What defense contractors need to know about compliance with CMMC 2.0

In 2020, the Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) process, designed to bolster security, protect sensitive unclassified information, and enhance visibility into the defense supply chain.

The CMMC mandates new standards, practices, and processes that all companies within the DoD supply chain—not just the defense industrial base (DIB)—must implement to bid on defense contracts. What’s at stake is big and growing: Defense acquisitions soared to $447 billion in fiscal 2020, a 10% jump over the year before.

Defense contractors are the target of frequent, persistent, and complex cyber attacks. A recent joint agency alert reported that from at least January 2020 through February 2022, there has been regular targeting of large and small US-cleared defense contractors (CDCs) as well as subcontractors that provide the following to the DoD and intelligence community: command, control, communications, and combat systems; intelligence, surveillance, reconnaissance, and targeting; weapons and missile development; vehicle and aircraft design; and software development, data analytics, computers, and logistics.

In November 2021, the DoD unveiled CMMC 2.0, an updated program structure and revised requirements following a review of the initial vision (CMMC 1.0). CMMC 2.0 streamlines certifications from five progressively advanced levels in CMMC 1.0 to three. The naming conventions have also been revised.

• Level 1 is now Foundational.
• Level 2 is Advanced.
• Level 3 is Expert.

That will be a significant endeavor, one that could impact as many as 300,000 primary contractors and subcontractors, large and small. In addition to DIB companies, CMMC 2.0 will affect a mix of traditional and nontraditional industries, such as higher education (research and development), health services, retail, critical infrastructure providers (including telecom), and technology (including cloud service providers).

The updated framework is currently in a rulemaking process that the DoD projects will last nine to 24 months from November 2021. No start date for compliance has been set, but the DoD has said that federal contractors should be prepared to comply by the end of fiscal year 2023.

While rulemaking for CMMC 2.0 is in progress, contractors will need to attest to DFARS 7019 Assessment Methodology and 7020 DoD Assessment Requirements. In the meantime, annual self-assessments based on the National Institute of Standards and Technology (NIST) Special Publication 800-171 will be in effect until the final rule is published.

The months between now and late 2023 may seem like a comfortable timeline to build compliance with CMMC 2.0 but the complexities of compliance will require quick action as well as a disciplined response and deep knowledge of DoD acquisition rules.

Contractors should use this window to evaluate the environment for compliance (documentation, control effectiveness, resources) and continue to expand their documentation and readiness.