Cybersecurity Maturity Model Certification 2.0

December 16, 2024

The Department of Defense’s (DOD) final rule (32 CFR Part 170) for the Cybersecurity Maturity Model Certification program (CMMC) 2.0 is effective the week of December 16, 2024. This rule, often referred to as “the program rule”, establishes the requirements to meet CMMC Levels 1-3, sets expectations for the time-phasing of self-assessment versus certification requirements, and formalizes the role of the Cyber AB and the CMMC certification assessment ecosystem. The timeline for CMMC phased implementation was not updated in the proposed revision, and rulemaking is still expected to extend into 2025.

While the requirement will not make its way into contracts until the second part of the rule (48 CFR - Docket 2020-0034-0194) is finalized and effective, the now final 32 CFR Part 170 makes the basis of future CMMC requirements clear. Upon contract award:

  • CMMC Level 1 (Self-Assessment/Attestation): DOD contractors / subcontractors who receive only Federal Contract Information with no Controlled Unclassified Information in scope, must meet CMMC Level 1 requirements. No CMMC Level 1 requirements are eligible to be on Plans of Action and Milestones (POAM).
  • CMMC Level 2 (Initial Phase: Self-Assessment; Subsequent Phases: Certification Assessment): DOD contractors / subcontractors who manage Controlled Unclassified Information (CUI) within scope of their DOD contracts must meet CMMC Level 2 requirements (NIST SP 800-171 (R2)). All requirements must be fully implemented to satisfy CMMC Level 2, with only select requirements eligible for POAMs, which may not exceed 180 days.
  • CMMC Level 3 (Phase 3+: Certification Assessment): Expected to apply to a narrow scope of mostly DOD Prime Contractors managing CUI associated with DOD’s most critical program technologies. Certification (via CMMC 3rd-Party Assessment Organization) at CMMC Level 2 is a prerequisite. Additionally requires full implementation (no POAM) of 24 NIST SP 800-172 requirements.

Defense Industrial Base (DIB) companies with DOD CUI are reminded that the DFARS 252.204-7012 and DFARS 252.204-7020 regulatory mandates in current contracts continue to require organizations to assess and implement NIST SP 800-171 Revision 2 security requirements (per the DOD Class Deviation for 252.204-7012), and to submit their DOD NIST Assessment Methodology Score into the Supplier Performance Risk System (SPRS). All DIB companies managing CUI should have fully implemented – and be confidently meeting – NIST SP 800-171 (r2) requirements. Suppliers are encouraged to engage with NIST MEP and/or the CyberAB Marketplace to validate preparedness for an anticipated CMMC third-party assessment and certification. Additionally, the “DOD encourages all DIB companies to join ND-ISAC...” for threat intelligence and sharing; it is also a platform to learn more about CMMC via the National Defense Information Sharing and Analysis Center (ND-ISAC) / DIB Sector Coordinating Council (SCC) Cyber Assist website.

Lockheed Martin also hosts monthly Supply Chain Cyber Academy sessions with members from the National Defense Information Sharing and Analysis Center/Defense Industrial Base Sector Coordinating Council to provide education and awareness for CMMC, NIST SP 800-171, cyber DFARS, and cybersecurity best practices. You can register for the monthly sessions by reviewing their calendar below.

We encourage suppliers to take advantage of these resources to support ongoing efforts to protect CUI in accordance with NIST SP 800-171 and potential future CMMC requirements.