CMMC Programmatic Final Rule Status

CMMC Programmatic Final Rule Status: What It Means for Defense Contractors

This article was updated to reflect the Cybersecurity Maturity Model Certification (CMMC) Programmatic final rule, which went into effect on December 16, 2024.

The Cybersecurity Maturity Model Certification (CMMC) Programmatic Rule was published to the Federal Register on October 15, 2024 and went into effect on December 16, 2024. Contractors should begin taking steps to ensure compliance, as failure to comply with these standards can result in exclusion from Department of Defense (DoD) contracts, posing significant risks to business operations and financial stability.

The CMMC Program is designed to provide increased assurance to the DoD that defense contractors and subcontractors are compliant with information protection requirements for federal contract information (FCI) and controlled unclassified information (CUI), and are protecting such information at a level commensurate with risk from cybersecurity threats, including Advanced Persistent Threats (APTs). It establishes prescribed cybersecurity standards that all contractors handling FCI and CUI must meet to qualify for DoD contracts.

Current Status of the CMMC Acquisition Rule (48 CFR)

The CMMC Acquisition Rule proposes amendments to Title 48 of the Code of Federal Regulations (CFR) to integrate CMMC requirements into the Defense Federal Acquisition Regulation Supplement (DFARS). A key amendment in the proposed rule is the revision of the existing DFARS clause 252.204-7021, which establishes the CMMC requirements that apply to contractors and subcontractors handling FCI and/or CUI. Once finalized, the amendments will allow the DoD to incorporate CMMC requirements into DoD solicitations and contracts; the CMMC requirements will take effect on the date the revision to the DFARS becomes effective. Several key milestones have marked the path toward finalization:

  1. Proposed Rule Publication: The DoD published the proposed rule to amend 48 CFR on August 15, 2024, detailing contract requirements for Defense Industrial Base (DIB) organizations concerning compliance with CMMC.
  2. Public Comment Period: The proposed rule was open for public comment for 60 days, ending on October 15, 2024. Stakeholders were invited to provide feedback on the proposed rule.
  3. DoD Review and Adjudication of Public Comments: The DoD is in the process of reviewing all submitted comments, analyzing feedback to determine the impact and relevance of the concerns raised. The DoD will respond to significant comments, either by making adjustments to the proposed rule, providing clarifications or explaining why certain suggestions were not incorporated. After considering public input, the final rule will be sent to the Office of Information and Regulatory Affairs (OIRA) for review prior to being published to the Federal Register. Given the relatively modest number of comments, it is anticipated that the DoD may expedite the adjudication process and issue a final rule in early 2025.
  4. OIRA Review and Clearance: Following review and adjudication of public comments by the DoD, OIRA will complete a review of the final rule. This review will ensure that the rule aligns with Executive Order 12866, which requires significant regulatory actions to be consistent with federal guidelines. OIRA’s clearance will signify that the rule has met all necessary regulatory standards, allowing it to advance to the next phase.
  5. Final Rule Anticipation: Currently, the DoD is reviewing public comments and preparing the final rule. The final acquisition rule is expected to be published in early-to-mid 2025.
  6. Phased Implementation: Once the final rule is effective, the DoD plans a phased approach to implement the CMMC requirements in contracts over a three-year period. During this time, program managers will have the discretion to include CMMC in contracts. See details in the next section regarding the phased implementation of the CMMC requirements.

Phased Implementation of CMMC Requirements

The DoD has adopted a phased approach to implementing the CMMC requirements to ensure contractors have sufficient time to achieve compliance while securing the DIB. This gradual rollout allows organizations to align their cybersecurity practices with federal requirements while avoiding disruptions to critical defense operations. Below is an overview of the key phases:

Phase 1
  Summary:
    • The DoD intends to include CMMC Level 1 or CMMC Level 2 Self-Assessment requirements in all applicable DoD solicitations and contracts as a condition of contract award.
    • The DoD may include:
      • CMMC Level 1 or CMMC Level 2 Self-Assessment requirements in applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date.
      • CMMC Level 2 Certification Assessment (C3PAO) requirements in place of CMMC Level 2 Self-Assessment requirements for applicable DoD solicitations and contracts.
  Timeline: Begins on the effective date of the CMMC Acquisition final rule (the revision to DFARS 252.204-7021 in 48 CFR).

Phase 2
  Summary:
    • The DoD intends to include CMMC Level 2 Certification Assessment (C3PAO) requirements in all applicable DoD solicitations and contracts as a condition of contract award.
    • The DoD may:
      • Delay the inclusion of the CMMC Level 2 Certification Assessment (C3PAO) requirement to an option period instead of as a condition of contract award.
      • Include CMMC Level 3 Certification Assessment (DIBCAC) requirements in applicable DoD solicitations and contracts.
  Timeline: Begins one calendar year following the start date of Phase 1.

