DoD Publishes CMMC Final Rule

On October 15, the Department of Defense (DoD) published its final rule for its Cybersecurity Maturity Model Certification (CMMC) version 2.0 framework, almost five years after it published the first version in early 2020. During the intervening four years, the DoD solicited comments and suggestions multiple times from industry, streamlined the CMMC model, and in the end re-established the same set of controls for protecting controlled unclassified information (CUI) that the government specified back in 2015 in the initial version of NIST Special Publication 800-171. For organizations participating in the defense industrial base (DIB), CMMC v2.0 requires compliance with Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) clauses covering basic safeguarding of contractor information systems and safeguarding covered defense information (i.e., CUI) that have long been included in defense agency contracts. Similarly, contractors and vendors doing business with defense agencies remain obligated to report their compliance to the government using the Supplier Performance Risk System (SPRS). The big change under CMMC is that contractors will no longer be able to simply self-attest their compliance; they will now have to undergo an independent assessment of their compliance in order to obtain certification.
Over the next three to five years, which is the timeframe during which the government expects all affected organizations will work through the process of achieving CMMC certification, an increasing proportion of DoD contract opportunities are expected to explicitly require CMMC certification. Companies that have never done business with the DoD but want to at least have the option to do so will likely need to proactively attain certification to be able to respond to requests for proposals or quotes from DoD component agencies. CMMC requirements apply across the board to DIB participants, even those that hold facility clearances allowing them to work with classified data. The need for all such organizations to get certified will also, at least for a few years, provide a significant market opportunity for service providers accredited to perform independent assessments. Given the large number of entities needing certification (some estimates put the count over 100,000 organizations) and the relatively small number of accredited CMMC third-party assessment organizations (C3PAOs), there will either be a significant expansion in the number of C3PAOs to handle the volume of certification assessment work or it will take longer than the government’s three-to-five year target timeline for organizations to get certified. It’s premature to speculate with any accuracy how much it will cost certification-seeking organizations for their assessments, but it seems likely that such assessment engagements will be priced similarly to ISO/IEC 27001 audits. As noted in many comments submitted to the DoD in response to the draft notice of proposed rulemaking, the cost burden may be especially challenging for smaller organizations, for whom an expected outlay of 20 to 50 thousand could present a real barrier to entry.
One potential benefit of the multi-year delay in rolling out the CMMC program is that affected organizations have had quite a while to prepare. The DoD in 2020 instructed contractor and vendor organizations to document their control implementation details and compliance information in system security plans, to self-assess their compliance, and to report the results to the government. What sounds like a simple request is a little trickier in reality, because the DoD’s guidance for self-assessment and reporting only gives organizations six months to close any gaps they may have acknowledged in their compliance scores. For companies that had never worked with the DoD, this provided a bit of an unintended incentive to hold off reporting scores for the first time until achieving full or almost-full compliance. DoD contracting officers were also apparently instructed to refrain from inserting CMMC compliance language into new contract solicitations until the CMMC program was formally implemented, so once the final rule goes into effect on December 16, it seems likely that these requirements will appear more prominently in RFPs and RFQs, and potentially in substantially all solicitations beginning in the 2026 federal fiscal year that begins next October 1.
SecurityArchitecture.com
