Cybersecurity is Now Foundational to Doing Business with the Department of Defense

Ice Miller

Actionable Guidance for Success Under the Cybersecurity Maturity Model Certification Program

Notwithstanding the Executive Orders in effect today that direct a reduction of federal rules affecting industry, the Department of Defense (DOD) recently enacted new regulations by finalizing the Cybersecurity Maturity Model Certification (CMMC) program, underscoring the importance of cybersecurity to our national defense and the warfighter. Most defense companies handling Controlled Unclassified Information (CUI) will be required to obtain a third-party assessment and certification of their implementation of 110 security requirements incorporated into defense contracts and subcontracts. To note, based on DOD’s projections, only a small number of such contractors would need self-assessments under CMMC; most will need third-party certification. Instead of obtaining a third-party CMMC assessment, contractors that do not handle CUI would be required to self-assess and attest that they have met the 17 basic safeguarding controls in the Federal Acquisition Regulation (a subset of the 110 requirements) to protect Federal Contract Information (FCI) (See 32 CFR 170.22(b)(1); Federal Contract Information is defined in FAR 52.204-21). The DOD itself will retain the responsibility for assessing enhanced cybersecurity controls for the most critical defense programs. After more than six years of planning, the DOD will soon roll out the CMMC program in earnest, making cybersecurity a pillar of defense contracting. Effective as of November 10, 2025, a CMMC requirement may be included in new solicitations as a condition of award, and existing defense contracts may be modified to add a CMMC certification requirement.

While this development should come as no surprise to established defense contractors and subcontractors, the details are important to understand. A single misstep could put ongoing and future business with the DOD in jeopardy. Additionally, the Department of Justice (DOJ) has been enforcing cybersecurity compliance as part of its Cyber Fraud Initiative for four years, which brings an added risk of liability under the False Claims Act. Cybersecurity is now a business and legal imperative for defense and government contractors.

Background

As of December 31, 2017, the DOD required defense contractors to implement the 110 security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 via a contract clause found at DFARS 252.204-7012 that is included in most defense contracts and Other Transaction Agreements. With limited exceptions for commercial-off-the-shelf (COTS) items, this clause also must be flowed down to subcontractors and suppliers throughout the defense supply chain.

Prior to CMMC, strict compliance with DFARS 252.204-7012 was not required. Rather, the DOD considered its contractors and subcontractors to be compliant provided that each such entity developed a System Security Plan (SSP), maintained a Plan of Actions and Milestones (POA&M) for each requirement not met (See Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041), 85 Fed. Reg. 61505, 61508 (Sept. 29, 2020)), and completed a cybersecurity self-assessment in the Supplier Performance Risk System (SPRS) for each information system used in contract performance (See DFARS 252.204-7020). However, the DOD realized by 2019 that its then-existing cybersecurity compliance regime was insufficient, in part because POA&Ms could be left open potentially indefinitely without a need for defense contractors to fully implement all 110 security requirements.

Prior to CMMC being finalized, the DOD's internal security assessments of the industry showed that a considerable number of contractors had struggled to meet all 110 security requirements imposed in DOD contracts. These requirements have been in federal regulations and contracts for nine years, having first been introduced in October 2016. Yet, after taking years to get into full compliance, the DOD found that many defense contractors still had not fully implemented the security requirements. This is likely the case even today.

CMMC is designed to provide greater assurance to the DOD that its multi-tiered supply chain of contractors is meeting all existing contractual security requirements to protect CUI (also referred to as Covered Defense Information (CDI)) on the contractors’ information systems. To note, the DOD uses the term “Covered Defense Information” in DFARS 252.204-7012, which is the term that the DOD initially established in 2016 to describe the information requiring protection. More recently, the DOD instead has been using the term that applies government-wide, which is “Controlled Unclassified Information.” Although there is a distinction between these terms, for simplicity this article will use “Controlled Unclassified Information” as defined in 32 CFR 2002.4(h). As the DOD stated on September 29, 2020:

“Malicious cyber actors have targeted, and continue to target, the DIB sector, which consists of over 200,000 small-to-large sized entities that support the warfighter…. [A]ctors ranging from cyber criminals to nation-states continue to attack companies and organizations that comprise the Department’s multi-tier supply chain including smaller entities at the lower tiers. These actors seek to steal DoD’s intellectual property to undercut the United States’ strategic and technological advantage and to benefit their own military and economic development” (See “Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements,” 85 Fed. Reg. 61505, 61517 (Sept. 29, 2020)).

