ARTICLE
21 November 2024

Understanding The Cybersecurity Maturity Model Certification (CMMC) Program: Essential Steps For Defense Contractors

K&L Gates LLP


The Department of Defense (DoD) published the updated Cybersecurity Maturity Model Certification (CMMC) Program to enforce existing cybersecurity standards across the defense industrial base. This program is designed to ensure the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from growing cyber threats. CMMC requirements will be phased into contracts starting in 2025, marking a shift in accountability for safeguarding non-public information throughout the Defense Industrial Base (DIB).

Key Aspects of the CMMC Program

The CMMC framework includes three certification levels, each with progressively more stringent requirements based on the sensitivity of the information handled. Level 1 requires contractors to complete a self-assessment covering the 15 basic safeguards outlined in FAR 52.204-21. Level 2 requires contractors to implement the 110 requirements of NIST SP 800-171 and adds a third-party assessment for some contracts. Level 3 adds 24 additional requirements from NIST SP 800-172, with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducting assessments every three years.

Certification Process and Compliance Steps

Each certification level requires specific accountability measures. Level 1 and certain Level 2 contractors conduct self-assessments and report their scores to DoD's Supplier Performance Risk System (SPRS). For some Level 2 and all Level 3 certifications, contractors must undergo a third-party assessment by a certified C3PAO or DIBCAC. Contractors may use a Plan of Action and Milestones (POA&M) for up to 180 days to address gaps in requirements.

Contractors must submit an annual affirmation to maintain certification, while periodic reassessments ensure ongoing compliance. If requirements cannot be implemented, contractors may request enduring exceptions, particularly if specific technologies lack compatibility with a requirement.

Integration of CMMC Requirements in DoD Contracts

DoD will roll out CMMC requirements across contracts gradually, with full implementation expected by 2028. Initially, CMMC requirements will apply only to contracts requiring Level 1 or Level 2 self-assessments, but all contracts involving FCI and CUI will include CMMC requirements by 2028. This phased approach gives contractors time to comply yet underscores the need for prompt action.

Implications for the Defense Supply Chain

CMMC requirements extend beyond prime contractors to subcontractors handling FCI or CUI. Prime contractors must ensure their subcontractors meet the necessary certification level, creating accountability across the supply chain.

Preparing for CMMC Certification

To prepare for certification, contractors should conduct a thorough internal cybersecurity review under privilege to identify gaps. Contractors who handle CUI must develop a System Security Plan (SSP) to document compliance strategies. Engaging a C3PAO for higher-level certifications and reviewing subcontractor compliance are key steps. Acting early allows contractors to align cybersecurity practices with CMMC requirements.

Conclusion

The CMMC Program shows the DoD's commitment to securing its supply chain. Contractors who fail to comply with CMMC requirements risk losing DoD contracts and/or facing government enforcement actions. Defense contractors who plan ahead and take necessary actions will maintain contract eligibility and safeguard sensitive information effectively.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
