This article was updated to reflect the finalized Cybersecurity Maturity Model Certification (CMMC) acquisition rule under 48 CFR Parts 204, 212, 217, and 252. The rule was published in the Federal Register on September 10, 2025, and will go into effect 60 days later on November 10, 2025.
The Department of Defense (DoD) issued guidance in January 2025 for implementing the Cybersecurity Maturity Model Certification (CMMC) program, which aims to bolster the cybersecurity posture of the defense industrial base (DIB). The program exists to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) held on contractor systems from increasingly sophisticated cyber threats.
Key Highlights of CMMC Guidance
- The CMMC program is designed to enhance the security of DoD information by requiring pre-award assessments of contractor information systems against prescribed cybersecurity standards.
- The CMMC Program final rule, published on October 15, 2024, is codified in Title 32 CFR Part 170 and outlines three levels of assessment.
- Defense contractors can seek a certification waiver using the process provided in the recently issued guidance.
- CMMC certifications will be integrated into contracts through phases of implementation, with the final stage in 2028.
CMMC Assessment Levels and Requirements for DoD Contractors
The guidance outlines the three CMMC assessment levels. These levels ensure the appropriate cybersecurity measures are in place based on the sensitivity and criticality of the information being handled.
CMMC Level 1 (Self-Assessment)
This level applies to contracts that involve only FCI. The 15 security requirements are the basic safeguarding requirements of FAR clause 52.204-21. FCI excludes information the government provides to the public (for example, on public websites) and simple transactional information such as that needed to process payments. Contractors must conduct an annual self-assessment in accordance with the procedures set forth in § 170.15(c)(1), submit the results in the Supplier Performance Risk System (SPRS), and have a senior official affirm continuing compliance.
CMMC Level 2 (Self-Assessment or Certification)
This level applies to contracts involving CUI. Compliance is demonstrated either through a self-assessment (CMMC Status of Level 2 (Self)) or through a certification assessment performed by a CMMC Third-Party Assessment Organization (Level 2 (C3PAO)); the DoD specifies which assessment type applies in each solicitation, and primes flow the applicable requirement down to subcontractors that handle CUI. In either case the contractor must implement all 110 security requirements of NIST SP 800-171 Rev. 2 to receive a CMMC Status of Final. A Plan of Action and Milestones (POA&M) is permitted for both assessment types, but only if the assessment score is at least 80 percent of the maximum (88 of 110 requirements met) and none of the requirements excluded from POA&M treatment under 32 CFR § 170.21 are open. The resulting status is Conditional, and every POA&M item must be closed out within 180 days of the CMMC Status Date; otherwise the Conditional status expires and the contractor is no longer eligible for awards that require Level 2.
CMMC Level 3 (Certification)
This level applies to contracts for the highest-priority programs that require enhanced protection against Advanced Persistent Threats (APTs). The certification assessment is government-led, conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC) against 24 selected requirements from NIST SP 800-172. These requirements focus on enhanced safeguards for CUI associated with breakthrough, unique or advanced technology, significant aggregation of CUI, or scenarios where the ubiquity of a system could result in widespread vulnerability if compromised. A contractor seeking a Level 3 certificate must first hold a CMMC Status of Final Level 2 (C3PAO) for the same assessment scope before the government-led Level 3 assessment can take place.
DoD CMMC Levels Implementation
Program managers and requiring activities must follow the CMMC program implementation phases outlined in Title 32 CFR § 170.3(e).
Implementation Timeline
The DoD has finalized the CMMC acquisition rule under 48 CFR Parts 204, 212, 217, and 252. The rule was published in the Federal Register on September 10, 2025, and will go into effect 60 days later, on November 10, 2025.
Beginning November 10, 2025, DoD contracting officers will be authorized to include CMMC Level 1 (Self) requirements in applicable solicitations and contracts involving FCI, and CMMC Level 2 (Self) requirements in applicable solicitations and contracts involving CUI, as a condition of award.
