The DoD’s New Cybersecurity Requirements Are Here! But More Are Certainly To Come
On Dec. 26, 2023, more than two years after announcing its plans for Cybersecurity Maturity Model Certification (CMMC) 2.0, the Department of Defense (DoD) finally unveiled its plan for changing the original CMMC requirements to its new approach, “CMMC 2.0.” The new plan came in a proposed rule that will redefine how the DoD expects defense contractors and subcontractors to satisfy their cybersecurity requirements. Like the original, CMMC 2.0 still requires contractors to meet the requirements of a particular CMMC level associated with their procurement. However, it does so in a more streamlined manner using Levels 1, 2, and 3 to demonstrate escalating system maturity.
Despite referring to them, the proposed rule does not address “CMMC-related contractual processes.” Those processes will instead be addressed in separate rulemaking as part of the DoD’s DFARS Case 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements. The latest report on forthcoming DFARS updates reveals that the DoD has not yet drafted that separate rule, so how soon contractors may see details on those “contractual processes” remains an open question. But the proposed rule confirms – as many have suggested before this release – that compliance with CMMC remains a significant undertaking. From its perspective, the DoD views CMMC 2.0 as entailing mostly the same cybersecurity requirements that contractors and applicable subcontractors are often “already required to implement” under existing clauses, such as FAR 52.204-21 and DFARS 252.204-7012.
Companies already supporting the DoD, or those considering providing such support, should review the proposed rule with their information technology (IT) staff to understand where they stand in implementing those requirements. Below are some of the most significant features of the new CMMC program that the rule describes.
Applicability
The CMMC 2.0 requirements will apply to “all DoD contract and subcontract awardees that will process, store, or transmit information that meets the standards for Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on contractor information systems.”[1] The requirements will also apply to “any Private-sector businesses or other entities comprising the CMMC Assessment and Certification Ecosystem,” such as “CMMC Third-Party Assessment Organizations (C3PAOs)” or “CMMC Certified Assessors (CCA).”
The rule delves into some detail regarding whether these requirements will apply to certain contractors, such as internet service providers or other telecommunications service providers (i.e., common carriers), joint ventures, those performing “fundamental research,” and foreign entities and international contractors.
Requirements
Tiers of Assessment. The rule simplifies the initial CMMC framework to three CMMC levels with some new and modified requirements. Defense contractors or subcontractors that only handle FCI must meet the minimum requirements for CMMC Level 1. Any entities that handle CUI must meet the requirements for CMMC Level 2 or higher, depending on the sensitivity of the information associated with the program or technology being developed.
CMMC Level 1 (Self-Assessment). To obtain a certification of CMMC Level 1, entities must show compliance with the 15 basic safeguarding requirements to protect FCI that are “already required” by FAR clause 52.204-21.
Entities seeking CMMC Level 1 must show their ability to satisfy those requirements through annual self-assessments. Although an entity may perform the annual self-assessment internally or engage a third party to evaluate its Level 1 compliance, using a third party to assist with the assessment process is still considered a self-assessment and does not result in a CMMC certification.
Upon completion of the assessment, entities will have to submit the following information in the Supplier Performance Risk System (SPRS) before the award of any prime contract or subcontract and annually thereafter:
- The results of a self-assessment associated with the covered contractor information system(s) used in the performance of the contract.
- An initial affirmation of compliance from a senior entity official, and then annually thereafter, an affirmation of continued compliance.
CMMC Level 2 (Some Self-Assessment / Some Certification Assessment). To obtain a certification of CMMC Level 2, entities must comply with the 110 security requirements “already required” by the DFARS clause 252.204-7012 and aligned with NIST SP 800-171 Rev 2.
Some entities seeking a CMMC Level 2 may be allowed to demonstrate compliance through self-assessment. If they fall into that category, much like with Level 1, entities seeking certification at CMMC Level 2 will have to perform an assessment and submit the following information in SPRS before the award of any prime contract or subcontract:
- The results of a self-assessment associated with the covered contractor information system(s) used in the performance of the contract.
- An initial affirmation of compliance from a senior entity official, and, if applicable, a Plan of Action & Milestones (POA&M) closeout affirmation, and then annually thereafter, an affirmation of continued compliance.
Other contractors seeking a CMMC Level 2 will be required to undergo CMMC Level 2 third-party assessments. The FAQs provided by the DoD regarding the CMMC program state that those higher-level assessments will apply to “contractors managing information critical to national security.” Once they have satisfied the requirements, those specific entities will have to undergo an assessment of the applicable contractor information system(s) by an authorized or accredited[2] third-party entity, known as a C3PAO, which must validate the implementation of the requirements before award of any prime contract or subcontract and before exercise of an option.