The DOD estimated that malicious cyber activities have led to the theft of United States intellectual property worth hundreds of billions of dollars (Id. at 61508).

While the DOD is moving towards strict compliance, the CMMC model builds in some flexibility: it accounts for temporary deficiencies and for enduring exceptions to compliance, and POA&Ms will still be permissible in the short term but must be closed out promptly. It also may be possible to get a waiver of CMMC requirements for certain programs.

As a maturity model, CMMC has three levels of increasing difficulty. DOD program managers or requiring activities shall determine which level applies for a procurement based on the sensitivity of information handled on the contractor’s information system.

  • At Level One, defense contractors need to meet the 17 basic safeguarding requirements identified in the Federal Acquisition Regulations (FAR) to protect FCI (the safeguarding requirements are in FAR 52.204-21). However, POA&Ms are not permitted. The contractor must demonstrate Level 1 compliance through annual self-assessments and affirmations of compliance.
  • At Level Two, contractors must ultimately meet all 110 security controls in NIST SP 800-171 Revision 2, because CUI is processed in contract performance, as a condition of a contract award. For contractors that have not met all requirements, it still will be possible to obtain a conditional CMMC certificate to remain eligible for award, but such contractors (i) must meet an assessment score of 80 percent based on the CMMC scoring methodology (i.e., 88 points), (ii) may not have POA&Ms for certain controls, and (iii) must close out deficiencies within 180 days as verified in a POA&M closeout assessment (See 32 CFR 170.21(a) and (b)). If these conditions are met, the contractor can achieve conditional CMMC status despite not immediately implementing all requirements. If any POA&Ms are not closed in 180 days, however, the conditional status will expire, the contractor will temporarily be ineligible for future contract awards under CMMC, and there may be contractual repercussions for previously awarded contracts (See 32 CFR 170.17(a)(ii)(B)). As noted, while some Level 2 procurements will allow for self-assessment, most contractors will need an independent assessment. Affirmations of continuous compliance also will be required.
  • Level Three has the same requirements as Level Two, but adds 24 technically complex and expensive security requirements from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (February 2021). The DOD will be responsible for assessing the implementation of these 24 requirements instead of a third-party assessor. Continuous compliance also will be required.

When achieved, CMMC status is effective for three years but also must be maintained throughout this period.

While CMMC was pending in rulemaking through the initiative of the DOD, the Department of Justice (DOJ) began opening and expanding investigations against government contractors and individuals working for them and bringing cases for “cyber-fraud” related to alleged cybersecurity noncompliance. The aptly named DOJ Cyber-Fraud initiative is designed to hold accountable entities and individuals that knowingly misrepresent their cybersecurity practices or protocols. The DOJ is relying on statutory authority found in the False Claims Act to raise cybersecurity standards as one of numerous policy goals related to the initiative and has reached 15 settlements worth over $60 million so far. As such, in addition to the business imperative to meet cybersecurity standards to do business with the DOD, government contractors also have legal risks from the DOJ associated with noncompliance and alleged fraud.

Analysis

Below are key considerations for CMMC readiness and success. While this analysis is not intended to cover every nuance, it should be useful for companies in considering business priorities and risk.

Verify Past Assumptions

Before seeking a third-party CMMC certification covering the implementation of 110 security controls, with the risk of being ineligible for future defense contracts and subcontracts at stake, it is imperative to be ready for the test. This may require organizations seeking certification to reexamine past assumptions and practices.

Critically, organizations seeking CMMC certification should document and be able to demonstrate that they are meeting cybersecurity controls, not only in their security plans and policies but also in their actual security practices. A security plan and policies should not simply repeat back the language of each security requirement. Beyond that, companies need to be able to show how they perform each requirement and assessment objective in detail.