Phase 3
  Summary:
    • CMMC Level 2 Certification Assessment (C3PAO) requirements are included in all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded after the effective date.
    • CMMC Level 3 Certification Assessment (DIBCAC) requirements are included in all applicable DoD solicitations and contracts as a condition of contract award.
    • The DoD may:
      • Delay the inclusion of the CMMC Level 3 Certification Assessment (DIBCAC) requirement to an option period instead of as a condition of contract award.
  Timeline: Begins one calendar year following the start date of Phase 2.

Phase 4
  Summary:
    • Full implementation. The DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts, including option periods on contracts awarded prior to the beginning of Phase 4.
  Timeline: Begins one calendar year following the start date of Phase 3.

Structure and Requirements of the Final CMMC Programmatic Rule (32 CFR Part 170)

The finalized CMMC Programmatic Rule establishes a framework (the “CMMC Model”) to ensure that contractors in the DIB implement cybersecurity practices sufficient to protect sensitive information such as FCI and CUI. The CMMC Model incorporates the security requirements from: 1) FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems; 2) NIST SP 800-171 Rev 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations; and 3) a subset of the requirements from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. The CMMC Model consists of domains that map to the security requirement families defined in NIST SP 800-171 Rev 2. CMMC defines three levels, described below:

  • Level 1: Level 1 focuses on the protection of FCI and consists of the security requirements that correspond to the 15 basic safeguarding requirements specified in 48 CFR 52.204-21, commonly referred to as the FAR Clause. 
  • Level 2: Level 2 focuses on the protection of CUI and incorporates the 110 security requirements specified in NIST SP 800-171 Rev 2. 
  • Level 3: Level 3 focuses on the protection of CUI and encompasses a subset of the NIST SP 800-172 security requirements with DoD-approved parameters where applicable, as identified in 32 CFR § 170.14(c)(4).

Implications for Defense Contractors

Now that the CMMC Programmatic Rule (32 CFR Part 170) has been published to the Federal Register and is in effect as of December 16, 2024, defense contractors must take immediate steps to ensure compliance. With the rule in effect, C3PAOs that have been authorized under it can begin conducting CMMC Level 2 certification assessments and issuing Level 2 certificates of CMMC Status without the involvement of the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The following actions are recommended for all contractors within the defense supply chain:

  1. Evaluate Current Cybersecurity Practices: Contractors should conduct a thorough assessment of their existing cybersecurity posture to determine which CMMC level applies to their operations.
  2. Implement Necessary Cybersecurity Controls: Based on the applicable CMMC level, contractors must implement the required controls to meet certification standards. This may involve significant investment in technology, processes and personnel training.
  3. Develop Program Documentation: Contractors must develop the documentation required to support their CMMC program, including a system security plan, a shared responsibility matrix, an incident response plan, and other supporting policies and procedures.
  4. Engage in Readiness Activities: Contractors should begin engaging with a qualified provider to schedule a gap or mock assessment to identify any potential deficiencies that could hinder certification.
  5. Conduct a Self-Assessment: Contractors are required to complete a self-assessment before undergoing the certification assessment conducted by an authorized C3PAO. 

Support and Guidance from Cherry Bekaert

Navigating CMMC compliance can be challenging. Cherry Bekaert offers tailored services to support organizations through every stage of the process. Whether you need a readiness assessment, gap analysis or help with achieving certification, our qualified team provides the guidance needed to meet CMMC standards and secure your position in the defense supply chain.

Conclusion

The finalization of the CMMC Programmatic Rule (32 CFR Part 170) represents a significant advancement in the DoD’s efforts to safeguard FCI and CUI within the defense supply chain. The next step will be finalization of the CMMC Acquisition Rule (48 CFR), which will contractually enforce CMMC requirements on contractors. Failure to comply with CMMC once it is enforceable could result in being barred from award of, or from performing on, DoD contracts.

As the rule moves closer to becoming enforced, it is imperative for all defense contractors to stay informed, prepare for certification and ensure compliance with these new cybersecurity requirements. The future of national security and defense contracting depends on the successful implementation of these standards, which will play a critical role in protecting the integrity and resilience of the Defense Industrial Base.

For more information on the CMMC rule and its implications, please refer to the references below:

References:

  1. https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program
  2. https://www.federalregister.gov/documents/2024/08/15/2024-18110/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
  3. https://dodcio.defense.gov/Portals/0/Documents/CMMC/ModelOverviewv2.pdf

Contact Us

If you have any questions regarding CMMC, Cherry Bekaert’s Information Assurance & Cybersecurity and Government Contracting advisors are available to discuss your situation with you.

Contributors

Steven J. Ursillo, Jr.

Information Assurance & Cybersecurity

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC


Kurt Manske

Information Assurance & Cybersecurity Leader

Partner, Cherry Bekaert Advisory LLC


Brian Kirk

Information Assurance & Cybersecurity

Sr. Manager, Cherry Bekaert Advisory LLC
