Cybersecurity Maturity Model Certification 2.0

The DoD implemented DFARS 252.204-7012 in 2017 with the expectation that NIST SP 800-171 would be flowed down through the covered Defense Industrial Base (DIB). As a result of issues identified by the US Government Accountability Office (GAO) regarding the security of Controlled Unclassified Information (CUI) held by the DIB, the DoD has introduced DFARS 252.204-7021, also known as CMMC, which ultimately requires covered Defence Contractors to provide a certificate of cybersecurity compliance to the DoD before contract solicitation and contract award, applying to both new contracts and options. The DoD will make a decision as to the required level of cybersecurity compliance: Level 1, Level 2 or Level 3.

The Phased Approach For CMMC Implementation

CMMC Implementation Plan: In accordance with 41 U.S.C. § 1707, the DFARS Rule takes effect on November 10, 2025. 

The final rule for DFARS 252.204-7021, known as CMMC, was published on 10 September 2025, completing the Cybersecurity Maturity Model Certification (CMMC) rulemaking process. CMMC comprises two parts. The first, 32 C.F.R. Part 170, establishes the requirements for the CMMC program. The second is the final rule, which amends the Defense Federal Acquisition Regulation Supplement (DFARS) and establishes the DFARS policies, contract clauses, and other provisions that implement the Program Rule.

In the rule, the DoD confirms that it expects both the national and international DIB to comply, noting that the DIB has been required to implement NIST SP 800-171 since 2017 and that CMMC provides assurance over that implementation.

The DoD is implementing CMMC through a four-phase process.

CMMC Phased Implementation https://dodcio.defense.gov/cmmc/About/

Phase 1: Begins on 10 November 2025, the effective date of the 48 C.F.R. rule.

  • CMMC Level 1 and Level 2 self-assessment requirements will be included in applicable DoD solicitations and new contracts as a condition of contract award.
  • The DoD has the discretion to include CMMC Level 2 Certified Third-Party Assessment Organization (C3PAO) certification assessment requirements.
  • The DoD has the discretion to require CMMC Level 1 and Level 2 self-assessments for applicable contracts issued before November 10, 2025, if the contract includes an option.

Phase 2: Begins 12 months after Phase 1 Start.

  • Phase 1 requirements + DoD includes CMMC Level 2 C3PAO certification assessment requirements for applicable DoD solicitations and new contracts as a condition of contract award.
  • DoD has the discretion to delay CMMC Level 2 C3PAO certification assessment requirements to an option period.

Phase 3: Begins 24 months after Phase 1 Start.

  • Phase 1 and Phase 2 Requirements + DoD includes CMMC Level 2 C3PAO certification assessment requirements for applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded after November 10, 2025.
  • DoD includes CMMC Level 3 certification assessment requirements in applicable DoD solicitations and contracts as a condition of contract award, but DoD may delay CMMC Level 3 certification assessment requirements to an option period.

Phase 4 – Full Implementation: Begins 36 months after Phase 1 Start.

  • Full implementation of CMMC: DoD incorporates CMMC requirements into all applicable DoD solicitations and contracts, including option periods on contracts awarded prior to the beginning of Phase 4.

The Tiered Approach for CMMC Compliance

The CMMC Program aligns with the DoD’s existing information security requirements for the DIB. It is designed to enforce the protection of sensitive unclassified information shared by the Department with its contractors and subcontractors. The program provides the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for non-federal systems processing controlled unclassified information.

A Tiered Model: CMMC requires companies entrusted with sensitive unclassified DoD information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. 

The program also outlines the process for requiring the protection of information flowing down to subcontractors. The tiering comprises three levels of compliance: Level 1, Level 2 and Level 3.

Level 1: Basic Safeguarding of Federal Contract Information (FCI)

  1. Annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21.

Level 2: Broad Protection of Controlled Unclassified Information (CUI).

  1. Either a self-assessment or a C3PAO assessment every three years, as specified in the solicitation; which applies is decided by the type of information processed, transmitted, or stored on the contractor's or subcontractor's information systems.
  2. Annual affirmation verifying compliance with the 110 security requirements in NIST SP 800-171 Revision 2.

Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats.

  1. Achieve CMMC Status of Final Level 2.
  2. Undergo an assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
  3. Provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.

CMMC Level Requirements: DoD requirements for the three CMMC levels (Level 1, Level 2 and Level 3).

CMMC Requirements defined by the US DoD - https://dodcio.defense.gov/cmmc/About/