What defense contractors need to know about compliance with CMMC 2.0

Improving cybersecurity in the defense supply chain

Companies bidding for defense contracts will have to comply with revised Cybersecurity Maturity Model Certification requirements by the end of fiscal year 2023.

CMMC 2.0 requirements announced in November 2021 represent a streamlined model from the initial vision to encourage compliance and accountability.

Affected contractors and subcontractors should begin their compliance planning now, and shore up their ability to defend against ongoing targeting by advanced and persistent threat actors.

In 2020, the Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) process, designed to bolster security, protect sensitive unclassified information, and enhance visibility into the defense supply chain.

The CMMC mandates new standards, practices, and processes that all companies within the DoD supply chain—not just the defense industrial base (DIB)—must implement to bid on defense contracts. What’s at stake is big and growing: Defense acquisitions soared to $447 billion in fiscal 2020, a 10% jump over the year before.

Defense contractors are the target of frequent, persistent, and complex cyber attacks. A recent joint agency alert reported that from at least January 2020 through February 2022, there was regular targeting of large and small US-cleared defense contractors (CDCs), as well as subcontractors, that provide the following to the DoD and intelligence community: command, control, communications, and combat systems; intelligence, surveillance, reconnaissance, and targeting; weapons and missile development; vehicle and aircraft design; and software development, data analytics, computers, and logistics.

In November 2021, the DoD unveiled CMMC 2.0, an updated program structure and revised requirements following a review of the initial vision (CMMC 1.0). CMMC 2.0 streamlines certifications from five progressively advanced levels in CMMC 1.0 to three. The naming conventions have also been revised.

  • Level 1 is now Foundational.
  • Level 2 is Advanced.
  • Level 3 is Expert.

Implementing CMMC 2.0 will be a significant endeavor, one that could affect as many as 300,000 prime contractors and subcontractors, large and small. In addition to DIB companies, CMMC 2.0 will affect a mix of traditional and nontraditional industries, such as higher education (research and development), health services, retail, critical infrastructure providers (including telecom), and technology (including cloud service providers).

The updated framework is currently in a rulemaking process that the DoD projects will last nine to 24 months from November 2021. No start date for compliance has been set, but the DoD has said that federal contractors should be prepared to comply by the end of fiscal year 2023.

CMMC 2.0 is a streamlined and flexible model to help encourage better compliance and higher accountability

Source: Office of the Under Secretary of Defense, Acquisition & Sustainment

What now? Get ready for CMMC 2.0

While rulemaking for CMMC 2.0 is in progress, contractors will need to attest to DFARS 7019 Assessment Methodology and 7020 DoD Assessment Requirements. In the meantime, annual self-assessments based on the National Institute of Standards and Technology (NIST) Special Publication 800-171 will be in effect until the final rule is published.

The months between now and late 2023 may seem like a comfortable timeline for building compliance with CMMC 2.0, but the complexities of compliance will require quick action, a disciplined response, and deep knowledge of DoD acquisition rules.

Contractors should use this window to evaluate the environment for compliance (documentation, control effectiveness, resources) and continue to expand their documentation and readiness.

How PwC can help you achieve CMMC compliance

As a CMMC Registered Provider Organization, PwC is authorized to deliver a range of consulting services to help contractors efficiently and quickly prepare for an updated CMMC 2.0 assessment.

Contact us

Chad Gray

Cyber, Risk & Regulatory, PwC US

Jessica Martin

Cyber, Risk & Regulatory, PwC US

Chris VanEvery

Cyber, Risk & Regulatory, PwC US