Site Search

Menu

Capabilities

Menu

Artificial Intelligence (AI)

Menu

Cybersecurity, Risk and Regulatory

Menu

Financial Markets & Real Estate

Loading Results

What defense contractors need to know about compliance with CMMC

Improving cybersecurity in the defense supply chain

Companies bidding for defense contracts are estimated to have to comply with Cybersecurity Maturity Model Certification (CMMC) requirements starting in 2025, coinciding with the first phase of the program’s rollout.  Prior to then, CMMC may be included in defense contract solicitations as early as December 16, 2024.

In comparison to past regulations, current CMMC requirements represent a streamlined model designed to encourage compliance and accountability.

Affected contractors and subcontractors should begin their compliance planning now, and shore up their ability to defend against ongoing targeting by advanced and persistent threat actors.

On October 15, 2024, the Department of Defense (DoD) released updates to 32 Code of Federal Regulations (CFR) Part 170, commonly referred to as the CMMC Program final rule.

Fall of 2024 brought forth a much-anticipated update regarding the CMMC rule for safeguarding Controlled Unclassified Information (CUI). On October 15, 2024, the Department of Defense (DoD) released updates to 32 Code of Federal Regulations (CFR) Part 170, commonly referred to as the CMMC Program final rule. CMMC requires updates to both 48 CFR (Parts 204, 212, 217, and 252) and 32 CFR (Part 170) before it takes effect.

As of the publication of the proposed rule, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2 and portions of NIST SP 800-172 have been referenced as the set of requirements to meet depending on CMMC Level. This is in accordance with an indefinite Class Deviation published which excludes the use of the new NIST SP 800-171 Revision 3 for CMMC for now. It is expected that Revision 3 will be required at a later date after the CMMC program has been rolled out and shows general adoption. Included were a number of key updates to the prior proposed rule.

Key Updates:

  • Phased Approach Timeline: The original four phases of the CMMC rollout remain, but Phase 1 has been extended by 6 months to 12 months total. Based on the final rule, Phase 1 begins on the effective date of 32 CFR Part 170 or 48 CFR Part 204, whichever occurs later. Given a 60-day finalization period starting on October 15, the final rule is set to go into effect as soon as December 16, 2024. It is expected that 48 CFR will not finalize review until sometime in 2025, marking the formal estimated start of Phase 1. However, contractors should be aware that the DoD can include CMMC in contract solicitations as soon as December 16, 2024, which would require a bilateral agreement between the contractor and the DoD after 48 CFR Part 204 has been finalized.
  • Definition of Security Protection Data (SPD): SPD is defined as data “stored or processed by Security Protection Assets (SPA) that is used to safeguard an Organization Seeking Assessment (OSA)’s assessed environment.” Examples given in the rule includes “configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment.”
  • External Service Provider (ESP) and Cloud Service Provider (CSP) Clarifications: The updated rule provides expanded requirements for ESPs and CSPs within the CMMC scope. While ESPs handling CUI do not need a separate CMMC certification, their services should be included in their customer's assessment scope. CSPs handling SPD but not CUI are not required to meet FedRAMP requirements, however, they should still be included in their customer’s assessment scope. CSPs managing CUI should meet FedRAMP Moderate requirements by either obtaining a FedRAMP Moderate authorization or meeting equivalent security requirements as specified within the DoD’s FedRAMP equivalency memo. It is estimated that this will likely require additional collaboration between OSAs and ESPs/CSPs, as the expectation for responsibility on assessing these third parties has largely moved to OSAs.
  • Virtual Desktop Environment (VDI) Scoping: In another major change, the final rule offers clarification to questions regarding the scoping of VDI assets. The rule has been updated to state that endpoints that host VDI clients can be considered out of scope if the client is configured to not allow any processing, storage, or transmission of CUI (beyond the keyboard, video, and mouse input sent to the VDI client).
  • Assessment Record Retention Requirements: Reinforced in the rule is the requirement around the storage and maintenance of CMMC assessment artifacts. The rule includes the requirement that OSAs and Assessors must retain CMMC assessment artifacts for six years. Artifacts primarily consist of evidence used during an assessment. In addition, the rule requires a hash of assessment evidence to be kept, helping to maintain the integrity of the artifacts. All retention requirements are in accordance with input made by the Department of Justice (DOJ).