Just as in other areas of compliance, if a program just exists on paper, it is unlikely to be successful or survive scrutiny. For companies that rely on security templates generated by third parties, there is a substantial risk that the security plan will not match up to reality, or, conversely, that security implementation is not fully or appropriately documented. To note, companies that rely on Generative Artificial Intelligence to draft system security plans also run the risk that the AI will hallucinate and create a false record of compliance. It is much better for companies to discover potential compliance or documentation issues in advance of a third-party assessment when the stakes will be higher.

An independent view can be valuable as many years have passed since the cybersecurity requirements were first put in place in DFARS 252.204-7012. Such a review may include relying on existing company resources not directly involved in setting up the cyber program. A third-party mock assessment for CMMC also can be a useful tool. Some companies may choose to retain outside legal counsel or other experts. Ultimately, there are several options that can be effective to gain assurance of cybersecurity readiness.

Categorize and Follow the Data to Understand Scope

In accordance with the newly added solicitation provision found at DFARS 252.204-7025(d), defense contractors will need to identify and meet applicable security requirements for all information systems that will process, store, or transmit FCI or CUI during contract performance. To do this, it likely will be necessary for companies to catalogue which of their information systems have CUI/FCI to understand how many such systems will be impacted by CMMC. For organizations with significant involvement in defense contracting, the affected systems may go beyond the corporate enterprise network and could include systems that are not managed or even known by the Information Technology organization. It will be important to ensure CMMC readiness for all contractor information systems with CUI/FCI to meet the new rules.

For companies that have established an enclave approach to CUI protection by designating or isolating a single information system for CUI processing, it will be key to have policies, practices, and tools to keep the enclave intact and avoid leakage of data into other systems. This also should include employee training to help them identify CUI/CDI before inadvertently disseminating this information to uncovered systems. If employees regularly transmit or store CUI in other systems outside the enclave, then those systems may become in-scope for CMMC.

In one settled “cyber-fraud” case, a company allegedly failed to realize that an information system contained Covered Defense Information. As a result, the company allegedly did not implement security requirements that pertain to such information on the system in question. This apparent oversight led to a False Claims Act settlement of more than $8 million.

Companies should also assess their use of third parties that handle security-related data or CUI on their own assets and software, which are referred to as “external service providers” in the CMMC rules. This includes managed services providers. Such companies also may need to meet CMMC requirements.

Continuing with the earlier theme of double-checking, defense contractors and subcontractors also should review the evolution of the DOD’s identification and marking practices for CUI and make sure any past assumptions about what systems are covered remain valid; it may be necessary to take a fresh look.

Ensure Accountability and Close Gaps

Under the new CMMC rules, an Affirming Official from each defense prime and subcontractor must attest to continuing compliance for the organization after every [successful] CMMC assessment for an information system, including POA&M closeout, and annually thereafter, and enter this affirmation in SPRS (See 32 CFR 170.22(a); see also DFARS 252.204-7021 (Nov. 2025) at paragraph (d)(3)). The role of the Affirming Official will be key for organizations: it should be someone sufficiently senior in the organization and knowledgeable about cybersecurity.

To implement the affirmations of compliance, the DOD has introduced a new definition of “current,” which essentially means that there may not be any changes in compliance at the time of affirmation for each information system used in support of the affected contract (See DFARS 252.204-7021(a)). Such affirmations will be required at different times and circumstances. Critically, any cybersecurity deficiencies must be temporary and quickly remediated.

For a company and its Affirming Official to have confidence that a representation of continuing compliance can be made accurately, it will be important to have checks and balances and a mechanism for questions to be raised and resolved. This may require collaboration across the enterprise and breaking down silos. The right answer may not always be clear as cybersecurity involves judgment and there is often more than one way to meet a requirement.

Any contractor misrepresentation of its compliance also could lead to liability for the contractor under the False Claims Act under the DOJ’s Cyber-Fraud Initiative. Cybersecurity is increasingly becoming a legal and compliance activity rather than solely a province of information security and risk management. As such, it is more important than ever for defense contractors to have a clear record of cybersecurity compliance.

Primes Should Be Ready for New Burdens

Prime and higher-tier contractors often need to field a team with a large number of suppliers for significant procurements. If those suppliers will be processing CUI or FCI, they will need to meet their respective CMMC requirements in a timely manner. Prime contractors will need to plan to ensure that their suppliers either will be able to meet CMMC when it is required or develop alternative solutions, such as providing suppliers with access to the prime’s compliant information system.

