As a DoD contractor, you already know that the evolution of CMMC compliance has been filled with twists and turns, from 1.0 to 2.0. Now, the long-awaited final rule is here and reflects the DoD’s effort to balance strict cybersecurity requirements with the practical needs of its contractors, whether you are a large firm, a medium-sized business, or a small mom-and-pop shop.
The final rule, published in the Federal Register on October 15, 2024, went into effect on December 16, 2024, and codifies the requirements from CMMC 2.0, while addressing the feedback from DoD contractors. It still maintains the simplified three-tiered structure that establishes clear processes for certification and enforcement. It also lays out a phased implementation roadmap to help contractors adapt without disrupting supply chain operations.
The final CMMC rule is broad, running to more than 470 pages of guidance and regulations. Reading the entire rule is a heavy but necessary burden; in the meantime, here are some key takeaways that contractors should know about the final rule.
Program Structure
The final rule keeps the three levels of certification that were simplified in CMMC 2.0:
Level 1, the “basic cybersecurity” level, requires that contractors processing, storing or transmitting federal contract information (“FCI”) comply with the 15 cybersecurity standards in the Federal Acquisition Regulation’s (“FAR’s”) existing “Basic Safeguarding of Covered Contractor Information Systems” clause. Contractors with Level 1 requirements also must submit, through an Affirming Official, an annual affirmation of their CMMC compliance.
Level 2 applies to contractors handling controlled unclassified information (“CUI”), and requires contractors to implement the 110 security controls under revision 2 of NIST SP 800-171. (In May 2024, NIST finalized a new version of SP 800-171, but the new version will be incorporated in future amendments to the rule.) While some contractors at Level 2 may self-attest their CMMC compliance, most will be required to have independent third parties (“CMMC Third-Party Assessment Organizations” or “C3PAOs”) assess their compliance. These third-party assessments are valid for three years, although contractors with Level 2 self-assessment or third-party certification requirements must still file an annual affirmation of compliance.
Level 3 applies to contractors that handle CUI associated with “a critical program or high value asset.” Those companies must be Level 2 certified and must meet 24 additional security requirements from NIST SP 800-172 in addition to the SP 800-171 requirements. Assessments of Level 3 compliance will be conducted by the DoD’s Internal Defense Industrial Base Cybersecurity Assessment Center, or DIBCAC. As with Levels 1 and 2, contractors with Level 3 requirements also must submit an annual affirmation of compliance.
Eligibility Impacts
Certification is now a condition of award, meaning contractors must achieve compliance before securing a contract rather than during the bidding process. A notable update in the final rule is the introduction of conditional certification. Contractors who score at least 80% on their initial assessment can receive temporary certification but must address deficiencies within 180 days. Failure to do so may result in fines or contract termination. Additionally, a senior organizational official must affirm compliance, certifying that the organization continues to meet applicable requirements. This affirmation increases accountability, exposing individuals to personal liability and organizations to potential False Claims Act violations.
Timeline for Implementation
The CMMC final rule went into effect on December 16, 2024, but the full implementation is expected to begin sometime in mid-2025. Here’s the proposed timeline.
- Phase 1 (by March/April 2025): Level 1 and 2 self-assessments required.
- Phase 2 (by March 2026): C3PAO certification required for new contracts.
- Phases 3 and 4 (by March 2027 and 2028): CMMC requirements applied to option periods of existing contracts.
Keep in mind that the DoD may insert CMMC requirements earlier for critical contracts if needed.
Self-Assessment Artifact Retention
Organizations conducting self-assessments must retain artifacts as evidence for six years from the CMMC Status Date. This applies to both Level 1 and Level 2 self-assessments, ensuring they meet the same rigor as third-party assessments. Evidence must cover all assessment objectives (AOs) for every practice at the specified level. This new requirement emphasizes the need for robust documentation and long-term retention, which could surprise many organizations.
CMMC Certification for MSPs
While many Managed Service Providers (MSPs) may not require Level 2 certification as previously anticipated, they remain within the scope of their clients’ assessments (the clients being the Organizations Seeking Certification, or OSCs). The rules around External Service Providers (ESPs) and Security Protection Data (SPD) are complex and evolving, with more details to follow in future updates.
VDI Endpoints
Virtual Desktop Infrastructure (VDI) endpoints configured to disallow processing, storage, or transmission of FCI/CUI beyond basic keyboard, video, and mouse interactions are considered out of scope. Such endpoints require no additional documentation. This is excellent news for organizations leveraging VDI to minimize their compliance scope. However, if an endpoint can save CUI locally (e.g., for printing), it becomes a CUI Asset and is part of the scope.
Run, Don’t Walk to Compliance
The final rule leaves no room for complacency. Cyber threats targeting sensitive government information are persistent and increasingly sophisticated. Non-compliance isn’t just a procedural misstep; it’s a vulnerability in national security. Beyond safeguarding your place in the competitive DoD ecosystem, adhering to CMMC reinforces trust with the government and primes your organization for broader cybersecurity excellence.
Contractors who act swiftly can leverage the phased timeline to spread out costs and avoid last-minute rushes. Ignoring these updates will undoubtedly lead to heightened risks—from disqualification in procurement processes to devastating data breaches.
How Can CKSS Help?
The CMMC process is complicated. That’s why you shouldn’t go it alone. CKSS specializes in supporting DoD contractors through their cybersecurity compliance journeys. With a robust suite of CMMC lifecycle offerings, we ensure you are audit-ready while minimizing disruptions to your operations. Here’s how:
- Gap Analysis: We’ll conduct a thorough assessment of your current cybersecurity posture to identify deficiencies against CMMC requirements.
- Remediation Planning: Our tailored strategies ensure that your organization’s systems, policies, and processes align with the appropriate CMMC level.
- Continuous Monitoring: Our lifecycle approach includes ongoing support and updates, keeping your systems secure and compliant over time.
- Documentation: Assistance with documented guidelines, operational steps, policies, and a comprehensive system security plan.
- Ongoing Assessment: Partnering with select C3PAOs to provide third-party assessments.
Partner with CKSS to navigate the complexities of CMMC compliance confidently. Our expertise reduces the stress of audits and enables you to focus on your core mission: delivering excellence to the Department of Defense.
The first step is scheduling a No-Obligation Consultation to assess your current systems and evaluate your existing Third-Party Action Plan. Our team is here to provide you with the answers you need.
Contacting CKSS
You probably have questions, and our team is here to provide you with the answers you need.
Call us anytime at 443.464.1589 or contact our team online today.