ARTICLE
13 November 2025

CMMC And The Future Of Cybersecurity In The Defense Industrial Base

Arnold & Porter

Arnold & Porter is a firm of more than 1,000 lawyers, providing sophisticated litigation and transactional capabilities, renowned regulatory experience and market-leading multidisciplinary practices in the life sciences and financial services industries. Our global reach, experience and deep knowledge allow us to work across geographic, cultural, technological and ideological borders.

The Department of Defense (DoD) has long been concerned about cybersecurity within the Defense Industrial Base (DIB) and has been a leader within the U.S. Government in establishing cybersecurity standards. DoD was among the first agencies to require contractors to implement National Institute of Standards and Technology (NIST) security standards, including NIST Special Publication (SP) 800-171, and to report cyber incidents. In recent years, DoD (and the Government more broadly) has become concerned about contractor compliance with those requirements. Enter the Cybersecurity Maturity Model Certification (CMMC), which is, at its core, a cybersecurity compliance certification and verification program. This BRIEFING PAPER discusses (1) the history and underpinnings of CMMC, (2) CMMC requirements, (3) enforcement risks, (4) key takeaways for defense contractors, and (5) practical guidelines.

The Development Of CMMC

The underpinnings of CMMC date back to when the Federal Acquisition Regulation (FAR) Council issued FAR 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems," and DoD issued Defense FAR Supplement (DFARS) 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting." Those clauses establish the foundational substantive cybersecurity requirements for CMMC.

In May 2016, the FAR Council created FAR 52.204-21.1 That clause applies to all "solicitations and contracts when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system" except for contracts for commercially available off-the-shelf (COTS) items.2 Information qualifies as federal contract information (FCI) if it is (1) "not intended for public release"; (2) "is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government"; and (3) is not "simple transactional information, such as [information] necessary to process payments."3 This definition is intentionally broad, and there are no markings for FCI, meaning if there is any possibility that a contractor information system will store, process, or transmit FCI, the contractor should implement FAR 52.204-21.4 To implement FAR 52.204-21, prime contractors and subcontractors with covered contractor information systems must implement 15 security controls, which include information system and facility security controls.5

In November 2013, DoD issued DFARS 252.204-7012, which imposes information system security and cyber incident reporting requirements.6 Most relevant to CMMC, DFARS 252.204-7012 requires contractors that will store, process, or transmit covered defense information (CDI),7 which includes controlled unclassified information (CUI) that is "[c]ollected, developed, received, transmitted, used, or stored by or on behalf of the contractor in performance of the contract," to "provide adequate security on all covered contractor information systems."8 For unclassified contractor information systems, that means complying with NIST SP 800-171.9 Although NIST has issued Revision 3 of NIST SP 800-171, DoD requires compliance with Revision 2 for purposes of DFARS 252.204-7012 (and now for CMMC).10 For external cloud service providers that store, process, or transmit CDI in connection with contract performance, adequate security means meeting the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.11 DFARS 252.204-7012 also requires contractors to report cyber incidents.12

Based on concerns about contractor compliance with cybersecurity requirements, DoD issued an interim rule effective November 30, 2020, establishing DoD NIST SP 800-171 assessment and reporting requirements and the initial CMMC program (CMMC 1.0).13 DoD implemented those requirements through three new clauses: DFARS 252.204-7019, "Notice of NIST SP 800-171 DoD Assessment Requirements"; DFARS 252.204-7020, "NIST SP 800-171 DoD Assessment Requirements"; and DFARS 252.204-7021, "Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirement."

DFARS 252.204-7019 and DFARS 252.204-7020, which remain in effect today, require defense contractors (both prime contractors and subcontractors) to meet DoD NIST SP 800-171 assessment requirements for covered contractor information systems. Specifically, defense contractors must use the NIST SP 800-171 DoD Assessment Methodology to measure the extent to which they have implemented NIST SP 800-171 security controls for covered contractor information systems. There are three assessment levels: Basic, Medium, and High. For a Basic Assessment, the contractor reviews its system security plans (SSPs) for covered contractor information systems.14 DoD has "low confidence" in a Basic Assessment's accuracy because it is performed by the contractor. For a Medium Assessment, DoD attempts to verify a contractor's Basic Assessment by reviewing the contractor's Basic Assessment and related documents and seeking clarification as needed.15 A Medium Assessment results in a Medium level of confidence. A High Assessment requires DoD to conduct its own thorough assessment of the contractor's covered information systems, SSP, and other documents, and a High Assessment results in a High level of confidence.16 Each assessment results in a score ranging from -203 (no NIST SP 800-171 controls implemented) to 110 (full implementation of NIST SP 800-171 controls), and contractors must enter that score into the Supplier Performance Risk System (SPRS). An assessment is current if it is no more than three years old.17

In that same interim rule, DoD issued DFARS 252.204-7021 to implement CMMC 1.0. DoD subsequently suspended CMMC 1.0 and began a years-long effort to create CMMC 2.0.