Upon the C3PAO’s completion of the assessment, each C3PAO will upload the CMMC Level 2 results into a government system called eMASS, which will feed the information into SPRS. The entity seeking certification, however, will still need to submit its initial affirmation of compliance into SPRS, and, if necessary, a POA&M closeout affirmation, and then annually thereafter, an affirmation of continued compliance.
CMMC Level 3 (Certification Assessment). To obtain a certification of CMMC Level 3, entities must demonstrate compliance with the CMMC Level 2 and then must meet an additional 24 requirements from NIST SP 800-172 identified by the DoD.
Entities seeking CMMC Level 3 may only obtain this certification after an assessment conducted by the government, i.e., the Defense Contract Management Agency (DCMA). The entity seeking such a certification may only schedule such an assessment after obtaining a CMMC Level 2 Final Certification.
Upon completing an assessment, DCMA will upload the CMMC Level 3 results into eMASS, which will populate the information into SPRS. The entity seeking certification, however, will still need to submit its initial affirmation of compliance into SPRS, and, if necessary, a POA&M closeout affirmation, and then annually thereafter, an affirmation of continued compliance.
Timeframe for Certification Validity. The certifications at CMMC Level 1 are valid for one year and at CMMC Levels 2 and 3 for three years. But for CMMC Levels 2 and 3, an affirmation must be submitted in SPRS annually for the triennial validity period and after any POA&M closeout assessments.
It is, however, possible for an organization to need a new assessment during the validity period. CMMC self-assessments and certifications are performed on a specific set of “assets” of an entity’s system. If those aspects of the system change, a new assessment may be required.
POA&M. Under certain circumstances, the rule permits contract awards to organizations with approved POA&M to satisfy specific cybersecurity requirements for CMMC Levels 2 and 3. POA&Ms are not allowed for entities seeking compliance with requirements for a CMMC Level 1. The rule delineates which requirements contractors may be able to satisfy with a POA&M and clarifies that any POA&Ms must be closed out within 180 days of the assessment.
Waivers. There is no process for an entity to request a waiver of CMMC solicitation requirements. However, the DoD will have internal policies, procedures, and approval requirements that may allow contracting officers some discretion regarding when the CMMC requirement will be incorporated into certain solicitations.
Subcontractors. CMMC Level requirements will be flowed down to subcontractors at all tiers; however, the specific CMMC Level required for a subcontractor to satisfy will be based on the type of unclassified information and the priority of the acquisition program and/or technology being developed. As before, subcontracts may have lower-level requirements than the prime or higher-tier subcontracts. CMMC Level may be negotiated between the prime and subcontractor but will likely need government program office approval based on the information used during performance.
Timing. The DoD envisions a staggered implementation of the CMMC Program requirements in solicitations and contracts. The implementation will take place in four phases that begin on the effective date of the CMMC revision to DFARS 252.204-7021, which is still forthcoming.
By Oct. 1, 2026, at the latest, the DoD intends CMMC requirements for Levels 1, 2, and 3 to be incorporated in all solicitations that involve FCI or CUI during contract performance.
Cost. The rule states that the DoD “currently has no plans for separate reimbursement of costs to acquire cybersecurity capabilities or a required cybersecurity certification that may be incurred by an offeror on a DoD contract.” It adds, “Costs may be recouped via competitively set prices, as companies see fit.” In other words, this is a cost of doing business with the U.S. Government. As such, companies can include these compliance costs in their indirect pools.
It also does not establish any exclusions for small businesses. However, it reminds contractors that resources available through the DoD Office of Small Business Programs (OSBP) may help defray cybersecurity costs by helping companies stay updated with the latest cybersecurity policies and best practices.
Final thoughts
The current rule addressing CMMC 2.0 is only a proposed rule. As that rule acknowledges, the last time the DoD released details of its plan for the CMMC, it received approximately 750 public comments addressing the specifics of the program. Given the substantial changes, this rule will likely receive a similar reception and warrant significant new feedback from the industry. That feedback may well lead to further revisions. The DoD remains interested in hearing from the industry to get this right and to guard against weak information security.
In addition, the rule promises a staggered implementation of the new requirements and for at least some further details (i.e., contractual processes) to be promulgated in a separate rule. Defense contractors and subcontractors should keep that incremental path forward in mind and note that the CMMC 2.0-specific obligations are not likely to hit their contracts immediately. However, given the DoD’s view that many of these requirements are “already” a part of the industry’s obligations under various already existing clauses and the government’s overall focus on contractors’ ability to satisfy their cybersecurity obligations – companies that delay implementing these cybersecurity measures do so at their own risk.
[1] The rule notes that the CMMC Program applies the definitions of FCI from FAR 4.1901 and CUI from 32 CFR 2002, which the rule cites as the definitive sources for these definitions.
[2] Accredited C3PAOs will be listed in a repository called The Cyber AB Marketplace.