
What Federal Contractors Need to Know About CMMC

What is CMMC 2.0?

The purpose of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program is to verify that contractors with the Department of Defense (DoD) are meeting their obligations to protect controlled unclassified information (CUI) by meeting standardized cybersecurity requirements. These requirements vary depending on the level of CMMC 2.0 certification required. The program has three tiers with escalating security requirements. DoD requests for proposals (RFPs) will include a clause identifying the CMMC level required for a contractor (and its subcontractors) to receive an award.

Verification will take place by self-assessment or third-party assessment depending on the CMMC level requirement. Except for some newly introduced cybersecurity requirements in Level 3, DoD contractors should already be meeting CMMC 2.0’s security requirements when handling controlled unclassified information.

Note: The following information is based on the CMMC Program Final Rule (32 CFR Part 170) published 10/15/2024 and the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) proposed rule published 8/15/2024. The content in the proposed rule is subject to change in the final rule.

What are the requirements for each of the three proposed tiers?

  • Level 1: Contractors and applicable subcontractors must complete an annual self-assessment to verify their compliance with the 15 security requirements specified in Federal Acquisition Regulation (FAR) clause 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems.” A senior official from each contractor and applicable subcontractors must annually affirm compliance via the Supplier Performance Risk System (SPRS).
  • Level 2: Contractors and applicable subcontractors must implement the 110 security requirements specified by DFARS clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” which are based on the National Institute of Standards and Technology (NIST) standard for protecting controlled unclassified information, NIST SP 800-171 Rev. 2.
    • Level 2 comes in two versions, self-assessment and third-party certification, depending on whether the acquisition involves information critical to national security. Contractors and subcontractors that perform a self-assessment must do so every three years and affirm continuous compliance annually.
    • Level 2 contractors and subcontractors that must be assessed by a third party must be certified by a third-party assessment organization (C3PAO) every three years and affirm continuous compliance annually.
  • Level 3: Contractors must meet all Level 2 requirements as well as 24 selected security requirements from NIST SP 800-172. Level 3 contractors must pass an assessment every three years by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) in addition to the Level 2 reporting requirements.

What contracts will CMMC 2.0 apply to?

CMMC 2.0 requirements will be incorporated into DoD contracts above the micro-purchase threshold (MPT) where the contractor provides information systems that “process, store, or transmit” federal contract information (FCI) or controlled unclassified information (CUI). Contracts exclusively for commercially available off-the-shelf (COTS) items are exempt from CMMC requirements. There is no exception for FAR Part 12 commercial product or commercial service contracts.

Who will be required to undergo a CMMC 2.0 self-assessment or third-party certification?

Again, the requirement to meet a certain CMMC level certification will be incorporated into DoD contracts where the contractor or subcontractor will process, store, or transmit federal contract information (FCI) or controlled unclassified information (CUI) on unclassified contractor information systems:

  • Federal regulation defines FCI as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”
  • Contracts where the contractor must handle FCI will require the contractor to meet Level 1 requirements and thus self-assessment.
  • CUI is defined as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
  • Level 2 or 3 requirements will apply to contracts where the contractor must handle CUI. The exact level required depends on the sensitivity of the CUI.* Handling less sensitive CUI may only require a self-assessment as part of compliance with CMMC Level 2. For more sensitive CUI, a third-party assessment by a C3PAO will be required for Level 2 compliance.
    • * According to the 32 CFR CMMC Final Rule, program managers determine the appropriate CMMC level based on the following five factors:
      • Criticality of the associated mission capability.
      • Type of acquisition program or technology.
      • Threat of loss of the FCI or CUI to be shared or generated in relation to the effort.
      • Potential for and impacts from exploitation of information security deficiencies.
      • Other relevant policies and factors, including Milestone Decision Authority guidance.
  • Level 3 requirements, reserved for contracts handling the most sensitive CUI, build on a Level 2 C3PAO certification (a prerequisite) and add a DIBCAC assessment.

Does CMMC 2.0 flow down to subcontractors?

Yes—generally speaking, subcontracts will be subject to a CMMC 2.0 level that matches the sensitivity of the information they will handle in the performance of the subcontract. Prime contractors must ensure that their subcontractors have a current CMMC certificate or self-assessment at the required CMMC level appropriate to the information that is flowed down to the subcontractor.

What is the timeline for the rollout of CMMC 2.0?

CMMC 2.0 will be implemented in four phases over three years, with each of the first three phases lasting one year. Phase 1 begins upon the finalization of Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041).

  • Phase 1: Upon the above rule's finalization, CMMC Level 1 and Level 2 self-assessments will be a condition of award for new contracts that include a CMMC level requirement. A limited number of contracts may require Level 2 C3PAO assessments at DoD's discretion.
  • Phase 2: One year later, DoD will start adding Level 2 C3PAO certification requirements to applicable new contracts. Level 3 certification requirements will be incorporated into a limited number of applicable contracts at DoD's discretion.
  • Phase 3: One year after Phase 2, DoD will extend Level 2 C3PAO certification requirements to option periods on existing contracts, and Level 3 certification will be required on applicable new contracts.
  • Phase 4: Starting one year after Phase 3, CMMC will apply to all DoD contracts above the MPT where a contractor handles FCI or CUI (except for purely COTS contracts), including option periods on active contracts.*

*Applicable contracts that are not awarded or extended during the phased implementation will incorporate CMMC 2.0 requirements upon their award or extension.

