
CMMC final rule published

November 14, 2024 | Hollie Kapos


The first time I heard about the Cybersecurity Maturity Model Certification (CMMC) was June 8, 2019, at an Association of Corporate Counsel event, where Katherine Arrington, then special assistant to the assistant secretary of defense for acquisition for cyber at the Department of Defense (DoD), spoke about the initiative.

Ms. Arrington explained that exfiltration of U.S. government information is the biggest threat to our nation and that government and industry need to work together to fight it. To reduce risk in the supply chain, DoD had issued DFARS 252.204-7012 in 2016, which requires contractors to implement the security controls in NIST SP 800-171. However, DoD determined this was not enough: the 800-171 approach was too flexible, because contractors self-certified their compliance rather than being held to firm, verified requirements. Accordingly, DoD engaged Johns Hopkins Applied Physics Lab, Carnegie Mellon Software Engineering Institute, the Defense Industrial Base Sector Coordinating Council, and others to develop one unified cybersecurity standard, which became the basis for CMMC.


At that time, the plan was to require a third-party assessment of every link in the supply chain, with certification levels ranging from basic cybersecurity hygiene at level 1 to very robust requirements at level 5. CMMC would be incorporated into all DoD solicitations as a go/no-go factor beginning June 2020, with no exception for commercial products and services, or even commercial off-the-shelf (COTS) items.


After five years, multiple delays, and a major revision to CMMC 2.0, the final rule establishing the CMMC program was published October 15, 2024. However, the requirement should not appear in contracts until a final DFARS clause is issued, which is expected in mid-2025. Thereafter, the clause will be added to contracts in a phased approach, with full implementation expected in 2028.


CMMC will be a requirement of all DoD contracts and subcontracts, excluding those exclusively for the procurement of COTS items or those below the micro-purchase threshold. The CMMC level required for a given procurement will be identified in the prime contract. Prime contractors are required to flow down the DFARS clause to subcontractors based on the type of information the subcontractor will process or handle, i.e., federal contract information or controlled unclassified information.


For more details on CMMC requirements and how to prepare for an assessment, read the related article Demystifying CMMC for partners and suppliers.
Also, please join me in a discussion with industry experts at immixGroup's Government IT Sales Summit, where we'll cover CMMC and other cyber regulations, along with other regulatory updates.


Hollie Kapos
Legal Counsel Director

Hollie Kapos is legal counsel director for immixGroup, the public sector business of Arrow Electronics.