On October 15th, the United States Department of Defense (DoD) published the Final Rule for the Cybersecurity Maturity Model Certification (CMMC) program in Title 32 of the Code of Federal Regulations (CFR). This marks the culmination of the DoD’s journey to make CMMC law. With the timeline now fixed, starting next year prime contractors and their subcontractors who handle Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), will require a CMMC assessment.
Back in September 2020, the DoD introduced an interim rule under 48 CFR, establishing the initial framework for integrating CMMC into the federal acquisition process. This allowed for a phased implementation of cybersecurity standards for defense contractors. Now, with the publication of the 32 CFR Final Rule, which focuses on CMMC compliance enforcement, the timeline for meeting these requirements is clear. This means that by the second quarter of 2025, businesses that cannot provide an adequate score in SPRS may find themselves less competitive or even locked out of defense contracts.
Here’s what the publication of the Final Rule means for your business and how you can prepare.
Key Aspects of the Final Rule: What This Means for Your Business
Contractors and subcontractors handling FCI or CUI should be aware of the following:
- Consolidation and Alignment with Established Standards: CMMC combines Federal Acquisition Regulation (FAR) 52.204-21 and National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171 and -172, leading to 134 total security requirements for organizations at the highest level of certification.
- Conditional Certification: The rule introduces flexibility for contractors who achieve 80% compliance, allowing them to secure contracts with a 180-day window to close remaining gaps. However, it also enforces a strict deadline for full compliance.
In transitioning the defense supply chain to a mandatory CMMC compliance model, the Final Rule outlines key requirements for contractors:
- Mandatory Certification: All contractors dealing with CUI or FCI will need to meet specific CMMC levels to remain eligible for defense contracts.
- Third-Party Certification Required: For higher levels (Level 2 and above), contractors must undergo third-party assessments (C3PAO) to prove their cybersecurity capabilities. Only Level 1 allows for self-assessment.
- Phased Implementation: Over the next three years, CMMC will roll out in four phases, beginning with Level 1 self-assessments and culminating in full compliance with NIST SP 800-171 and 800-172 requirements—134 security controls in total.
- Ongoing Compliance: Certification is not a one-time task. To maintain it, businesses will need continuous monitoring, reassessments every three years, and annual affirmations of compliance.
Why You Need to Act Now
It is anticipated that CMMC Level 1 certification will be required within the next six months. For many organizations performing the gap analysis and implementing or enhancing controls is, at best case, a three-month endeavor. Here’s why you need to act now:
- Prime Contractor Requirements: Prime contractors are already actively reviewing their supply chain to ensure that they are able to meet DoD standards. These contractors are indicating that they want their suppliers to be ready in advance to reduce last minute risk for large contracts. As such, many are already seeking CMMC compliance.
- Missed Opportunities: Without a score and associated action plan, you won’t be able to bid on or maintain defense contracts.
- Penalties for Misrepresentation: Even during self-assessment, accurately reporting your compliance is critical. Misrepresentation could lead to penalties, so businesses should ensure they meet the necessary cybersecurity standards immediately, even before undergoing third-party assessments.
- Limited Availability of C3PAOs: With the demand for certified third-party assessors expected to skyrocket, waiting too long could mean significant delays in getting certified. This delay could cost your business contracts.
How Malleum Can Help
At Malleum, we specialize in leading businesses through their CMMC compliance journey. Here’s how we can support you:
- Gap Analysis: Malleum is a certified Registered Practitioner Organization with the CMMC governing body. As such we’re here to help not only in performing full Level 2 assessments but to develop and carry out implementation work, ensuring you are ready in time for your audit.
- Full Compliance Support: Malleum can support organizations with Level 1 self-assessments, ensuring they are complete and compliant. Our process will set you up for success and leave you with a long term process for managing CMMC.
- Get Ahead of the Curve: With the demand for C3PAO-led assessments set to spike, we can help you get ahead by preparing you for the process now.
Don’t wait until it’s too late—start your CMMC readiness journey today.