The Cybersecurity Maturity Model Certification (CMMC), a comprehensive set of guidelines for security adherence throughout the Defense Industrial Base (DIB), was unveiled by the Department of Defense (DoD) in 2019. The CMMC government contracting rule was finally put into effect last December under an "interim rule" that gives defense industry groups time to comply while the DoD prepares to enforce it fully.
The National Institute of Standards and Technology's (NIST) Special Publication (SP) 800-171 has been in force since 2017 and must be complied with by companies doing business with the legislative branch. To address contemporary risks, CMMC has incorporated and replaced the 110 security practices listed in NIST 800-171 with new regulations. How much does this actually change things for defense contractors?
What is CMMC?
Due to various circumstances, such as an increase in cyber actors, the rise of remote work, and the Internet of Things (IoT), the volume of cybersecurity incidents affecting federal agencies and their vendors has risen in recent years. By addressing these growing cybersecurity risks, CMMC is committed to preventing Controlled Unclassified Information (CUI) from getting into the hands of adversaries.
Although NIST 800-171 had the same goal, its effectiveness was limited by a self-certification method that occasionally led to subpar compliance levels among DIB businesses. The DoD has determined that tighter standards must be upheld in the face of increased cyber incidents.
To be eligible for sensitive defense contracts, firms must first undergo a third-party assessment under the CMMC, which is seen as the next stage in federal security compliance. Despite having stronger requirements, the CMMC also offers more flexibility thanks to its five levels, which acknowledge various degrees of cybersecurity maturity.
The Interim Rule
The DoD announced an "interim rule" in November of last year, allowing for a transitional period until CMMC is completely adopted. The specifics of this transition are contained in an update to DFARS (DFARS 7019).
Rule 7019: until CMMC is fully implemented, defense contractors that handle, store, or create CUI are still obliged to submit a NIST 800-171 self-assessment and report their score.
Rule 7020: defense contractors must allow access to their premises, systems, and personnel if the government determines that a more thorough evaluation is required.
Rule 7021: the CMMC itself, which is now Defense Department policy. This rule outlines a timeframe for compliance; up to October 1st, 2025, an expanding number of contracts will expressly demand CMMC compliance before it becomes a requirement by default for all DoD contracts.
In the interim, the CMMC Accreditation Body (AB) must verify certified third-party assessment organizations (C3PAOs). This might take some time, since there are currently just two of these organizations, and only 360 are anticipated by the end of 2021.
What You Need to Know Immediately About CMMC
Most firms won't currently be able to obtain the third-party assessment necessary for CMMC certification due to the shortage of C3PAOs. Until that situation changes, organizations should become familiar with the CMMC standards under the interim rule and prepare to apply for certification.
Trust But Verify
The Defense Department is implementing a "trust but verify" strategy for CMMC. Checking boxes won't be sufficient in the future; firms that wish to be CMMC-certified must demonstrate a genuine commitment to cybersecurity.
To ensure that the appropriate safeguards have been put in place, workers will be interviewed, premises will be inspected, and systems will be examined. Being ready entails developing a cybersecurity mindset and aligning organizational objectives with both DFARS and CMMC objectives.
Until CMMC is completely implemented, organizations will still need to carry out NIST 800-171 self-assessments to ensure they comply with minimum standards. To be eligible for a contract award, contractors must complete this assessment in accordance with DFARS 7019 every three years.
NIST Handbook 162 provides instructions for conducting a NIST 800-171 assessment. Results must be reported to the Supplier Performance Risk System and recorded for training. This requirement will expire on October 1st, 2025, when CMMC becomes a prerequisite for all defense contracts.
Cybersecurity Maturity
The five certification levels that make up the "maturity" component of CMMC recognize that some firms have more developed cybersecurity programs than others. Below is a summary of these levels:
Currently, only Levels 1 through 3 have certification requirements that are completely understood. In terms of "cyber hygiene," they are Basic, Intermediate, and Good. Level 3 offers a level of cybersecurity that is generally equivalent to NIST 800-171 and consists of 130 security practices.
Level 4, a "Proactive" security program, adds "enhanced" security requirements. By Level 4, organizations should be prepared for advanced persistent threat (APT) groups and their tactics.
Level 5, an "Advanced" security program, requires highly optimized cybersecurity processes. At this level, businesses must be able to protect sensitive data from sophisticated cyber adversaries.
Once CMMC is fully implemented, all contractors handling CUI will be expected to reach Level 3, just as all are presently obliged to meet NIST 800-171 requirements. With Levels 4 and 5 reserved for the most sensitive applications, Level 3 will continue to be the most common certification level on DoD contracts.