulemaking. That process includes public comment periods and revisions before the final rule is officially published.
Is CMMC required yet?
As of late 2024, CMMC 2.0 is not yet required in DoD contracts. Requirements will be phased in once the 48 CFR rule takes effect, and the level and assessment type required for a given contract will be stated in the solicitation.
What is the interim rule for CMMC?
The interim rule for CMMC is a set of requirements the DoD issued to begin implementing CMMC while the full rule-making process was still ongoing. It gave defense contractors initial guidance and requirements so they could start preparing for CMMC compliance.
The CMMC interim rule was issued under DFARS and established a five-year phased approach to CMMC implementation, during which CMMC compliance was required only in select pilot contracts approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).
The difference between a proposed rule and an interim rule is when the changes take effect relative to the public comment period. An interim rule takes effect immediately, before the agency has responded to public comments; a proposed rule has no effect on its own and becomes binding only when the agency publishes a final rule after considering the comments. CMMC 1.0 was implemented through a DFARS interim rule, while CMMC 2.0 followed the proposed-rule path: a proposed 32 CFR rule in December 2023, followed by the final rule in October 2024.
The CMMC proposed rule established security requirements for FCI and CUI and went through a period of public comment and review. The 32 CFR portion has since been finalized, while the 48 CFR contracting rule is still making its way through rulemaking.
Has CMMC 2.0 been released?
CMMC 2.0 has been announced, and the 32 CFR rule establishing the program is final (effective December 16, 2024), but as of late 2024 it is not yet enforced in contracts. Enforcement follows finalization of the 48 CFR rule and the phased rollout described above.