In the CMMC contracting clause, the DOD has included a new requirement for prime contractors to “[e]nsure all subcontractors and suppliers complete prior to subcontract award, and maintain on an annual basis, an affirmation … of continuous compliance” with the applicable CMMC requirements in the subcontract (See DFARS 252.204-7021(d)(4)). This is a change from the prior contracting practice, which only requires prime contractors to flow down the applicable cybersecurity clause and does not expressly require more surveillance or effort (See DFARS 252.204-7012(m)(1)). By including the new regulatory language, DOD is apparently expecting large prime contractors to help roll out and enforce CMMC. The increased burdens on prime contractors will need to be managed well in advance and effectively.

In addition to the business risk of not being able to participate in a major procurement, prime contractors also face “cyber-fraud” risk. In one recent settlement, a prime contractor allegedly failed to flow down a DOD cybersecurity clause and paid $4.6 million to resolve the case, which included other allegations.

Overall, supply chain cybersecurity will likely be a competitive differentiator for large contractors and integrators. Contractors that are proactive about cybersecurity will have an advantage in future procurements.

Get in Line to Be Assessed Early and Often

For companies that will need to have a third-party assessment, it will be important to have an assessment scheduled as soon as the company is ready for certification. It is well known in the CMMC ecosystem that there is a significant shortage of qualified assessors to meet demand once CMMC is a requirement in defense contracts. This problem will only grow in the short term.

As of the date of this article, the accrediting body that authorizes third-party assessors (called the Cyber AB) has recognized only 83 companies to conduct CMMC assessments. Many of these assessment companies are small businesses and thus do not have large numbers of assessment teams. Yet, the DOD currently estimates that 118,289 unique entities will need to get at least one CMMC assessment by a third party, which is a large number for the 83 companies to assess for CMMC (See “Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements,” 90 Fed. Reg. 43560, 43573 (September 10, 2025)). Simply put, the supply of third-party assessors is unlikely to be able to meet the demand of companies seeking assessment for the foreseeable future.

While the DOD’s CIO office has tried to address the supply/demand issue by providing for a phased/delayed rollout of CMMC, the DOD’s own website states that “[i]n some procurements, DOD may implement CMMC requirements in advance of the planned phase.” This is consistent with federal regulations, which give DOD components the discretion to include CMMC third-party requirements in contracts at any time after the rule is in effect (See 32 CFR 170.3(e)(1)). In the comments included with the new CMMC regulations, the DOD stated that it could not add a requirement for advance/centralized DOD approval before a requiring activity could add CMMC to a solicitation or contract (See “Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements,” 90 Fed. Reg. 43560, 43568-43569). As such, the phased or delayed rollout may not hold up as planned or hoped.

Many of the over 100,000 contractors subject to a Level 2 assessment by a third party also may need multiple assessments for their different information systems processing CUI/CDI in support of defense contracts. That will add to the wait for companies seeking to be assessed.

Notwithstanding the intentions of the DOD CIO’s office, a CMMC requirement can be added at any time as of the effective date of November 10, 2025, consistent with DOD’s own rules. For companies that do not have assessments scheduled yet, it is imperative to find, vet, and retain a qualified third-party assessor.

Conclusion

While CMMC undoubtedly will add costs and regulatory burdens for defense contractors and subcontractors, the Department of Defense, by pressing forward and approving new regulations, has determined that the costs are necessary. Real-world risks to American security are as present as ever before. To state the obvious, cyber risks and threats have only increased in the last several years. The defense industrial base plays a crucial role in keeping the country safe, and it must thus protect the critical technology that it processes on its unclassified information systems.

Without the rigorous enforcement of the DOD’s cybersecurity requirements that CMMC will soon provide, and in the absence of regulatory certainty over the last several years, some companies may have decided to wait to fully implement the requirements. During this time, there were numerous false starts and delays in the regulatory process. However, CMMC has now arrived. Any wait should now be over for any company that wants to do business with the Department of Defense or its prime or higher-tier contractors.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Ice Miller
