Network Security
CMMC Final Rule
The Cybersecurity Maturity Model Certification (CMMC) Final Rule is a critical update to the U.S. Department of Defense's (DoD) framework for safeguarding sensitive information within the defense industrial base (DIB). The final rule, published in October 2024, introduces significant changes that simplify the cybersecurity compliance process for contractors working with the DoD, while still ensuring that sensitive data like Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) is protected from cyber threats.
Key Objectives of CMMC
The core objective of the CMMC is to verify that defense contractors can adequately safeguard sensitive government information, including FCI and CUI, against rising cybersecurity threats. The framework particularly addresses threats posed by Advanced Persistent Threats (APTs)—cyber actors who are capable of launching long-term, sophisticated attacks on U.S. systems.
Levels of Certification
One of the most significant changes in the final rule is the reduction of the original five CMMC levels to three levels, simplifying compliance for contractors.
Level 1
Basic Cyber Hygiene
- Who it applies to: Contractors handling FCI.
- Assessment type: Self-assessment.
- Requirements: Compliance with Federal Acquisition Regulation (FAR) 52.204-21. This level includes basic cybersecurity measures that any organization should have, such as antivirus software, firewalls, and user authentication methods.
Level 2
Advanced Cyber Hygiene
- Who it applies to: Companies handling general CUI.
- Assessment type: Depending on the sensitivity of the data, either a self-assessment or a third-party assessment by a certified CMMC Third-Party Assessment Organization (C3PAO) is required.
- Requirements: Alignment with NIST SP 800-171 Rev. 2. This involves implementing a robust set of cybersecurity practices to secure CUI against moderately sophisticated threats.
Level 3
Expert Cyber Hygiene
- Who it applies to: Contractors handling more sensitive CUI, especially those facing risks from advanced persistent threats (APTs).
- Assessment type: A formal evaluation conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
- Requirements: Contractors must comply with both NIST SP 800-171 Rev. 2 and NIST SP 800-172 standards, which include advanced measures to counter sophisticated cyberattacks, such as network segmentation, advanced encryption, and threat monitoring systems.
Accountability and Enforcement
The final rule also introduces mechanisms for accountability and enforcement:
- Annual Affirmation: All certified contractors must annually affirm their cybersecurity practices, ensuring that their security measures remain compliant with CMMC requirements.
- False Claims Act Liability: Contractors who falsely claim compliance can face penalties under the False Claims Act, which holds entities accountable for misrepresenting their cybersecurity status.
Introduction of POA&Ms
A new feature in the final rule is the Plan of Action and Milestones (POA&M) provision. If a contractor cannot meet all the required cybersecurity standards, they can still obtain a conditional certification for up to 180 days while working on remediation. This grace period helps companies that are still in the process of upgrading their cybersecurity systems to continue competing for DoD contracts.
However, not all requirements are eligible for POA&Ms, and certain critical security controls must be in place before any certification is granted. For example, fundamental controls like user authentication and encryption are typically non-negotiable.
Impact on Small and Medium-Sized Businesses
The CMMC final rule is designed to minimize the burden on small and medium-sized businesses (SMBs), which often face challenges in meeting complex cybersecurity requirements. The streamlined three-level system, coupled with the ability to self-assess at Level 1 and in some cases at Level 2, reduces costs and administrative overhead for smaller companies that do not handle highly sensitive information.
However, all contractors—regardless of size—must comply with the new cybersecurity standards if they wish to bid on DoD contracts.
Timeline and Implementation
- December 2024: The DoD will begin accepting assessments from C3PAOs (CMMC Third-Party Assessment Organizations).
- Conditional Certification: Contractors will have the opportunity to receive temporary certification while resolving minor cybersecurity deficiencies.
Benefits of the CMMC Program
- Protection of Warfighter Information: CMMC helps safeguard sensitive information that could be exploited to harm U.S. military operations or personnel.
- Enhanced Cybersecurity Resilience: The program helps contractors implement modern cybersecurity practices that meet evolving threats.
- Collaboration and Trust: The DoD emphasizes a culture of collaboration between industry and government to maintain high cybersecurity standards while maintaining public trust in the security of defense-related systems.
In summary, the CMMC Final Rule aims to ensure that contractors working with the DoD adopt and maintain robust cybersecurity practices while simplifying the process for smaller businesses. The accountability measures it introduces, together with the flexibility offered by POA&Ms, are designed to promote compliance while addressing the realities of evolving cybersecurity threats.