What defense contractors need to know about compliance with CMMC

Improving cybersecurity in the defense supply chain

Companies bidding for defense contracts are expected to have to comply with Cybersecurity Maturity Model Certification (CMMC) requirements beginning in early 2025.

In comparison to past regulations, current CMMC requirements represent a streamlined model designed to encourage compliance and accountability.

Affected contractors and subcontractors should begin their compliance planning now, and shore up their ability to defend against ongoing targeting by advanced and persistent threat actors.

On December 26, 2023, the DoD issued a long-awaited proposed rule to create the CMMC Program

The end of 2023 brought the anticipated update on the status of the CMMC rule for protection of Controlled Unclassified Information (CUI). The DoD has issued a proposed rule to create the CMMC Program. This continues the rulemaking process, with a 60-day public comment period running through February 26, 2024. Adjudication then begins: the DoD responds to comments, adjusts the proposed rule as needed, and obtains approval of the updated version from the White House Office of Management and Budget (OMB). This is a long-awaited update to the CMMC program timeline and brings new considerations for defense contractors.

The proposed CMMC rule contains numerous complexities that can limit an organization’s effectiveness in establishing an approach to certification. PwC, a Registered Practitioner Organization (RPO), is uniquely positioned to help organizations seeking certification navigate these complexities and prepare for CMMC assessments. PwC’s team of 30+ Registered Practitioners has experience supporting readiness assessments for a range of clients, both large and small, across the Fortune 500 and spanning multiple industries.

Adjudication of the CMMC rule runs in parallel with the DFARS 252.204-7012 proposed rule changes expected in spring 2024. As of publication of the proposed rule, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2 and portions of NIST SP 800-172 are referenced as the set of requirements to meet, depending on CMMC level.

Key Updates:

  • Phased Rollout: The proposed rule indicates a four-phase approach to rolling out the final rule over 30 months. Especially noteworthy is that the assessment requirements for each phase also apply to existing contracts at option years.
  • Scoping External Service Providers (ESPs): External Service Providers (ESPs) utilized by defense contractors are required to meet an equivalent CMMC level to maintain certification. ESPs in scope for this requirement are defined as vendors that handle security related data or CUI on their own assets. The definition from the rule excludes organizations that solely utilize the original defense contractor’s infrastructure.
  • Scoping Cloud Service Providers (CSPs): CSPs are defined as a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) and can be available as software-as-a-service, infrastructure-as-a-service, and platform-as-a-service offerings. Regarding CMMC requirements for CSPs, those that do not have FedRAMP authorized services at the Moderate or High baselines must achieve 100% compliance through an assessment performed by a FedRAMP recognized Third Party Assessment Organization (3PAO), as per the DoD FedRAMP Moderate Equivalency memo dated 12/31/2023. Both ESPs and CSPs require a Customer Responsibility Matrix (CRM) that delineates the ESP/CSP’s responsibilities, customer-owned responsibilities, and shared responsibilities as they relate to the in-scope CMMC requirements.
  • New Plans of Action and Milestones (POA&Ms) Requirements: Now codified in the proposed rule is a requirement to conduct assessments to verify that POA&Ms have been successfully closed within 180 days of the initial CMMC assessment. Closeout assessments must be conducted at the equivalent level of the original assessment (either self-assessed or using a third party) and cover open POA&Ms only. For most organizations seeking CMMC L2 and all seeking L3, a Conditional Certification may be obtained when a minimum score of 80% has been achieved with permissible POA&Ms. That Conditional Certification moves to a Final Certification once all POA&Ms have been closed and validated with a POA&M Closeout Assessment.
  • Annual Affirmation Requirements: For CMMC L1 and L2, annual affirmations are now required for certification. Misrepresentation of compliance discovered in these affirmations creates additional risk of liability in accordance with the False Claims Act.

In 2020, the Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) process, designed to bolster security, protect sensitive unclassified information, and enhance visibility into the defense supply chain.

The CMMC mandates new standards, practices, and processes that all companies within the DoD supply chain—not just the defense industrial base (DIB)—must implement to bid on defense contracts. What’s at stake is big and growing: The DoD’s budget request related to two key acquisition appropriations totaled $315 billion for FY2024, an overall increase from last year’s request.

Defense contractors are the target of frequent, persistent, and complex cyber attacks. A recent joint agency alert reported that from at least January 2020 through February 2022, there was regular targeting of large and small US-cleared defense contractors (CDCs) as well as subcontractors that provide the following to the DoD and intelligence community: command, control, communications, and combat systems; intelligence, surveillance, reconnaissance, and targeting; weapons and missile development; vehicle and aircraft design; and software development, data analytics, computers, and logistics.

Implementing CMMC is a significant endeavor, one that could impact as many as 300,000 primary contractors and subcontractors, large and small. In addition to DIB companies, CMMC affects a mix of traditional and nontraditional industries, such as higher education (research and development), health services, retail, critical infrastructure providers (including telecom), and technology (including cloud service providers).

The framework is currently a proposed rule anticipated to be finalized throughout 2024. No start date for compliance has been set, but it is currently estimated that CMMC will start appearing in contracts as early as 2025.

Compliance with federal cybersecurity regulations and requirements is essential for protecting sensitive data, mitigating cybersecurity risks, and maintaining eligibility for contracts.

Source: Office of the Under Secretary of Defense, Acquisition & Sustainment

What now? Get ready for CMMC

With the proposed rule published in December 2023, contractors will need to prepare for the phased rollout of CMMC. Depending on the type of contract and award timing, CMMC L2 Certification Assessments may be required as soon as mid-2025. In the meantime, annual self-assessments based on NIST SP 800-171 remain in effect until the final rule is published.

The months between now and 2025 may seem like a comfortable timeline to build compliance, but the complexities of CMMC compliance will require quick action as well as a disciplined response and deep knowledge of DoD acquisition rules.

To start the process towards CMMC compliance, contractors should first evaluate the environment for compliance (documentation, control effectiveness, resources) and continue to expand their documentation and readiness.

How PwC can help you achieve CMMC compliance

  • PwC is a Cyber Accreditation Body (Cyber AB) Registered Practitioner Organization (RPO). We are focused on providing up-to-date and high quality guidance to our clients. PwC has a dedicated team of 30+ practitioners who have completed the CMMC Registered Practitioner training and are authorized by the Cyber AB to give CMMC consulting advice and recommendations. In addition, our team is experienced with the DFARS 252.204-7012, DFARS 252.204-7019, and DFARS 252.204-7021 clauses.
  • We have experience delivering multiple CMMC scoping, governance, assessment, remediation, and final readiness engagements across large and small Fortune 500 companies in the power and utilities, aerospace and defense, R&D, telecommunications, technology, pharma, and the manufacturing sectors.
  • The team has experience supporting DIB companies with a global footprint across multiple countries.
  • Contact us today to learn more about our capabilities and how we can help you prepare for CMMC requirements.

Contact us

Chad Gray

Cyber, Risk & Regulatory, PwC US

Jessica Martin

Cyber, Risk & Regulatory, PwC US

Chris VanEvery

Cyber, Risk & Regulatory, PwC US