CMMC 2.0

CMMC 2.0 is the product of a two-part rulemaking. On October 15, 2024, DoD issued a final rule codifying regulations at 32 C.F.R. Part 170 to establish the fundamentals of the CMMC program (the "Program Rule"),18 and on September 10, 2025, DoD issued a final rule revising the DFARS to implement CMMC into DoD solicitations and contracts (the "DFARS Rule").19 The CMMC four-phase implementation process begins November 10, 2025, when the DFARS Rule takes effect.

Applicability

CMMC applies to all DoD prime contractors and subcontractors that will store, process, or transmit FCI or CUI on unclassified contractor information systems while performing a DoD contract, other than a contract exclusively for commercially available off-the-shelf (COTS) items.20 (The Program Rule refers to prime contractors and subcontractors subject to CMMC as Organizations Seeking Assessment (OSAs),21 and we use that term at certain points in this BRIEFING PAPER.) CMMC requirements are not limited to information systems owned by the contractor. External service providers (ESPs), including cloud service providers (CSPs),22 that will store, process, or transmit FCI or CUI for the contractor must also meet CMMC requirements.

CMMC Levels, Assessments, SPRS Data, And Affirmations

CMMC requirements are divided across three CMMC levels, and the security control and assessment requirements increase with the CMMC level. To be eligible for award in a DoD procurement, an offeror must achieve the CMMC level specified in the solicitation by the time of contract award. DoD contractors must maintain compliance throughout contract performance.

CMMC Level 1 applies where defense contractors will store, process, or transmit FCI (but not CUI) on their information systems. To achieve CMMC Level 1, contractors must implement each of the 15 security controls in FAR 52.204-21(b). Plans of action and milestones (POAMs) are not allowed for CMMC Level 1.23

CMMC Level 2 applies where defense contractors will store, process, or transmit CUI on their information systems. DoD will accept Conditional CMMC Level 2 status temporarily. To achieve Conditional CMMC Level 2 status, contractors must implement all critical requirements and at least 80% of the NIST SP 800-171 security controls overall.24 All non-critical security controls that are not met must be documented in a POAM, and the POAM must be closed out within 180 days of the Conditional CMMC Level 2 Status Date. If a contractor does not close out the POAM within 180 days and achieve Final CMMC Level 2 status, which is when the contractor has implemented all NIST SP 800-171 security controls, the Conditional CMMC Level 2 status lapses.25

There are two types of CMMC Level 2 assessments: self-assessments and certification assessments. For self-assessments, the contractor evaluates its own information system's compliance with NIST SP 800-171.26 Certification assessments are performed by CMMC Third-Party Assessment Organizations (C3PAOs).27 Solicitations and contracts will specify whether a self-assessment or a certification assessment is required. Assessments, whether self-assessments or certification assessments, are valid for three years, but the contractor's Affirming Official (i.e., "the senior level representative" who is responsible for and has authority to affirm continuous compliance with security requirements)28 must certify continuous compliance annually.29 Significantly, contractors should not assume that self-assessments will be sufficient. DoD stated in the DFARS Rule that it anticipates 35% of defense contractors will require a CMMC Level 2 certification assessment and only 2% of defense contractors will require a CMMC Level 2 self-assessment. (Another 62% of contractors will require only CMMC Level 1, and the remaining 1% of contractors will require CMMC Level 3.)30 This shows that when a solicitation or contract requires CMMC Level 2, contractors will almost always need a certification assessment rather than a self-assessment.

CMMC Level 3 is required for certain contracts where DoD determines that additional security controls are needed to protect CUI from Advanced Persistent Threats. To meet CMMC Level 3, contractors must achieve CMMC Levels 1 and 2 and implement 24 additional requirements from NIST SP 800-172.31 Contractors can achieve Conditional CMMC Level 3 status if they implement certain critical requirements and at least 80% of the 24 additional requirements overall.32 As with CMMC Level 2, contractors must document all controls that they have not met in a POAM and close out the POAM within 180 days, or the Conditional CMMC Level 3 status lapses.33 CMMC Level 3 assessments are performed by the Defense Contract Management Agency, Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).34 Similar to CMMC Level 2, a CMMC Level 3 status is valid for three years,35 and the Affirming Official must annually certify continuous compliance.36

Regardless of the level, CMMC data (CMMC Level, CMMC Status Date, CMMC Assessment Scope, applicable CAGE code(s), and the compliance result) must be entered into SPRS. For self-assessments, the OSA enters the data into SPRS.37 For CMMC Level 2 C3PAO assessments, the C3PAO reports the compliance results into eMASS, which transmits the data to SPRS.38 For CMMC Level 3, DIBCAC reports the compliance results into eMASS, which transmits the data to SPRS.39

CMMC Scoping

A critical element of CMMC compliance is identifying the information systems that will fall within the scope of the CMMC assessment. The scoping process depends on the CMMC level pursued.