What’s at stake is big: The DoD’s budget request related to two key acquisition appropriations is estimated for $313 billion for FY2025.

In 2020, the DoD introduced the Cybersecurity Maturity Model Certification (CMMC) process, designed to bolster security, safeguard sensitive unclassified information, and enhance visibility into the defense supply chain.

The CMMC mandates standards, practices, and processes that all companies within the DoD supply chain—not just the defense industrial base (DIB)—must implement to bid on defense contracts. What’s at stake is big: The DoD’s budget request related to two key acquisition appropriations totaled $313 billion for FY2025.

Defense contractors are often the target of frequent, persistent, and complex cyber-attacks. A recent joint agency report from the Federal Bureau of Investigation (FBI) shows that advanced cyber actors have been responsible for espionage, sabotage and reputational harm against DoD targets and other critical infrastructure since at least 2020. Targets included entities connected to US government services, financial services, transportation systems, energy, and healthcare sectors.

Complying with CMMC can be a significant endeavor, one that could impact as many as 220,000 (Source: CMMC Program Final Rule, Background) primary contractors and subcontractors, large and small. In addition to DIB companies, CMMC affects a mix of traditional and nontraditional industries, such as higher education (research and development), health services, retail, critical infrastructure providers (including telecom), and technology (including cloud service providers).

The CMMC Program rule has been finalized in the Federal Register as of October 15, 2024. Phased rollout of the CMMC Program starts 60 days after the publication of the final Title 48 CFR CMMC acquisition rule.

Certification with federal cybersecurity regulations and requirements is essential for protecting sensitive data, mitigating cybersecurity risks, and maintaining eligibility for contracts.

Source: Office of the Under Secretary of Defense, Acquisition & Sustainment

What now? Get ready for CMMC

As updates to the CMMC Program final rule were published in the Federal Register as of October 2024, the phased rollout of CMMC is imminent. It is estimated that some contractors and subcontractors can expect to start seeing CMMC requirements within their DoD contract solicitations towards the beginning of 2025. Coinciding with the finalization date of the program rule, CMMC may be included in defense contract solicitations as early as December 16, 2024, at the DoD’s discretion.

The complexities of CMMC compliance will likely require quick action, a disciplined response, and deep knowledge of DoD acquisition rules. Meeting all requirements prior to third-party assessments includes significantly more effort than self-assessments in the past.

To start the process towards CMMC compliance, contractors should first evaluate the environment for compliance (documentation, control effectiveness, resources) and continue to expand their documentation and readiness.

How PwC can help you achieve CMMC compliance

  • PwC is a Cyber Accreditation Body (Cyber AB) Registered Practitioner Organization (RPO). We are focused on providing up-to-date and high quality guidance to our clients. PwC has a dedicated team of practitioners that has gone through the CMMC Registered Practitioner training and are authorized by the Cyber AB to give CMMC consulting advice and recommendations. In addition, our team is experienced with the DFARS 252.204-7012, DFARS 252.204-7019, and DFARS 252.204-7021 clauses.
  • We have experience delivering CMMC scoping, governance, assessment, remediation, and final readiness engagements across companies of all sizes in the power and utilities, aerospace and defense, R&D, telecommunications, technology, pharma, and the manufacturing sectors.
  • The team has experience supporting DIB companies with a global footprint across multiple countries.
  • Contact us today to learn more about our capabilities and how we can help you prepare for CMMC requirements.

Get started with PwC's preference center

Our insights. Your choices.

Contact us

Chad Gray

Cyber, Risk & Regulatory, PwC US

Linkedin Follow Email

Jessica Martin

Cyber, Risk & Regulatory, PwC US

Linkedin Follow Email

Chris VanEvery

Cyber, Risk & Regulatory, PwC US

Linkedin Follow Email
Follow us
Audit and Assurance services Consulting Tax services Newsroom Alumni US offices Contact us

© 2017 - 2025 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.