Preparing for CMMC – Government Contractors

The frequency of cybersecurity attacks has increased significantly over the last decade, and the Department of Defense is a frequent target. To strengthen security, it has introduced the Cybersecurity Maturity Model Certification (CMMC) 2.0 to ensure that private information is safeguarded from attacks. First introduced in 2020, CMMC was put in place to replace FARS and DFARS requirements for all those contracting with the United States Department of Defense. This applies to a prime contractor contracting directly with the government, all the way down through every tier of subcontractors and vendors. If you are working on a project or product for the DOD, this applies to you. It is important to know that cybersecurity requirements are not new for government contractors, but CMMC 2.0 will make it easier for the government to ensure compliance. Currently, government contractors need to comply with either FARS or DFARS and self-report on their cyber hygiene.

CMMC 2.0 will have three levels of cybersecurity requirements, based on the level of certification required. The level of certification will be noted in each contract and will be determined by the type of information you will be working with. You will see this often discussed in terms of FCI (Federal Contract Information) and CUI (Controlled Unclassified Information). FCI is information that is pertinent to the contract and not intended for the general public. Every government contract contains FCI. CUI is government-created or government-owned information that, while not considered classified, requires extra levels of security.

Level 1 – Foundational – Level 1 is meant for contractors and subcontractors who handle FCI only. They are required to meet 17 cybersecurity standards and can self-report compliance.

Level 2 – Advanced – Contractors and subcontractors that handle CUI must meet Level 2 compliance, which mirrors NIST SP 800-171 and consists of an additional 110 security controls. According to the DOD, a subset of programs with Level 2 requirements will not involve information critical to national security, and for those, compliance can be achieved with a self-assessment. However, many programs will not fit that subset and will need a third-party assessment through a CMMC Third Party Assessment Organization (C3PAO). The assessment will be valid for three years.

Level 3 – Expert – Contractors with access to even more critical information will need to comply with the requirements of the first two levels plus additional controls that are still being developed. These will be assessed by the Department of Defense.

Deadlines:

CMMC requirements are expected to appear in all contracts starting in fiscal year 2026, which means that all contractors will need to be properly compliant to bid on or continue the work. Although 2026 is the deadline for all contracts, there have been discussions that some contracts will start including the requirements sooner. This may create a problem for contractors, as the road to assessment is anything but clear. There are currently entities working toward qualifying as C3PAOs, but no one is expected to be certified for Level 1 or 2 before 2024.

Companies can and should get a head start on this, as it can take a significant amount of time to comply with the numerous requirements. Although there are no certified assessors yet, there are many cybersecurity compliance companies who are familiar with the requirements and can help put you in the best position to pass an assessment when it is required.

The cost of non-compliance is the inability to bid for Department of Defense work. It should also be noted that, even though CMMC compliance is a future requirement, current government contracts already have similar cybersecurity compliance specifications in place that need to be considered. Making cybersecurity a priority will help ensure you are in the best position to continue with government contracts.