A contractor that is seeking only a CMMC Level 1 assessment must identify which information systems will store, process, or transmit FCI.40 The CMMC Level 2 scope is broader and includes CUI Assets, Security Protection Assets (SPAs), Contractor Risk Managed Assets (CRMAs), and Specialized Assets. CUI Assets (i.e., "[a]ssets that process, store, or transmit CUI") must be assessed against all NIST SP 800-171 security controls.41 SPAs (i.e., "[a]ssets that provide security functions or capabilities to the OSA's CMMC Assessment Scope"), such as firewalls, must be assessed against all NIST SP 800-171 security controls "that are relevant to the capabilities provided."42 CRMAs (i.e., "assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place") are subject to a more limited assessment. CRMAs are not assessed against all NIST SP 800-171 security controls, but CRMAs must be sufficiently documented in the SSP. If that documentation raises concerns, CRMAs can be subject to "a limited check to identify deficiencies."43 For Specialized Assets (i.e., "[a]ssets that can process, store, or transmit CUI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment"), assessments are limited to reviewing SSP documentation.44 Assets that do not store, process, or transmit CUI; assets that do not qualify as SPAs; and assets that are separated (physically or logically) from CUI assets are out of scope.45

The CMMC Level 3 scope builds upon CMMC Level 2. CUI Assets, CRMAs, SPAs, and Specialized Assets are subject to a limited check against NIST SP 800-171 security controls (those assets had to meet those controls as part of CMMC Level 2) and are assessed against all applicable NIST SP 800-172 security controls.46 Similar to CMMC Level 2, assets that cannot store, process, or transmit CUI; assets that do not qualify as SPAs; and assets that are separated (physically or logically) from CUI assets are out of scope.47

Originally published by Thomson Reuters

Footnotes

1 81 Fed. Reg. 30439 (May 16, 2016).

2 FAR 4.1903; see FAR 4.1902.

3 FAR 52.204-21(a).

4 81 Fed. Reg. at 30441 ("The intent is that the scope and applicability of this rule be very broad, because this rule requires only the most basic level of safeguarding. . . . The focus of the final rule is shifted from the safeguarding of specific information to the basic safeguarding of certain contractor information systems. Therefore, it is not necessary to draw a fine line as to what information was 'generated for the Government,' when the information is received, or whether the information is marked.").

5 FAR 52.204-21(b)(1).

6 78 Fed. Reg. 69273 (Nov. 18, 2013).

7 DFARS 252.204-7012 defines CDI as CUI that is "(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract." DFARS 252.204-7012(a).

8 DFARS 252.204-7012(b).

9 DFARS 252.204-7012(b)(2)(i).

10 See Class Deviation 2024-O0013, Revision 1—Safeguarding Covered Defense Information and Cyber Incident Reporting (May 24, 2024), https://www.acq.osd.mil/dpap/policy/policyvault/USA001074-24-DPC.pdf.

11 DFARS 252.204-7012(b)(2)(ii)(D).

12 DFARS 252.204-7012(c).

13 85 Fed. Reg. 61505 (Sept. 29, 2020).

14 DFARS 252.204-7020(a).

15 DFARS 252.204-7020(a).

16 DFARS 252.204-7020(a).

17 DFARS 252.204-7019(b) ("In order to be considered for award, if the Offeror is required to implement NIST SP 800-171, the Offeror shall have a current assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) (see 252.204-7020) for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.").

18 89 Fed. Reg. 83092 (Oct. 15, 2024).

19 90 Fed. Reg. 43560 (Sept. 10, 2025).

20 32 C.F.R. § 170.3(a).

21 See 32 C.F.R. § 170.4(b) (definition of "Organization Seeking Assessment").

22 See 32 C.F.R. § 170.4(b) (definition of "Cloud Service Provider").

23 32 C.F.R. § 170.15(a)(1).

24 See 32 C.F.R. § 170.21(a)(2).

25 32 C.F.R. § 170.21(b).

26 32 C.F.R. § 170.16.

27 32 C.F.R. § 170.17; see 32 C.F.R. § 170.4(b) (definition of "CMMC Third-Party Assessment Organizations").

28 See 32 C.F.R. § 170.4(b) (definition of "Affirming Official").

29 32 C.F.R. § 170.22.

30 90 Fed. Reg. 43560, 43573 (Sept. 10, 2025).

31 32 C.F.R. § 170.18.

32 32 C.F.R. § 170.21(a)(3).

33 32 C.F.R. § 170.21(b).

34 32 C.F.R. § 170.21(b).

35 32 C.F.R. § 170.18(a)(1).

36 32 C.F.R. § 170.22.

37 32 C.F.R. §§ 170.15(a)(1), 17.16(a)(1).

38 32 C.F.R. § 170.17(a)(1).

39 32 C.F.R. § 170.18(a)(1).

40 32 C.F.R. § 170.19(b).

41 32 C.F.R. § 170.19(c).

42 32 C.F.R. § 170.19(c).

43 32 C.F.R. § 170.19(c).

44 32 C.F.R. § 170.19(c).

45 32 C.F.R. § 170.19(c).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.