Final rule for CMMC cybersecurity program goes into effect for defense contractors
The final rule for the Pentagon’s Cybersecurity Maturity Model Certification 2.0 (CMMC) initiative went into effect Monday, and the clock is ticking for companies to meet the requirements to be eligible to win Defense Department contracts.
The CMMC program is intended to protect DOD data on contractor systems from being exploited by U.S. adversaries by ensuring those firms comply with National Institute of Standards and Technology security controls.
The final rule will require defense contractors working with controlled unclassified information (CUI) or federal contract information (FCI) to meet one of three levels of CMMC compliance, depending on the sensitivity of the info they’re handling.
The journey toward CMMC implementation — a controversial initiative that has raised concerns among some contractors about the costs involved and other regulatory burdens — has been a long one. After receiving feedback from companies, the department moved away from its original CMMC framework toward a more streamlined version that officials have dubbed CMMC 2.0, which has also entailed a lengthy rulemaking process.
The final rule was released for inspection in October on the Federal Register and was scheduled to go into effect Dec. 16. A follow-on Defense Federal Acquisition Regulation Supplement (DFARS) rule change to contractually implement the CMMC program was slated for publication in early to mid-2025.
“Once that rule is effective, DoD will include CMMC requirements in solicitations and contracts. Contractors who process, store, or transmit FCI or CUI must achieve the appropriate level of CMMC as a condition of contract award,” the Pentagon said in a press release in October.
“With the publication of this updated … rule, DoD will allow businesses to self-assess their compliance when appropriate. Basic protection of FCI will require self-assessment at CMMC Level 1. General protection of CUI will require either third-party assessment or self-assessment at CMMC Level 2. A higher level of protection against risk from advanced persistent threats will be required for some CUI. This enhanced protection will require a Defense Industrial Base Cybersecurity Assessment Center led assessment at CMMC Level 3,” per the release.
According to a notice in the Federal Register, the Pentagon estimates that 8,350 medium and large entities will be required to meet Level 2 CMMC third-party assessment organization (C3PAO) assessment requirements as a condition of contract award.
Far fewer companies are expected to be required to meet the more stringent Level 3 requirements.
“It’s Official! #CMMC 2.0 completed its 60-day Congressional Review period without any changes. Rulemaking is now complete and the new program is in effect. Companies should now begin working towards their CMMC certifications and C3PAOs can begin assessments in accordance with the guidance in the rule,” the Office of the DOD Chief Information Officer wrote in a LinkedIn post on Monday, noting that CMMC requirements won’t be included in DOD contracts until the 48 CFR rule change revising the DFARS is complete and effective. “At that time we will begin a 3-year phased implementation.”
The rollout of CMMC comes as the Pentagon is taking a variety of other measures to try to improve the digital defenses of contractors.
For example, earlier this year the department released a new Defense Industrial Base Cybersecurity Strategy.
Officials plan to routinely evaluate contractor compliance with the CMMC program, the document noted.
The “increasing number of threats resulting from the evolution and expansion of the digital ecosystem drives the need for enhanced requirements for a subset of critical programs or high value assets. Future rulemaking efforts will expand existing information safeguarding requirements for these companies by implementing supplemental guidelines defined in NIST SP 800-172,” the strategy states. “While DFARS specifies the minimum DIB cybersecurity requirements for companies that process, transmit, and store CUI, the Department must also support efforts by the DIB to make risk-informed decisions to exceed these requirements.”
The department also launched a new official program that allows for independent white-hat hackers to find and analyze vulnerabilities in contractors’ systems.
The Defense Department’s Cyber Crime Center (DC3) is partnering with the Defense Counterintelligence and Security Agency on the Defense Industrial Base-Vulnerability Disclosure Program (DIB-VDP), and participation is free and voluntary for companies.
“Most of the DIB, some 200,000 companies, are small and medium-sized businesses. They are not equipped to defend themselves against advanced adversaries. And so the question becomes, how can we help them defend themselves? What can we provide to them? … And the answer is some form of cybersecurity as a service, usually focused on small to medium-sized companies, again, to provide capabilities that they would not be able to work with themselves,” Terry Kalka, director of the defense industrial base collaborative information sharing environment at DC3, said at CyberTalks in October.
Officials are working to counter a variety of malicious cyber activities.
“Phishing is always a constant threat, but I think we’re seeing phishing more as an interrupter to operations, like part of ransomware. The more prevalent threats in the last year have to do with actual exploitation and exfiltration of data. And what that indicates to me is that phishing is still effective but it’s not necessarily the most effective attack vector anymore. And so we really need to work on closing vulnerabilities, patching systems and through CISA’s leadership, secure by design, because that’s how we’re going to block adversarial attacks,” Kalka told DefenseScoop.