One year after the rule's effective date, CMMC Level 2 (C3PAO) certification assessments will be required, as applicable. CMMC Level 3 certification assessments will be required two years after the effective date, as appropriate.
| Phase | Start date | Requirements |
| --- | --- | --- |
| Phase 1 | November 10, 2025 | CMMC Level 1 (Self) or Level 2 (Self) status requirements are included in applicable DoD solicitations and contracts as a condition of award. DoD may, at its discretion, require Level 2 (C3PAO) in place of Level 2 (Self). Offerors must meet the applicable CMMC level requirements to be eligible for award. |
| Phase 2 | November 10, 2026 | One year after the start of Phase 1, CMMC Level 2 (C3PAO) status requirements are included in applicable solicitations and contracts as a condition of award. DoD may, at its discretion, include Level 3 (DIBCAC) requirements. |
| Phase 3 | November 10, 2027 | One year after the start of Phase 2, CMMC Level 3 (DIBCAC) status requirements are included in applicable solicitations and contracts as a condition of award, and Level 2 (C3PAO) requirements extend to option periods on applicable existing contracts. |
| Phase 4 | November 10, 2028 | One year after the start of Phase 3, full implementation: DoD includes the applicable CMMC level requirements in all applicable solicitations and contracts, including option periods on contracts awarded before Phase 4. Contractors must satisfy the applicable CMMC level requirements. |
Responsibilities of Program Managers
Program managers and requiring activities are responsible for determining the appropriate CMMC assessment level for each contract and for ensuring compliance with the guidance. A CMMC Level 2 third-party (C3PAO) assessment is expected to be the minimum assessment requirement when the planned contract will require the contractor (or a subcontractor) to process, store, or transmit CUI categorized under the Defense Organizational Index Grouping of the National Archives' CUI Registry.
Department of Defense CMMC Waiver Process
The Office of the Secretary of Defense memorandum published on January 15, 2025 provides a process for waiving CMMC assessment requirements under specific circumstances.
By following these guidelines, defense agencies can ensure that the waiver process is conducted in a structured and transparent manner while still maintaining the necessary cybersecurity protections for sensitive information.
Approval Authority
Waivers for CMMC assessment requirements must be approved by the service acquisition executive (SAE) or component acquisition executive (CAE). All waiver requests must be coordinated through the component chief information officer (CIO) before seeking SAE or CAE approval.
Coordination for Defense Acquisition Executive Oversight
For programs under Defense Acquisition Executive (DAE) oversight, waiver requests must be coordinated through the component CIO, the program executive officer, the CAE or SAE, and the Office of the DoD CIO.
Scope of Waivers
Waivers can be requested and approved for individual procurements or a class of procurements. These waivers impact only whether CMMC assessments must be included in solicitation documents and resultant contracts.
Reporting Requirements
SAEs and CAEs are required to report CMMC waiver data quarterly to the Office of the Under Secretary of Defense (USD) for Acquisition and Sustainment, the USD for Intelligence and Security, the USD for Research and Engineering, and the Office of the DoD CIO.
Phase-In of CMMC Assessment Requirements
Program managers and requiring activities should identify information security requirements for the types of information most likely to be associated with the planned contract effort. If market research indicates that including a CMMC assessment requirement may impede the ability to generate robust competition or delay delivery of mission-critical capabilities, the SAE, CAE or DAE may approve requests to waive inclusion of CMMC assessment requirements.
Waiver Limitations
- CMMC Level 1: No circumstances are likely to warrant approval of requests to waive CMMC Level 1 requirements, as it is a self-assessment requirement designed to provide added insight into or assurance of the offeror's compliance with FAR clause 52.204-21.
- CMMC Level 2: Waivers for CMMC Level 2 self-assessment requirements are unlikely to be approved due to the pre-existing minimum requirement for a basic self-assessment under DFARS 252.204-7019. However, in rare circumstances, waivers for CMMC Level 2 third-party assessment requirements may be warranted, especially when seeking competition from non-traditional DoD sources.
- CMMC Level 3: Waivers for CMMC Level 3 certification assessment requirements may be warranted in rare circumstances. However, such waivers are not appropriate for contracts or work statements that require access to both unclassified and classified DoD information.
Conclusion
The DoD's new guidance on implementing CMMC requirements marks a significant step forward in protecting sensitive information within the defense industrial base. By adhering to these guidelines, defense agencies can better safeguard their information systems and maintain the integrity of their operations.
As a CMMC Third-Party Assessment Organization (C3PAO), Cherry Bekaert brings extensive experience navigating the complexities of CMMC requirements. Our Information Assurance & Cybersecurity and Government Contracting professionals are well equipped to support your organization's compliance initiatives. With a deep understanding of the evolving regulatory landscape, we provide tailored solutions to ensure the necessary requirements are met efficiently.
If you have any questions or need guidance on CMMC implementation or compliance initiatives, our CMMC advisors are available to discuss your unique situation and help you navigate the process with confidence.