DoD cybersecurity requirements have changed. Organizations all across the defense supply chain, including defense contractors and subcontractors as well as university research facilities in partnership with the Department of Defense, will have to make sure they understand and comply with the new CMMC 2.0 framework.
Many of the changes made to CMMC compliance requirements are expected to make compliance easier for smaller organizations across the Defense Industrial Base without compromising the security of sensitive data. However, even change for the best can feel like an overwhelming adjustment to make.
With the CMMC final rule going into effect in 2025, Cask Government Services is here to provide an overview of what has changed for businesses in the defense sector and help you prepare for upcoming CMMC implementation and assessment deadlines.
What’s Changing with CMMC 2.0?
Big changes have been in the works for the Cybersecurity Maturity Model Certification program for a long time, with the final rule releasing in mid-October 2024 after five years of development. While compliance with the new rules has already entered enforcement, there will be a “phased rollout” across 2025 as these new requirements make their way into new DoD contracts.
In short, here is what has changed with CMMC 2.0:
A Simpler Cyber Compliance Model
First things first, the five-level compliance model organizations have previously had to adhere to is now only three levels. Level 5, the highest level with the most stringent and expansive requirements for cybersecurity practices, has been eliminated altogether, while the remaining four levels have been adjusted and simplified:
Level 1: Foundational
Contractors who only handle Federal Contract Information (FCI) only need to meet Level 1 CMMC compliance requirements. This is the simplest level, aligning with 17 basic cybersecurity practices derived from Federal Acquisition Regulation (FAR) 52.204-21.
Level 2: Advanced
Contractors handling Controlled Unclassified Information (CUI) have more rigorous standards to meet than those who only handle FCI. However, the second rung of CMMC compliance standards have also been simplified. Now, the 110 cybersecurity practices described by Level 2 requirements align directly with NIST 800-171.
Level 3: Expert
Organizations handling the most sensitive DoD information where the stakes are highest fall into the new expert level category for CMMC compliance. Written to align with NIST SP 800-172, this level mandates over 110 cybersecurity practices to ensure enhanced protection from highly sophisticated Advanced Persistent Threats (APTs).
Now that the three CMMC 2.0 levels align directly with established FAR and NIST standards, there will be less confusion among contractors regarding which cybersecurity practices are needed to ensure compliance with their relevant level.
New Assessment Standards
While CMMC final rulemaking was underway, small businesses were the most concerned about the cost and complexity of maintaining CMMC compliance. New standards for self-assessment are expected to ease at least some of these burdens compared to the old CMMC framework.
Smaller contractors handling FCI have a lot to look forward to with CMMC 2.0, especially when it comes to self-assessment requirements. Level 1 now allows annual CMMC self-assessments to satisfy compliance requirements. Likewise, Level 2 also has some expanded self-assessment options for eligible contractors.
Level 3 requires government-led assessments every three years. The assessment is conducted by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). In addition, eligibility for Level 3 requires all assessment conditions for Level 2 have also been met. The Department of Defense can also approve contractors at Level 2 or above to bypass third-party assessments under specific conditions.
Flexibility for DoD Contracts
The soft, staggered rollout for CMMC compliance requirements over the course of 2025 means that, at the beginning at least, organizations handling CUI and FCI will have some leeway as they adjust to the new standards.
For contractors struggling to fully comply with NIST standards, the new CMMC final rule allows DoD program offices to grant Plans of Action and Milestones, which provide a 180-day conditional certification while the contractor works to bring their compliance practices up to NIST standards.
New CMMC Compliance Deadlines to Watch For
While CMMC 2.0 enforcement has already begun, it won’t start appearing in DoD contracts until mid-2025, giving contractors plenty of time to prepare. The DoD’s CMMC implementation timeline is as follows:
- Revisions to 48 CFR Rules will be updated by the end of 2024 or early spring 2025.
- From mid-2025 onward, the new CMMC framework will start appearing in all DoD contracts. This gradual rollout should be completed by the end of 2025.
- By October 1, 2026, the DoD intends to include CMMC requirements for Levels 1, 2, and 3 in all of its contractor applications.
Don’t Miss Your CMMC Deadlines
Looking ahead to the end of 2024 and the beginning of 2025, organizations need to prepare to ensure their practices are in alignment with CMMC 2.0—or, if not, if pursuing a Plan of Action is feasible. Just because you won’t see the new framework in DoD contracts until midway through 2025 doesn’t mean you should put off your CMMC implementation plans. While the DoD is providing ample time for the Defense Industrial Base to adjust, the earlier you start, the more prepared you will be.
It takes an average of 12 months to get an assessment ready. If you’re not sure where to start to make sure you’ll be prepared to keep winning DoD contracts from 2025 onward, get in touch with Cask to ask about our CMMC readiness program. Through our consulting program, you’ll gain custom-tailored consulting to make sure your organization is ready for its assessments.
Cask has been part of the CMMC journey since inception. We are truly excited with the publication of the final rule—and we are ready to support our defense industrial base partners in their compliance readiness or assessment.” – Elizabeth Guezzale, Cask Government Services
If you are confident that you already meet CMMC 2.0 standards, we also offer authorized C3PAO services to fulfill your third-party assessment obligations. Contact us today to start your preparations and set yourself up for success in the defense sector.