The CMMC Transition and Its Cybersecurity Implications


Posted: July 22, 2025 | By: Olutoye Sekiteri

Summary

This article provides information on the U.S. Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) program and where it originates. It shows examples of why there is a need for a shift in handling sensitive unclassified federal contract information (FCI) and controlled unclassified information (CUI) and explains the cybersecurity risk this shift should reduce. With a huge focus on ensuring DoD contractors and subcontractors meet CMMC cybersecurity requirements for future DoD contracts, companies will need to maneuver the CMMC transition process relative to their business operations and environment. Presented are various cybersecurity factors and considerations that may affect obtaining compliance, the improvements these changes intend to create, and helpful resources that can assist parties of the defense industrial base to reach CMMC compliance.

Background

Executive Order 13556 – CUI

In November 2010, Executive Order 13556 established an open and uniform program for managing unclassified information that requires safeguard and dissemination controls [1].

National Institute of Standards & Technology (NIST) Special Publication (SP) 800-171

In June 2015, NIST officially published SP 800-171 titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” [2]. This publication highlights the requirements for protecting CUI stored, processed, or transmitted by nonfederal organizations and computer systems. NIST SP 800-171 is based on the Federal Information Security Management Act of 2002 and its “moderate” level requirements [3]. In May 2024, NIST SP 800-171 Revision 3, which supersedes previous versions, was released [4].

NIST SP 800-172

In February 2021, NIST officially published SP 800-172 titled “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171” [5]. NIST 800-172 builds upon the information included in NIST 800-171 and provides a more enhanced and complex selection of security control recommendations to follow when CUI is involved in critical systems and/or programs.

Federal Acquisition Regulation (FAR) 52.204-21

In May 2016, FAR 52.204-21 titled “Basic Safeguarding of Covered Contractor Information Systems” was published, which specifies basic security controls required for safeguarding FCI and covered information systems [6].

Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012

On December 31, 2017, DFARS 252.204-7012 titled “Safeguarding Covered Defense Information and Cyber Incident Reporting” went into effect [7]. DFARS 7012 is an important clause that is crucial to protecting CUI in the defense industrial base (DIB). It applies to all contractors that handle CUI, contractor proprietary information, controlled technical information, and/or covered defense information (CDI). This regulation requires defense contractors and subcontractors to implement robust cybersecurity controls and practices to secure sensitive data from cyber threats. DFARS 7012 specifically requires defense contractors and subcontractors to do the following:

  • Protect unclassified CDI in accordance with NIST SP 800-171. Contractors must implement the 110 security controls and 320 objectives specified in NIST SP 800-171.
  • Report cyber incidents to the DoD and provide logs and server access. Contractors must report all cyber incidents to the DoD Cyber Crime Center (DC3), provide malicious software and all cyber incident data, preserve cyber incident data for 90 days, and support DC3 with their cyber investigation.
  • Confirm Cloud service providers (CSPs) meet Federal Risk and Authorization Management Program (FedRAMP) moderate or equivalent standards. Contractors must ensure that the CSPs they are currently using have achieved the requirements for a FedRAMP moderate baseline or equivalent standard.
  • Flow down to subcontractors. Contractors must flow down requirements to their subcontractors, meaning their subcontractors are subject to the same requirements.

In addition to DFARS 7012, the following three additional clauses went into effect with DFARS’ Interim Final Rule in November 2020:

  1. DFARS 7019: Improves on DFARS 7012 by making it a requirement for contractors to conduct a NIST SP 800-171 self-assessment aligned with the DoD assessment methodology. It also requires that self-assessment scores be sent to the DoD through its Supplier Performance Risk System (SPRS) [8].
  2. DFARS 7020: Informs contractors that the DoD possesses the right to conduct a higher-level assessment of a contractor’s business operations and cybersecurity compliance. Contractors must provide DoD assessors with full access to their systems, personnel, and facilities. Contractors must also confirm their subcontractors have valid SPRS scores on file [9].
  3. DFARS 7021: Sets the foundation for the Cybersecurity Maturity Model Certification (CMMC) and requires contractors to have a current (i.e., not older than three years) CMMC certificate at the CMMC level required by the contract and maintain the CMMC certificate at the required level for the duration of the contract [10].

What Is CMMC?

CMMC is the DoD’s program to assist industry players in meeting the necessary requirements outlined in DFARS 252.204-7012 and NIST SP 800-171 Rev. 2. The CMMC program intends to provide a consistent assessment methodology prior to contract award that can validate if a potential DoD contractor implements adequate cybersecurity protections for DoD information [11]. The program applies to all contracts where a defense contractor or subcontractor will process, store, or transmit FCI or CUI on their information systems and to new contracts, task orders, delivery orders, solicitations, and as a condition for an option period.

FCI is information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service to the government, defined in FAR 52.204-21 [6]. CUI is information the government creates or possesses or that an entity creates or possesses for or on behalf of the government that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls, defined in 22 Code of Federal Regulations (CFR) Part 2002 [12]. The CUI marking replaces legacy markings such as for official use only (FOUO), sensitive but unclassified (SBU), and law enforcement sensitive (LES) [13].

The CMMC program is designed to align with the existing DoD information security requirements of DIB partners. CMMC’s goal is to further enforce the security and protection of sensitive unclassified information and CUI shared by the DoD and its contractors and subcontractors by providing a guarantee that the industry is meeting cybersecurity requirements for future contracts and systems that properly store, process, and transmit CUI [14].

The CMMC program was initially started as CMMC 1.0 in January 2020 but was updated to the next iteration of the cybersecurity model with CMMC 2.0 in November 2021. CMMC 2.0 was designed to reduce the resources required for small- to medium-sized businesses to meet CMMC compliance. One notable way CMMC 2.0 did this was by reducing the number of levels in the CMMC maturity model from five in CMMC 1.0 to three in CMMC 2.0.

The CMMC program is based on DFARS 252.204-7012 and builds upon its concepts, but there are a few major differences that set it apart. The program seeks to add a required verification component that can efficiently verify the cybersecurity of defense contractors consistently relative to FAR 52.204-21, DFARS 252.204-7012, NIST 800-171 Rev. 2, and NIST 800-172. CMMC uses a tiered model (Figure 1) that requires companies that handle sensitive unclassified DoD information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the data.

Figure 1. CMMC Certification Levels and Requirements (Source: U.S. DoD CIO [15]).


CMMC Level 1 (Foundational)

This level is reserved for all federal contractors and subcontractors that only handle FCI. It protects information and communications related to federal contractors and has 15 cybersecurity requirements from FAR 52.204-21 that must be followed [6]. CMMC Level 1 also requires that a self-assessment be conducted by the organization seeking certification (OSC) and an affirmation that they align with FAR 52.204-21 annually. Results from both the assessment and affirmation must be sent to the SPRS [11].

CMMC Level 2 (Advanced)

This level is designed for DoD contractors and subcontractors that specifically handle CUI. It requires organizations to implement the 110 security controls specified in NIST SP 800-171 Rev. 2, which are the same NIST controls required in DFARS 252.204-7012. CMMC Level 2 also requires OSCs to either conduct self-assessments or have a CMMC Third-Party Assessment Organization (C3PAO) conduct the assessment every three years. The type of assessment organizations choose depends on the type of information processed, transmitted, or stored on the contractor or subcontractor information systems.

The results from contractor self-assessments should be entered into the SPRS, and results from a C3PAO assessment should be entered into the CMMC Enterprise Mission Assurance Support Service (eMASS). All contractors under CMMC Level 2 will have to affirm compliance with the 110 security control requirements featured in NIST SP 800-171 Rev. 2 annually and that affirmation will be entered into the SPRS [11].

CMMC Level 3 (Expert)

This level is the CMMC final level and meant for DoD contractors and subcontractors that handle the most sensitive CUI for DoD programs with the highest priority. It focuses on reducing a system environment’s vulnerabilities to advanced persistent threats (APTs) with more rigorous and advanced cybersecurity measures. CMMC Level 3 requires organizations to properly implement the 110 security controls specified in NIST SP 800-171 Rev. 2 and an additional 24 security controls specified in NIST SP 800-172.

To qualify for this level’s certification, an organization must have already demonstrated they are compliant and meet all requirements under CMMC Level 2. At CMMC Level 3, certification must be completed with an assessment by the DoD’s own Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC) every three years. Assessment results from a C3PAO or DIBCAC should be entered into CMMC eMASS. Affirmations of compliance with NIST 800-171 Rev. 2 and NIST 800-172 are still required annually [11].

SPRS and CMMC Scoring Methodology

SPRS is a self-certification scoring method that measures current cybersecurity compliance with the NIST 800-171 framework (Figure 2). The SPRS score is a numerical grade that gets entered into the DoD SPRS application using designated systems. It is a tool that the DoD and contracting officers use to measure the risk associated with a contractor’s cybersecurity posture. The DoD now uses the SPRS score as a major component of a contractor’s CMMC evaluation. The score must be maintained and cannot be more than three years old [16]. The scoring methodology an organization uses will depend on the CMMC level they operate on. These scores are based on three levels presented in the next paragraphs.

Figure 2. NIST SP 800-171 Assessment Landing Page (Source: Defense Information Systems Agency [17]).


CMMC Level 1

In this level, there is no score, and requirements are “MET” or “NOT MET.”

CMMC Level 2

The scoring in this level ranges from –203 to 110 points, with a minimum passing score of 88. Each security requirement is valued at 1, 3, or 5 points, and the assessment begins with a perfect score of 110. Points are deducted (1, 3, or 5) for each control not implemented, and the score can go down to –203. Nothing is deducted if the security control has been properly implemented. If all controls are implemented, the perfect score of 110 is maintained.

The following lists the deduction scheme and possible points that can be subtracted:

  • If not implemented, this could lead to significant exploitation of the network or exfiltration of CUI (5 points).
  • If not completely or properly implemented, this could be partially effective and points adjusted depending on how the security requirement is implemented (3 or 5 points).
    • Partially effective implementation (3 points).
    • Noneffective (not implemented at all) (5 points).
  • If not implemented, this has a specific and confined effect on the security of the network and its data (3 points).
  • If not implemented, this has a limited or indirect effect on the security of the network and its data (1 point).

CMMC Level 3

The scoring in this level has a maximum score of 24, with each security requirement valued at 1 point. If any single requirement is not met, it will result in a failed CMMC Level 3 assessment [18].

Results at all levels are entered into the SPRS and reviewed by contracting officers and requiring activities.
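The Level 2 and Level 3 scoring rules described above, worked through in code. This is an added example written for this article; it is not a DoD, SPRS, or Cyber AB tool. The 110-point starting score, the 1/3/5 weights, the reduced 3-point deduction for a partially effective implementation, the –203 floor, the 88-point passing threshold, and the 24 one-point Level 3 requirements are taken from the article's description; the requirement identifiers (REQ-001 and so on) and the findings themselves are constructed sample data, and the `partial_credit` flag is an assumption used to mark the requirements eligible for the reduced deduction.

```python
"""CMMC Level 2 / Level 3 score calculator (illustrative, not an official tool).

Constants follow the scoring methodology as described in the article.
Requirement identifiers and findings below are constructed sample data.
"""
from dataclasses import dataclass

LEVEL2_MAX = 110      # perfect score: all 110 NIST SP 800-171 requirements met
LEVEL2_MIN = -203     # floor of the Level 2 scale
LEVEL2_PASS = 88      # minimum passing score
LEVEL3_MAX = 24       # 24 NIST SP 800-172 requirements, 1 point each


@dataclass(frozen=True)
class Finding:
    requirement: str            # identifier (constructed, e.g. "REQ-001")
    weight: int                 # 1, 3 or 5 points, per the methodology
    status: str                 # "met", "partial" or "not_met"
    partial_credit: bool = False  # assumption: marks requirements that may lose
                                  # only 3 points when partially effective


def deduction(f: Finding) -> int:
    """Points subtracted for one Level 2 requirement."""
    if f.weight not in (1, 3, 5):
        raise ValueError(f"{f.requirement}: weight must be 1, 3 or 5")
    if f.status == "met":
        return 0                      # nothing deducted for a proper implementation
    if f.status == "partial":
        # A partially effective implementation keeps the reduced 3-point
        # deduction only for the 5-point requirements flagged as eligible;
        # every other requirement loses its full weight.
        return 3 if (f.partial_credit and f.weight == 5) else f.weight
    if f.status == "not_met":
        return f.weight
    raise ValueError(f"{f.requirement}: unknown status {f.status!r}")


def level2_score(findings) -> dict:
    """Start at 110, subtract deductions, clamp at -203, compare with 88."""
    lost = sum(deduction(f) for f in findings)
    score = max(LEVEL2_MAX - lost, LEVEL2_MIN)
    return {
        "score": score,
        "points_lost": lost,
        "passing": score >= LEVEL2_PASS,
        "margin": score - LEVEL2_PASS,            # points still affordable
        "max_affordable_loss": LEVEL2_MAX - LEVEL2_PASS,  # 22 for Level 2
    }


def level3_result(findings) -> dict:
    """Level 3: 1 point per requirement; a single unmet requirement fails."""
    met = sum(1 for f in findings if f.status == "met")
    complete = len(findings) == LEVEL3_MAX
    return {"score": met, "passing": complete and met == LEVEL3_MAX}


def constructed_level2_findings():
    """110 requirements, all met except four constructed gaps."""
    findings = [Finding(f"REQ-{i:03d}", 1, "met") for i in range(1, 111)]
    findings[0] = Finding("REQ-001", 5, "not_met")                     # -5
    findings[1] = Finding("REQ-002", 5, "partial", partial_credit=True)  # -3
    findings[2] = Finding("REQ-003", 3, "partial")                     # -3 (no reduced credit)
    findings[3] = Finding("REQ-004", 1, "not_met")                     # -1
    return findings


def constructed_level3_findings(unmet: int = 0):
    """24 requirements with the given number of constructed unmet ones."""
    return [Finding(f"ENH-{i:02d}", 1, "not_met" if i <= unmet else "met")
            for i in range(1, LEVEL3_MAX + 1)]


if __name__ == "__main__":
    print("Level 2:", level2_score(constructed_level2_findings()))
    print("Level 3:", level3_result(constructed_level3_findings(unmet=1)))
```

The `margin` field is the figure an OSC planning remediation cares about: with four constructed gaps costing 12 points the sample scores 98 and still passes, with 10 of the 22 affordable points left. Changing REQ-002 from a flagged partial implementation to `not_met` shows how a reduced-credit control is worth two points of margin, and the Level 3 function shows that no margin exists at that level.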

Why the Need for CMMC?

The world has seen constant technological advancements in artificial intelligence, machine learning, automation, Cloud Computing, Edge Computing, the Internet of Things (IoT), and networking capabilities over the past decade. This ever-changing cyber landscape has also allowed for the advancement of cyber threats such as malware, distributed denial-of-service attacks, ransomware, social engineering attacks, phishing, injection attacks, and supply chain attacks. This change has increased the overall threat landscape organizations must handle daily and bolstered the tools cyber adversaries have at their disposal. Attackers regularly outsmart the state-of-the-art cyber defenses of businesses, institutions, and governments, keeping them a step ahead of cyber professionals [19].

According to Statista, the global cost of cybercrime is projected to rise from $9.22 trillion in 2024 to $13.82 trillion by 2028 [20]. In MoreField’s cybersecurity forecast for 2025, ransomware attacks have also been the highlight of emerging threats, with their frequency and complexity on the rise [21]. This forecast states that ransomware has demonstrated an 81% year-over-year increase from 2023 to 2024.

In 2023, the Cyber National Mission Force carried out 22 operations. In comparison, the Cyber National Mission Force has been deployed more than 85 times to carry out missions spanning across at least 80 networks in 2024, according to Morgan Adamski, executive director of the U.S. Cyber Command [22]. Cyber Command’s expanded operations come amid intensifying threats from foreign adversaries like China, which federal agencies warn has been carrying out broad and significant cyber espionage campaigns targeting top government officials in the United States.

Nation-state actors and APTs are active on the world stage and can generate and impact global conflicts, fueling tension between nations. The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assessed that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) have been responsible for computer network operations against global targets for espionage, sabotage, and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022 [23].

In March 2024, hackers that operated as part of the APT31 hacking group in support of the People’s Republic of China’s Ministry of State Security were charged with conspiracy to commit computer intrusions and wire fraud [24]. This was the result of their involvement in conducting global campaigns of computer hacking that targeted political dissidents and perceived supporters located inside and outside of China, government and political officials, candidates, and campaign personnel in the United States and elsewhere. APT31 sent over 10,000 malicious emails that included a malicious tracking link to government officials and journalists from prominent news outlets and gained access to the victim’s computer networks using sophisticated zero-day exploits.

These cyber events and statistics show that there is a yearly increase in the frequency of cyberattacks, highlighting the increased activity of cyber adversaries and nation-state actors and need for organizations to be prepared in today’s cyber landscape.

In the 2019 DoD Office of Inspector General (DODIG) Audit of Protection of DoD Controlled Unclassified Information on Contractor-Owned Networks and Systems, it was found that DoD contractors did not consistently implement DoD-mandated system security controls for safeguarding defense information [25]. Within the contractors assessed by the DODIG, they identified multiple deficiencies regarding the use of multifactor authentication (MFA), enforcing strong password use, identifying and mitigating network/system vulnerabilities, documenting cyber incidents, implementing physical security controls, overseeing network and boundary protection services provided by a third-party company, protecting CUI on removable media, and more. In this audit, it was noted that there was not a specific established process for verifying a contractor’s networks and systems. It was also noted that DoD component contracting offices and requiring activities did not always know which contracts required contractors to maintain CUI because the DoD did not implement processes and procedures to track which contractors maintained CUI.

In December 2024, the U.S. Treasury Department stated that a China-based APT actor broke into their systems and was able to access employee workstations and some unclassified documents [26]. The Treasury Department determined this breach to be a major cyber incident where the APT was able to override security via a key used by a third-party service provider, BeyondTrust, who offered remote technical support to their employees.

The DODIG audit and Treasury Department breach show that DoD and government agencies need to seriously improve their operational practices to be more secure and highlight the importance of properly securing sensitive unclassified information and CUI. These events also emphasize the fact that APTs can intentionally target sensitive unclassified information and CUI in their cyber operations and will leverage third-party service providers to gain access to critical systems.

The CMMC program provides clear cybersecurity requirements that are tried, true, and known as best practices. The program gives DoD contractors a clear set of goals they should strive for in terms of meeting all requirements featured in FAR 52.204-21, DFARS 252.204-7012, NIST 800-171, or NIST 800-172 and implementing the proper security controls into their systems.

The CMMC program also plans to ensure the DoD and its contractors and subcontractors are doing their due diligence in applying proper security controls and reviewing its own cybersecurity. Requiring cybersecurity assessments every three years and annual affirmations to confirm compliance with the respective CMMC level can be seen as a form of ongoing monitoring for the cybersecurity practices of DoD contractors and subcontractors. The program directly addresses many of the security faults and issues mentioned in the DODIG audit, promotes the protection of sensitive unclassified data and CUI, prepares organizations to better respond to cyber threats and APTs, and aims for improving the cybersecurity posture of the DIB. While not every DIB company will necessarily be subject to a CMMC mandate, most eventually will. To be successful, the CMMC initiative relies on an entire community of security and training professionals [27].

The CMMC Ecosystem

Throughout the CMMC process from start to finish, there are various organizations and entities that an OSC may interact with for CMMC compliance. The CMMC ecosystem refers to the interrelated processes, organizations, and entities that are involved in the initial review, implementation, assessment, and certification of the CMMC framework.

DoD Chief Information Officer (CIO) CMMC Project Management Office

The DoD CIO provides oversight of the CMMC program and establishes CMMC assessment, accreditation, and training requirements; develops and updates CMMC program policies; implements guidance; and establishes DoD requirements for C3PAOs, the Cybersecurity Assessor and Instructor Certification Organization (CAICO), assessors, and instructors [28].

DCMA DIBCAC

This center advises the DoD CIO CMMC Project Management Office (PMO), conducts CMMC Level 2 certification assessments of C3PAOs, and conducts CMMC certification assessments of DIB organizations.

CMMC Accreditation Body (Cyber AB)

This is the official accreditation body of the CMMC ecosystem and the sole authorized nongovernmental partner of the DoD in implementing and overseeing the CMMC program [29].

C3PAO

These are organizations authorized by the Cyber AB to perform official CMMC assessments. They employ CMMC assessors and are responsible for conducting the assessments and issuing CMMC certifications to organizations that meet the requirements [30].

Certified CMMC Professional (CCP)

These are qualified individuals or organizations authorized by the Cyber AB to evaluate and assess organizations against the CMMC framework for Level 1.

Certified CMMC Assessor (CCA)

These are qualified individuals or organizations authorized by the Cyber AB to evaluate and assess organizations against the CMMC framework for Level 2.

Both CCP and CCA conduct on-site or remote assessments to determine if an organization meets the required cybersecurity practices and processes for certification.

CAICO

CAICO is the dedicated CMMC entity facilitating the training, examination, and professional certification for individuals within the CMMC ecosystem [30].

Licensed Training Provider (LTP)

LTP is an established training organization that has been reviewed and approved by CAICO. The organizations that fall under this provider deliver CMMC-related training and education programs, equipping individuals and organizations with the necessary skills and knowledge to meet CMMC requirements. They offer specialized courses and certifications to enhance cybersecurity expertise.

Licensed Publishing Provider (LPP)

Vetted by CAICO, this organization is responsible for creating quality CMMC training curriculum that LTPs deliver to individuals pursuing official DoD-recognized CMMC professional certifications.

Certified CMMC Instructor

This includes individuals that work with LPP and LTP to develop curriculum and deliver courses.

Noncertified Entities

These are organizations or professionals that can assist in preparing OSCs for CMMC assessments but are not certified to conduct official CMMC assessments.

Registered Practitioner Organization (RPO)

RPO is an organization that provides a noncertified advisory service, often before CMMC assessment. RPOs do not conduct certified CMMC assessments.

Registered Practitioners (RPs)

RPs are individuals with implementation experience who provide consultative preparation services to OSCs and work under an RPO [30].

Reaching Compliance and Preparing for Assessment

When beginning to initiate the path to CMMC compliance, OSCs should do the following:

  1. Look to engage with familiar DoD organizations for assistance.
  2. Establish a procurement account and obtain an active CMMC status in the SPRS.
  3. Understand the scope of CMMC. OSCs must look inward to see where they stand within the overall CMMC process.
    First, there must be an understanding of the CMMC levels, what is required, and what they entail. OSCs need to take note of the type of data they handle in their operations and whether it is FCI or CUI. If the organization only handles FCI, follow the requirements featured in CMMC Level 1. If they handle CUI, then the organization should focus on whether they fall under Level 2 or 3.
    Reviewing contract requirements, understanding how critical and high priority an organization’s work is, and evaluating the risk of an organization’s threat environment for cyberattacks and APTs will help determine whether an organization will follow Level 2 or 3 requirements. Understanding the CMMC scoring methodology will also be key. For example, OSCs at CMMC Level 2 can only afford to lose 22 points through deduction while still being compliant.
  4. Understand the scope of the assessment.
    OSCs need to identify their assets and exactly where the FCI or CUI resides within the organization. In this case, an asset is anything that has value to an organization, including, but not limited to, another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software (installed and physical instances), virtual computing platform (common in Cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards, etc.) [31]. FCI and CUI data can be located on local storage, Cloud storage, printers, servers, workstations, IoT devices, and mobile devices. Attention should be paid to when and how FCI or CUI is processed, stored, and transmitted in and out of the organization during operations as follows:

    • Process – FCI/CUI can be used by an asset (accessed, entered, edited, generated, manipulated, or printed).
    • Store – FCI/CUI is inactive or at rest on an asset (located on electronic media, in system component memory, or in physical format like paper documents).
    • Transmit – FCI/CUI is being transferred from one asset to another.

With the knowledge and understanding of the location of FCI/CUI data and the nature of operational processes, a network topology diagram should be created of how FCI or CUI moves within the organization to better visualize what is being protected.

Instead of maintaining a fully fleshed-out network environment, an organization may opt to use an on-premise or Cloud enclave for CUI. Enclaves are stand-alone information systems that establish a software-defined perimeter around their included resources to protect sensitive data such as CUI of an organization’s information systems [32]. This creates a network partition and allows incorporating NIST 800-171 for FCI/CUI in specific areas of a network and for related operations.

Organization Maintained Enclave

A few advantages and disadvantages related to organization maintained enclaves are as follows:

  • Advantages
    • Lowers cost of implementation
    • Allows for quicker implementation
    • Limits use of CUI-related assets (workstations, phones, etc.)
    • Easier to reach security requirements
    • Reduces continuous monitoring workload
  • Disadvantages
    • Limited assets could restrict business operations
    • More susceptible to insider threats
    • Air-gapped – physically isolated from other networks and any external connections, including the public internet

An organization may also opt to use a third-party CSP or managed service provider (MSP). DFARS 252.204-7012 requires the use of FedRAMP-approved government Clouds. FedRAMP was created in 2011 to present a cost-effective, risk-based approach for adopting secure Cloud services across the federal government by providing a standardized approach to security and risk assessment for Cloud technologies and federal agencies. According to FedRAMP, compliance is required for all Cloud service providers that offer services to federal agencies and all federal agencies that transmit sensitive data over the Cloud. FedRAMP helps eliminate redundant and inconsistent efforts, supports the adoption of Cloud Computing and innovative technologies, and promotes the use of properly secured systems and applications.

Managed Service Provider Cloud

A few advantages and disadvantages related to managed service provider Cloud environments are as follows:

  • Advantages
    • Lower cost of system management (pay only for what is needed)
    • Expertise and experience from MSP team
    • High system uptime and availability
    • Ease of scalability
  • Disadvantages
    • Lack of on-site support
    • Subject to vulnerabilities of MSP, such as access controls and uncontrollable administrative rights
    • Depends on MSP for technical assistance, patches, and updates

OSCs also want to take note of who has access to stored FCI/CUI and who has authorization to process and transmit FCI/CUI. The following questions should be asked:

  • Who are the contract information systems officers?
  • Who writes the procedures and policies?
  • Who will monitor logs, access, and user permissions?
  • Who will implement technical changes, such as patches/updates?
  • Who will train employees?
  • Who will monitor the organizational alignment with current procedures and policies?
  • Are they employees, and are they part time or full time?
  • Are individual network environments maintained, or is an MSP utilized for FCI/CUI-related operations?

In continuing to initiate the path to CMMC compliance, OSCs should also do the following:

  1. Conduct a self-assessment.
    Based on the understanding of the CMMC requirements, current cybersecurity posture, and how FCI/CUI flows in and out of OSCs, a self-assessment can be conducted.
    An RPO can also be utilized to assess the state of OSCs before an official assessment. Are the proper security practices and controls in place relative to the requirements of FAR 52.204-21, DFARS 252.204-7012, NIST 800-171, or NIST 800-172? Using CMMC’s scoring methodology, what score did the OSC receive?
  2. Develop a plan to reach full CMMC compliance.
    Based on the score in the initial self-assessment, where can OSCs improve their security posture? OSCs need to weigh their options, prioritize what security issues need to be addressed, and develop a plan to improve security control. Does MFA or encryption need to be enabled for certain business functions? Do cyber professionals need to be hired? How do security controls affect CMMC scoring?
    For example, OSCs at Level 2 may be deducted 5 points for missing a security control like MFA. OSCs may be limited in their ability to implement a complete fix but could possibly implement a control that will deduct fewer points. These changes can move the needle in improving overall cybersecurity and CMMC score.
  3. Submit the assessment scope to the assessor.
    Formally document and provide the CMMC assessor with the full scope of assets, facilities, systems, and people involved with FCI/CUI business operations. These are the assets that will be reviewed during the official CMMC assessment.
  4. Display CMMC readiness and remediation.
    Carry out the plan that was created to reach CMMC compliance and remediate any high-priority shortcomings in previous organizational security controls and processes.
  5. Obtain a C3PAO assessment or conduct an official self-assessment.
    Once remediations have occurred, OSCs are ready for the official CMMC assessment. This can be conducted by a C3PAO, CCP, or CCA, depending on CMMC requirements. In-house personnel can conduct the official self-assessment, but they must be qualified by the Cyber AB.
  6. Pass or fail certification.

The CMMC process can take organizations anywhere from 16 to 24 months to fully complete. The timeframe will depend on the current state and complexity of the assessed environment, and the process can take longer if issues arise along the way. Many organizations that currently process, store, or transfer FCI or CUI are already preparing themselves to align with CMMC requirements. If they are not, it is up to the organization if they would like to continue working with the DoD on future contracts.

On October 15, 2024, the final rule establishing the CMMC program, codified at Title 32 CFR Part 170, was published [11]; it became effective on December 16, 2024, 60 days after publication. A companion acquisition rule in Title 48 CFR (DFARS) is what actually places CMMC requirements into solicitations and contracts, and the phased rollout is keyed to that rule's effective date. CMMC assessment requirements will be implemented using a four-phase plan over three years (see Figure 3). The phases add CMMC level requirements incrementally, starting with self-assessments in Phase 1 and ending with full implementation of program requirements in Phase 4 [33].

Figure 3. The Planned Implementation Phases of the CMMC Program (Source: U.S. DoD CIO [34]).

  • Phase 1 begins on the effective date of the 48 CFR (DFARS) CMMC rule. The final 32 CFR rule lengthened Phase 1 from six months to one year; during it, Level 1 and Level 2 self-assessments become a condition of award for applicable contracts.
  • Phase 2 begins one calendar year after Phase 1 and requires most contractors handling CUI to obtain a Level 2 certification assessment from a C3PAO as a condition of award.
  • Phase 3 begins one calendar year after Phase 2 and adds Level 3 certification assessments, conducted by DoD's DCMA DIBCAC, for contracts involving the most sensitive CUI.
  • Phase 4 begins one calendar year after Phase 3 and is the "full implementation" of the CMMC requirements in all applicable solicitations and contracts.
  • The DoD's objective was to begin implementing the CMMC requirements in fiscal year 2025, so the calendar dates of Phases 2–4 depend on when the DFARS rule takes effect.
  • Full implementation of CMMC across all defense contractors is estimated to occur over seven years, because requirements attach to contracts as they are awarded or recompeted.

Resources to Help in Reaching CMMC Compliance

Cyber AB Marketplace

Provides a trusted location to look up RPOs, CCAs, CCPs, C3PAOs, LTPs, and LPPs [35].

FedRAMP Marketplace

A searchable and sortable list of cloud service providers, products, and services that are FedRAMP-authorized and Defense Information Systems Agency (DISA) approved [36].

NSA DIB Cybersecurity Services

NSA offers no-cost cybersecurity services to any company that contracts with the DoD (sub or prime) or has access to nonpublic DoD information. These services include Protective Domain Name System (DNS), a DNS filtering service; vulnerability scanning; attack surface management; and access to nonpublic, DIB-specific NSA threat intelligence [37].

DC3 DIB Collaborative Information Sharing Environment (DCISE)

An operational hub of the DoD’s DIB Cybersecurity Program that is the designated recipient for reporting DIB cyber incident reports as required by 10 U.S. Code Sections 391 and 393 and DFARS 252.204-7012. DC3 DCISE offers no-cost forensics, malware analysis, and cybersecurity services for DIB partners. It also shares a significant number of cyber threat reports (hundreds annually) for DIB and U.S. government consumption [38].

NIST Manufacturing Extension Partnership (MEP)

The NIST MEP is a national network with hundreds of specialists across MEP centers located in all 50 states and Puerto Rico, as shown in Figure 4. MEP provides companies with services and access to public and private resources to enhance growth, improve productivity, reduce costs, and expand capacity. The NIST MEP can help DIB organizations assess their business’s current risk posture, identify any gaps, and implement solutions to cost effectively protect digital and information assets and meet legal and contractual cybersecurity and privacy requirements [39].

Figure 4. MEP National Network Map (Source: NIST [40]).

Next Gen Commercial Operations in Defended Enclaves for Small Businesses (N-CODE)

The N-CODE program was created to improve cybersecurity while lowering the barrier for small businesses to engage with DoD programs. Small businesses may find that individually implementing security controls and then demonstrating CMMC compliance is cost prohibitive. Small businesses that opt into the N-CODE pilot can instead leverage an initial set of productivity tools within a secure environment that meets a majority of the CMMC controls. This provides an affordable path to securing data while maximizing participation in the defense industrial base [41].

Conclusions

The CMMC program represents a significant shift in how the DoD and the DIB approach cybersecurity across the defense supply chain. It is driven by an escalating threat landscape, increasingly prominent APT activity, and the weaknesses exposed by past incidents. CMMC aims to establish a common, verifiable baseline of security for handling FCI and CUI and provides an official process for confirming that baseline at the contract level. The program's tiered structure, ranging from basic cyber hygiene at Level 1 to protection against advanced persistent threats at Level 3, allows the DoD to tailor requirements to the sensitivity of the data each contractor handles.

While achieving CMMC compliance requires a significant investment of time and resources, the framework gives organizations a clear roadmap for improving their cybersecurity posture. By understanding the requirements, conducting thorough self-assessments, drawing on the organizations listed above, and developing comprehensive remediation plans, contractors can meet their compliance obligations and strengthen their defenses against increasingly sophisticated cyber threats. Ultimately, CMMC aims to create a more secure and resilient DIB that is better equipped to protect critical information and support national security.

References

  1. The White House. “Executive Order 13556 – Controlled Unclassified Information.” https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information, accessed on 7 February 2025.
  2. NIST. “NIST Released Special Publication 800-171, Revision 1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” https://csrc.nist.gov/news/2016/nist-released-special-publication-800-171,-revisio, accessed on 7 February 2025.
  3. Carnegie Mellon University. “NIST 800-171 Compliance information.” https://www.cmu.edu/iso/compliance/800-171/index.html, accessed on 7 February 2025.
  4. NIST. “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” https://csrc.nist.gov/pubs/sp/800/171/r3/final, accessed on 7 February 2025.
  5. NIST. “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.” https://csrc.nist.gov/pubs/sp/800/172/final, accessed on 7 February 2025.
  6. U.S. General Services Administration (GSA). “Basic Safeguarding of Covered Contractor Information Systems.” https://www.acquisition.gov/far/52.204-21, accessed on 7 February 2025.
  7. U.S. GSA. “Safeguarding Covered Defense Information and Cyber Incident Reporting.” https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting, accessed on 7 February 2025.
  8. U.S. GSA. “Notice of NIST SP 800-171 DoD Assessment Requirements.” https://www.acquisition.gov/dfars/252.204-7019-notice-nistsp-800-171-dod-assessment-requirements, accessed on 7 February 2025.
  9. U.S. GSA. “NIST SP 800-171 DoD Assessment Requirements.” https://www.acquisition.gov/dfars/252.204-7020-nist-sp-800-171dod-assessment-requirements, accessed on 7 February 2025.
  10. U.S. GSA. “Cybersecurity Maturity Model Certification Requirements.” https://www.acquisition.gov/dfars/252.204-7021-cybersecurity-maturity-model-certification-requirements, accessed on 7 February 2025.
  11. U.S. DoD CIO. “About CMMC.” https://dodcio.defense.gov/cmmc/About/, accessed on 7 February 2025.
  12. Code of Federal Regulations. “Title 32 Subtitle B Chapter XX Part 2002 Subpart A Section 2002.4.” https://www.ecfr.gov/current/title-32/subtitle-B/chapter-XX/part-2002/subpart-A/section-2002.4, accessed on 7 February 2025.
  13. U.S. Department of Commerce Office of the Chief Information Officer. “Controlled Unclassified Information (CUI).” https://www.commerce.gov/ocio/programs/controlled-unclassified-information-cui, accessed on 25 February 2025.
  14. Defense Counterintelligence and Security Agency. “Cybersecurity-Maturity-Model-Certification-CMMC.” https://www.dcsa.mil/Industrial-Security/Controlled-Unclassified-Information-CUI/Cybersecurity-Maturity-Model-Certification-CMMC/, accessed on 7 February 2025.
  15. U.S. DoD CIO. “CMMC Certification Levels and Requirements.” https://dodcio.defense.gov/cmmc/About/, accessed on 7 February 2025.
  16. DISA. “Supplier Performance Risk System.” https://www.sprs.csd.disa.mil/, accessed on 7 February 2025.
  17. DISA. “NIST SP 800-171 Assessment Landing Page.” https://www.sprs.csd.disa.mil/pdf/SPRS_Government.pdf, accessed on 25 February 2025.
  18. Code of Federal Regulations. “CMMC Scoring Methodology.” https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-G/part-170/subpart-D/section-170.24, accessed on 7 February 2025.
  19. de Nobrega, K. M., A. F. Rutkowski, and C. Saunders. “The Whole of Cyber Defense: Syncing Practice and Theory.” The Journal of Strategic Information Systems, vol. 33, no. 4, https://www.sciencedirect.com/science/article/pii/S096386872400043X, accessed on 7 February 2025.
  20. Fleck, A. “Cybercrime Expected to Skyrocket in Coming Years.” Statista, https://www.statista.com/chart/28878/expected-cost-of-cybercrime-until-2027/, accessed on 7 February 2025.
  21. Morefield. “5 Cybersecurity Predictions for 2025.” https://morefield.com/blog/5-cybersecurity-predictions-for-2025/, accessed on 7 February 2025.
  22. Riotta, C. “U.S. Cyber Force Surges Global Operations Amid Rising Threats.” Bank Info Security, https://www.bankinfosecurity.com/us-cyber-force-surges-global-operations-amid-rising-threats-a-26889, accessed on 7 February 2025.
  23. CISA. “Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure.” https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a, accessed on 7 February 2025.
  24. U.S. Department of Justice. “Seven Hackers Associated with Chinese Government Charged with Computer Intrusions Targeting Perceived Critics of China and U.S. Businesses and Politicians.” https://www.justice.gov/archives/opa/pr/seven-hackers-associated-chinese-government-charged-computer-intrusions-targeting-perceived, accessed on 7 February 2025.
  25. U.S. DoDIG. “Audit of Protection of DoD Controlled Unclassified Information on Contractor-Owned Networks and Systems DODIG-2019-105.” https://www.dodig.mil/reports.html/Article/1916036/audit-of-protection-of-dod-controlled-unclassified-information-on-contractor-ow/, accessed on 7 February 2025.
  26. Tidy, J., and N. Yousif. “U.S. Treasury Says it was Hacked by China in ‘Major Incident’.” BBC, https://www.bbc.com/news/articles/c3weye2j0e7o, accessed on 7 February 2025.
  27. Cyber AB. “An Ecosystem of Cybersecurity Professionals.” https://cyberab.org/CMMC-Ecosystem/The-Cybersecurity-Ecosystem, accessed on 7 February 2025.
  28. Code of Federal Regulations. “Title 32 Subtitle A Chapter I Subchapter G Part 170 Subpart B Section 170.6 CMMC PMO.” https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-G/part-170/subpart-B/section-170.6, accessed on 7 February 2025.
  29. Cyber AB. “About Us.” https://cyberab.org/About-Us/Overview, accessed on 7 February 2025.
  30. Cyber AB. “Professions of the Ecosystem.” https://cyberab.org/CMMC-Ecosystem/Ecosystem-Roles, accessed on 7 February 2025.
  31. NIST. “Specification for Assets Identification 1.1.” https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7693.pdf, accessed on 25 February 2025.
  32. Stiles, S. “What Is a CUI Enclave and When Should You Have One?” https://www.summit7.us/blog/what-is-a-cui-enclave-and-when-should-you-have-one, accessed on 7 February 2025.
  33. Chamberlain, A. “Final CMMC Rule: Key Details and Phased Implementation Timeline.” CohnReznick, https://www.cohnreznick.com/insights/final-cmmc-rule-key-details-and-implementation-timeline, accessed on 7 February 2025.
  34. U.S. DoD CIO. “The Planned Implementation Phases of the CMMC Program.” https://dodcio.defense.gov/cmmc/About/, accessed on 25 February 2025.
  35. Cyber AB. “Cyber AB Marketplace.” https://cyberab.org/Catalog#!/c/s/Results/Format/list/Page/1/Size/9/Sort/NameAscending, accessed on 7 February 2025.
  36. Federal Risk and Authorization Management Program. “FedRAMP Marketplace.” https://marketplace.fedramp.gov/products, accessed on 7 February 2025.
  37. NSA. “DIB Cybersecurity Services.” https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/DIB-Cybersecurity-Services/, accessed on 7 February 2025.
  38. DoD Cyber Crime Center. “Defense Industrial Base Collaborative Information Sharing Environment Overview.” https://www.dc3.mil/Missions/DIB-Cybersecurity/DIB-Cybersecurity-DCISE/, accessed on 7 February 2025.
  39. NIST. “Cybersecurity Resources for Manufacturers.” https://www.nist.gov/mep/cybersecurity-resources-manufacturers, accessed on 7 February 2025.
  40. NIST. “MEP National Network Map.” https://www.nist.gov/image/mep-national-network-map, accessed on 7 February 2025.
  41. U.S. Army Public Affairs. “Army to Pilot Secure, Cloud Environment for Small Businesses in the Defense Industrial Base.” https://www.army.mil/article/280537/army_to_pilot_secure_cloud_environment_for_small_businesses_in_the_defense_industrial_base, accessed on 7 February 2025.

Biography

Olutoye Sekiteri is a research analyst for the Cybersecurity and Information Systems Information Analysis Center (CSIAC), where he provides research efforts related to CSIAC’s four technical focus areas, conducts data analysis to support DoD science and technology communities, and connects government clients with subject matter experts to aid in answering technical inquiries. He previously worked at the University of Maryland, Baltimore County (UMBC) as a research assistant for its Department of Information Systems, supporting a research project recording emergency medical technician stress levels during interactive simulations. Mr. Sekiteri holds a B.S. in information systems from UMBC, where he is currently pursuing a master’s degree in cybersecurity.
