Now Final: 48 CFR DFARS Rule Establishes CMMC Requirements for Defense Contractors

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense’s (DoD) latest framework designed to protect sensitive unclassified information within the Defense Industrial Base (DIB). This program ensures that DoD contractors and subcontractors implement appropriate cybersecurity measures to safeguard federal contract information (FCI) and controlled unclassified information (CUI). The primary goals of CMMC 2.0 are to enhance the cybersecurity posture of the DIB, protect sensitive unclassified information from theft and espionage, and create a uniform standard for cybersecurity across the defense supply chain.

With the recent publication of 48 CFR as a final rule, defense contractors now face more concrete requirements for safeguarding sensitive unclassified information. This blog provides an overview of these requirements, their implementation timelines, and best practices for compliance.

What Are 48 CFR, 32 CFR, and CMMC 2.0?

48 CFR – Defense Federal Acquisition Regulation Supplement (DFARS)

Title 48 of the Code of Federal Regulations contains the Federal Acquisition Regulation (FAR) and its supplements, including the Defense Federal Acquisition Regulation Supplement (DFARS). The recently published final rule in 48 CFR includes DFARS clause 252.204-7021, which mandates CMMC requirements for defense contractors. This clause establishes that contractors and subcontractors must implement specific cybersecurity standards based on the sensitivity of the information they handle. The rule requires defense contractors to achieve the appropriate CMMC certification level as a condition of contract award.

32 CFR – National Defense Regulations

Title 32 CFR contains regulations related to national defense, including Part 170, which establishes the CMMC Program. The 32 CFR rule was published in October 2024. Section 170.14 specifically outlines the CMMC Model, detailing the cybersecurity requirements at each level. This regulatory framework describes how the DoD will assess contractor compliance with information protection requirements.

CMMC 2.0 – Cybersecurity Maturity Model Certification

CMMC is a unified standard designed to enhance the protection of FCI and CUI within the DIB. As outlined in the DoD CMMC Model Overview document, CMMC incorporates security requirements from FAR clause 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems), NIST SP 800-171 Rev 2 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations), and a subset of requirements from NIST SP 800-172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information).

Who Is Required to Obtain CMMC 2.0 Certification?

Businesses that are part of the defense supply chain are required to obtain CMMC certification. CMMC compliance, and ultimately CMMC certification, demonstrates that an organization has adhered to the CMMC 2.0 framework. This certification process is crucial because it ensures that companies handling sensitive data related to national defense meet specific cybersecurity standards. By achieving CMMC certification, these businesses demonstrate their commitment to maintaining the integrity and confidentiality of critical information.

The certification process involves a thorough assessment of a company’s cybersecurity practices, which are categorized into different levels based on the complexity and sensitivity of the data they handle. This not only fosters a more secure environment for federal contract information and controlled unclassified information but also plays a vital role in reinforcing the nation’s overall security infrastructure. As a result, securing a CMMC certificate is not just about compliance; it is about contributing to the broader effort of protecting national interests against cyber threats and ensuring that adversaries cannot exploit vulnerabilities within the defense supply chain.

CMMC 2.0 Timeline and Implementation Phases

The implementation of CMMC requirements will follow a phased approach as outlined in the DoD CMMC 101 Brief. Phase 1 (Initial Implementation) begins at the 48 CFR Rule Effective Date, where applicable solicitations will require Level 1 or 2 Self-Assessment. Phase 2 begins 12 months after Phase 1 start, where applicable solicitations will require Level 2 Certification. Phase 3 begins 24 months after Phase 1 start, where applicable solicitations will require Level 3 Certification. Phase 4 (Full Implementation) begins 36 months after Phase 1 start, and all solicitations and contracts will include applicable CMMC Level requirements as a condition of contract award. It’s important to note that in some procurements, the DoD may implement CMMC requirements in advance of the planned phases.

Key Components of the CMMC 2.0 Framework

CMMC Levels

The CMMC model consists of three progressive levels of cybersecurity maturity. Level 1 focuses on the protection of FCI and consists of 15 security requirements aligned with FAR 52.204-21, requiring annual self-assessment and affirmation. Level 2 targets the protection of CUI and incorporates all 110 security requirements from NIST SP 800-171 Rev 2, requiring either C3PAO certification assessment every 3 years or self-assessment every 3 years for select programs, plus annual affirmation. Level 3 enhances protection of CUI with 134 requirements (110 from NIST SP 800-171 plus 24 from NIST SP 800-172), requiring DIBCAC certification assessment every 3 years and annual affirmation.

CMMC Domains

The CMMC model spans 14 domains that align with the security requirement families in NIST SP 800-171 Rev 2: Access Control (AC), Awareness & Training (AT), Audit & Accountability (AU), Configuration Management (CM), Identification & Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Personnel Security (PS), Physical Protection (PE), Risk Assessment (RA), Security Assessment (CA), System and Communications Protection (SC), and System and Information Integrity (SI).

CMMC Scoring Methodology

CMMC includes a defined scoring methodology for each level. Level 1 has no score; each requirement is simply MET or NOT MET. For Level 2, security requirements are valued at 1, 3, or 5 points, giving a scoring range of –203 to 110, with a minimum passing score of 88. At Level 3, all security requirements are valued at 1 point, for a maximum score of 24, and Level 3 requires a prerequisite Level 2 score of 110.
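As an added illustration (not code from the original post or from the DoD), the following scorer applies the level rules stated above: Level 1 is pass/fail, Level 2 starts at 110 and deducts the 1/3/5-point weight of each NOT MET requirement against the 88-point passing threshold, and Level 3 requires a Level 2 score of 110 before its 24 one-point requirements are counted. The requirement identifiers and weights in the sample data are constructed placeholders rather than real CMMC practice IDs, and the "conditional"/"final" labels are the 32 CFR Part 170 terms for a Level 2 result with and without open POA&M items.

```python
# Added example, not from the original post. Sample IDs and weights are constructed.
from datetime import date, timedelta

LEVEL2_MAX = 110          # all 110 NIST SP 800-171 Rev 2 requirements MET
LEVEL2_MIN = -203         # floor of the Level 2 scoring range
LEVEL2_PASS = 88          # minimum passing score
LEVEL3_MAX = 24           # 24 NIST SP 800-172 requirements, 1 point each
POAM_CLOSURE_DAYS = 180   # open POA&M items must be closed within 180 days
ALLOWED_WEIGHTS = {1, 3, 5}


def level1_result(statuses):
    """Level 1 is unscored: MET only if every requirement is MET."""
    return "MET" if statuses and all(s == "MET" for s in statuses.values()) else "NOT MET"


def level2_score(not_met):
    """Start at 110 and deduct the weight of each NOT MET requirement.

    `not_met` maps requirement id -> weight (1, 3 or 5) for NOT MET requirements
    only; every requirement not listed is treated as MET.
    """
    for req_id, weight in not_met.items():
        if weight not in ALLOWED_WEIGHTS:
            raise ValueError(f"{req_id}: weight {weight} is not 1, 3 or 5")
    score = LEVEL2_MAX - sum(not_met.values())
    if score < LEVEL2_MIN:
        raise ValueError("deductions exceed the Level 2 scoring range")
    return score


def level2_status(score, assessment_date):
    """Classify a Level 2 score; a conditional result carries its POA&M deadline.
    Restrictions on which requirements may sit on a POA&M are not modelled here."""
    if score == LEVEL2_MAX:
        return "final", None
    if score >= LEVEL2_PASS:
        return "conditional", assessment_date + timedelta(days=POAM_CLOSURE_DAYS)
    return "not achieved", None


def level3_score(l2_score, not_met_l3):
    """Level 3 needs a Level 2 score of 110, then 1 point per MET 800-172 requirement."""
    if l2_score != LEVEL2_MAX:
        raise ValueError("Level 3 requires a prerequisite Level 2 score of 110")
    return LEVEL3_MAX - len(not_met_l3)


# Constructed sample: four NOT MET requirements found in an assessment on 2025-01-15.
SAMPLE_NOT_MET = {"AC-sample-1": 5, "AU-sample-2": 3, "CM-sample-3": 1, "IA-sample-4": 1}
SAMPLE_DATE = date(2025, 1, 15)

if __name__ == "__main__":
    s = level2_score(SAMPLE_NOT_MET)
    print(s, level2_status(s, SAMPLE_DATE))  # 100 ('conditional', datetime.date(2025, 7, 14))
```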

Security Benefits of CMMC 2.0 Implementation

Implementing CMMC offers significant security benefits for organizations. The framework provides a comprehensive protection approach to safeguarding sensitive information by addressing controls across multiple cybersecurity domains. It establishes standardized security baselines that apply across the DIB, creating a uniform level of protection for DoD information. CMMC enhances supply chain security by requiring certification at all tiers of the supply chain, helping mitigate vulnerabilities that could be exploited through third-party relationships. The model’s tiered approach allows for security controls appropriate to the sensitivity of information handled, avoiding unnecessary overhead for contractors that don’t process CUI. Annual affirmations and periodic assessments ensure continuous monitoring and ongoing compliance rather than point-in-time evaluations.

DoD Contractor and Subcontractor Risks of Noncompliance

Organizations that fail to achieve appropriate CMMC certification face several significant risks. From a contractual and business perspective, without the required CMMC level, contractors cannot be awarded DoD contracts that specify CMMC requirements. Prime contractors must ensure subcontractors meet CMMC requirements, potentially losing key suppliers if they can’t comply. As CMMC becomes fully implemented, non-certified contractors will be excluded from a significant portion of DoD procurement opportunities. Regarding regulatory and legal risks, noncompliance with CMMC requirements in existing contracts could result in contract termination or other remedies. Failed assessments could lead to formal security findings that require remediation. Failure to close Plans of Action and Milestones (POA&Ms) within the required 180 days results in expired CMMC status. In terms of data security risks, organizations without adequate cybersecurity controls are more susceptible to breaches affecting FCI and CUI, and weak security practices in the supply chain can create entry points for threat actors targeting DoD information.

Requirements for CMMC Implementation

Organizations seeking CMMC certification must prepare by determining which CMMC level applies based on the type of information processed (FCI or CUI), identifying systems and components that process, store, or transmit FCI or CUI, developing required documentation such as System Security Plans (SSPs) and POA&Ms, and preparing for third-party assessment by a C3PAO or DIBCAC for Level 2 or 3.

Technical Requirements

Technical implementation varies by CMMC level, but common requirements include implementing proper access management for users, systems, and external connections, applying appropriate safeguards for data at rest and in transit, establishing system auditing, threat detection, and incident response capabilities, maintaining secure baseline configurations and controlling changes, and conducting regular testing and evaluation of security controls.

Best Practices for Implementing and Maintaining CMMC 2.0 Compliance

Implementing and maintaining CMMC 2.0 compliance requires a strategic approach and ongoing commitment. One of the most critical best practices is to start the certification process as early as possible. With the publication of 32 CFR and 48 CFR, if your organization has not started the CMMC compliance journey, the time is now. Given the comprehensive nature of the CMMC requirements, achieving compliance can be a time-consuming process. Starting early ensures that organizations have adequate time to implement the necessary changes and address any challenges that arise.

We recommend embracing the following best practices to ensure both a smooth implementation of processes and procedures required for CMMC certification as well as maintaining CMMC compliance once your organization achieves CMMC certification, regardless of which CMMC maturity level you’re seeking.

1. Engage Leadership in the CMMC Compliance Process

Engaging leadership is crucial for successful CMMC implementation. Securing buy-in from top management ensures that adequate resources are allocated to the certification process and that cybersecurity becomes a priority across the organization. Leadership support also helps in fostering a culture of security throughout the company.

2. Continually Assess Your Cybersecurity Readiness and CMMC Compliance

Regular self-assessments are essential for maintaining CMMC compliance. Organizations should continuously evaluate their cybersecurity posture against CMMC requirements, even after achieving certification. These assessments help identify areas for improvement and ensure that security practices remain effective in the face of evolving threats.

3. Train Employees on Cybersecurity Best Practices

Implementing a robust training program is another key best practice. All employees should be educated on cybersecurity best practices and CMMC requirements relevant to their roles. This training should be ongoing and updated regularly to address new threats and changes in the CMMC program.

4. Document Your CMMC Compliance Efforts

Thorough documentation is critical for CMMC compliance. Organizations should maintain detailed records of security practices, policies, and procedures. This documentation not only supports the certification process but also helps in maintaining consistency in security practices across the organization.

5. Stay Informed of Changes to CMMC Framework

Staying informed about CMMC program changes and updates is essential for maintaining compliance. The cybersecurity landscape is constantly evolving, and the CMMC program may be updated to address new threats or requirements. Organizations should designate individuals responsible for monitoring these changes and adapting security practices accordingly.

6. Leverage Existing Cybersecurity Frameworks

Leveraging existing cybersecurity frameworks can streamline the CMMC implementation process. Many organizations may already have implemented measures to comply with other standards such as NIST SP 800-171. Aligning CMMC efforts with these existing frameworks can help reduce duplication of effort and ensure a more comprehensive approach to cybersecurity.

7. Engage Cybersecurity Experts

Engaging cybersecurity experts can provide valuable guidance throughout the CMMC implementation process. This may involve working with CMMC consultants or Certified Third-Party Assessment Organizations (C3PAOs), who can offer insights into best practices and help navigate the complexities of the certification process.

8. Monitor Traffic and Systems to Ensure CMMC Compliance Is Maintained

Implementing continuous monitoring tools and processes is crucial for maintaining CMMC compliance. These tools can help organizations track their security posture in real time, identify potential vulnerabilities, and respond quickly to security incidents.

9. Cultivate a Security Culture

Fostering a culture of security is perhaps the most important best practice for CMMC compliance. This involves encouraging all employees to prioritize cybersecurity in their daily activities, promoting open communication about security issues, and recognizing and rewarding good security practices.

CMMC 2.0 Is Here

The Cybersecurity Maturity Model Certification program represents a significant shift in how the Department of Defense ensures the protection of sensitive unclassified information within its supply chain. With the publication of 48 CFR as a final rule, the CMMC program now has a clear regulatory foundation through DFARS clause 252.204-7021, supported by the program structure outlined in 32 CFR Part 170. The three-level framework provides a scalable approach to security, with requirements tailored to the sensitivity of information being handled. Organizations must achieve appropriate certification levels through either self-assessment or third-party assessment, depending on their CMMC level. Implementation will occur over four phases, with full implementation required 36 months after the rule’s effective date. To prepare, organizations should conduct gap assessments, develop comprehensive security documentation, implement risk-based remediation, establish supply chain verification processes, and maintain continuous compliance practices. By following the best practices outlined in this guide, defense contractors can effectively navigate the CMMC requirements, maintain their eligibility for DoD contracts, and contribute to the enhanced security posture of the Defense Industrial Base.

Get started.

It’s easy to start ensuring regulatory compliance and effectively managing risk with Kiteworks. Join the thousands of organizations who are confident in how they exchange private data between people, machines, and systems. Get started today.