CMMC Finalized: What You Need to Know

In October 2024, the DoD published the final version of the Cybersecurity Maturity Model Certification (CMMC), nearly three full years after CMMC 2.0 was first announced in November 2021. The new rule takes effect on December 16th, 2024.

With CMMC finalized, here is some key information organizations with certification goals need to know.

What is CMMC?

CMMC is a Department of Defense (DoD) program to protect data in the Defense Industrial Base (DIB). CMMC compliance is required for organizations to secure DoD contracts so the department can be confident that contractors and subcontractors have cybersecurity programs in place to safely process and handle data.

CMMC is focused on two types of data, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

FCI is data provided by or generated for the Federal Government under a contract to develop or deliver a product or service not intended for public release.

CUI is information that does not carry classified status but must be safeguarded due to government policies and laws or ordinances, such as:

  • Data on defense, nuclear, and natural resources infrastructures
  • Financial records
  • International agreements
  • Global and domestic defense data
  • Provisional and statistical data from governmental agencies

CMMC is largely based on the NIST SP 800-171 standard and maps these controls across organizational maturity levels, ranging from basic cyber hygiene to defending against advanced cyber threats.

What About DFARS?

Two CMMC rulemakings have been happening simultaneously. The DoD’s follow-on Defense Federal Acquisition Regulation Supplement (DFARS) rule change is expected to be published in early to mid-2025. The DFARS rule change will trigger the CMMC requirement in DoD contracts. Find more information on the timing of the proposed DFARS rule here.

Significant Changes in CMMC 2.0

Significant changes in CMMC 2.0 compared to the original version include reducing the number of certification levels from five to three. The three certification levels are:

  • Level 1: Foundational
  • Level 2: Advanced
  • Level 3: Expert

CMMC 2.0 allows for Plans of Action and Milestones (POA&M). A POA&M allows an organization with security gaps to achieve certification by documenting the gaps and detailing how and when they will be addressed.

For more information on how CMMC has evolved, read our An Early Look at CMMC 2.0 blog post.

Steps to CMMC Certification

With CMMC finalized, organizations with certification goals need to complete the following steps:

Identify the Proper Certification Level

Early in your certification journey, you need to identify whether Level 1, 2, or 3 certification is appropriate for the data you’re handling.

Identify Your FCI and CUI

Your CMMC certification only needs to apply to parts of your organization that touch FCI or CUI. Organizations should track the flow of FCI and CUI to identify what divisions do and do not encounter the data. Removing parts of the organization from the CMMC certification process that don’t apply can save time and money.

Create a System Security Plan

A System Security Plan (SSP) is a required document that describes an organization’s security controls and how they protect FCI and CUI. SSPs typically include details on system boundaries, system interconnections, implemented security controls, and the environment in which the system operates.

Conduct a Self-assessment

Executing a self-assessment is an effective way for your organization to prepare for certification by identifying existing NIST 800-171 and CMMC gaps and collecting evidence.

Remediation

Design and implement the controls necessary to close the security gaps found in the assessment.

Select a C3PAO

A CMMC Third Party Assessor Organization (C3PAO) is an organization that has been accredited and authorized to conduct CMMC assessments by the CMMC Accreditation Body. Organizations seeking Level 2 certification that handle CUI are required to work with a C3PAO.

Read our CMMC Certifications Steps blog to learn more.

CMMC Timeline

CMMC will be rolled out in four phases. Here are the details for each phase:

Phase 1 is the inclusion of Level 1 and Level 2 self-assessments in contracts. Phase 1 will be effective when the DFARS rule change is published.

Phase 2 will begin the requirement for C3PAO assessments for certain Level 2 certifications. Phase 2 will begin one year after Phase 1 begins.

Phase 3 will see the DoD begin to include Level 2 C3PAO assessment requirements when exercising options on active DoD contracts. Phase 3 begins one year after Phase 2.

Phase 4 will be the full implementation of the CMMC requirements in all applicable solicitations and contracts. Phase 4 begins one year after Phase 3.

If you’d like to dive deeper into CMMC, listen to our CMMC: The Requirements, Challenges, and Benefits podcast.

CompliancePoint has a team of cybersecurity professionals that can guide your organization through the CMMC certification process. Contact us at connect@compliancepoint.com to learn more about our services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.