By: Scott Singer - CEO, CyberNINES
Navigating the requirements for Cybersecurity Maturity Model Certification (CMMC), not to mention the various players involved, can seem overwhelming to organizations relying on Department of Defense (DoD) contracts as a mainstay of their business, especially considering the risk of losing that business if not compliant. This article provides an overview of CMMC, the partners and providers you will work with as you become compliant, and important considerations when engaging these providers.
A good place to start is with the Cybersecurity Maturity Model Certification (CMMC) itself. The DoD created its CMMC program to protect its data, because much DoD project work is done by non-government contractors. CMMC is not a new idea. NIST SP 800-171 was released back in 2017 with the associated DoD acquisition regulation, DFARS 252.204-7012. Since that time, defense contractors have been required to maintain a program of compliance and make progress towards meeting all 110 controls. The Cybersecurity Maturity Model Certification (CMMC) program was created when the government found that contractors were not making significant progress. CMMC requires contractors to have a third-party assessment, similar to ISO 9001 and AS 9100.
CMMC incorporates two rules:
32 CFR Part 170 describes the program and authorizes organizations to do assessments. It became a final rule October 11, 2024, and is expected to take effect December 16, 2024.
48 CFR Subpart 204.75 creates the Defense Federal Acquisition Regulation Supplement (DFARS) that will show up in contracts as DFARS 252.204-7021. The effective date is expected to be mid-year 2025.
CMMC will be rolled out in phases. Ultimately it will be expected to be in all contracts, which could be required as early as 2027.
If your organization is, or aspires to be, a contractor or subcontractor on DoD projects, you will need CMMC to be eligible for any new DoD contracts after the 48 CFR rule goes into effect. While you pursue certification and until you achieve it, you are considered an Organization Seeking Certification (OSC). The level of certification required will depend on the type of government data you will be working with.
CMMC Level 1 is required when Federal Contract Information (FCI) is provided or generated as part of a product or service contract. Look for FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems in your contracts to see if it applies. Examples include contracts, financial information, performance reports, and process documentation. At this level, the OSC is self-assessed.
CMMC Level 2 is required for Controlled Unclassified Information (CUI), which could harm national security if leaked. Examples include technical drawings and inspection reports with military or space applications. This level requires assessment by a third party.