Have Defense Contracts? Breaking Down the CMMC Rule for You

October 29, 2024
Michael Greenman
Sr. Product Marketing Manager

In an era where cybersecurity threats are increasingly sophisticated, the Department of Defense (DoD) is taking decisive action to protect critical data through the Cybersecurity Maturity Model Certification (CMMC) – a framework designed to enhance the overall security of sensitive information. The purpose of CMMC is to verify that defense contractors comply with existing protections for federal contract information (FCI) and controlled unclassified information (CUI), ensuring that this information is protected at a level commensurate with the risk from cybersecurity threats, including advanced persistent threats. The publication of the CMMC Program’s final rule marks a significant step toward enforcing cybersecurity standards for defense contractors.

With CMMC requirements expected to start appearing in contracts around mid-2025, contractors have a clear timeline to prepare for the new regulations. The three-year phased approach is intended to prevent a last-minute rush to comply and gives organizations time to align their cybersecurity practices with the new standards. Many defense contractors will need that time, because many DoD contracts are expected to require a CMMC Level 2 certification. A Level 2 certification requires an official, independent third-party assessment before a contract can be awarded, which is a substantial change from the current practice of self-attestation of cybersecurity compliance and comes at a substantial cost.

As the implementation of CMMC rolls out, defense contractors will need to assess their current cybersecurity posture and develop compliance strategies to avoid potential issues when seeking their CMMC certifications and bidding on federal contracts.

Below, you will find some key statistics and industry terms about the CMMC program, which will help familiarize you with this monumental change in how government contracts for the Department of Defense will be awarded going forward.

CMMC By the Numbers

How Can You Prepare?

With the CMMC Program Rule now finalized, defense contractors should focus on preparing for their CMMC certification assessments. Although CMMC requirements will not appear in contracts until the companion 48 CFR (DFARS) acquisition rule takes effect, contractors should prioritize CMMC compliance now, because preparing for and completing an assessment can be time-consuming.

The significance of the publication of the CMMC Program Rule is that CMMC Third-Party Assessment Organizations (C3PAOs) will soon be able to conduct official CMMC certification assessments, which gives contractors that are ready to be assessed the advantage of completing the certification process before any enforcement requirement takes effect.

Once CMMC requirements are incorporated into solicitations, contractors who do not meet the necessary CMMC compliance requirements will be ineligible for contract awards, option periods or extensions. While program managers may request waivers for CMMC requirements in certain cases, such waivers are anticipated to be uncommon.

The rollout of CMMC requirements in DoD contracts will occur in four phases over three-plus years, starting from the effective date of the contractual requirement (48 CFR) rule, which is expected in mid-2025.

Expected CMMC Phased Rollout

  • Phase 1: Starts when the contractual requirement rule takes effect; lasts 12 months and requires only Level 1 or Level 2 self-assessments for new contracts
  • Phase 2: Begins immediately following the end of Phase 1; lasts 12 months and adds the requirement of Level 2 certification assessments for new contracts
  • Phase 3: Begins immediately following the end of Phase 2; lasts 12 months and extends Level 2 certification assessments to contract option periods, along with Level 3 certification assessments for all applicable contracts
  • Phase 4: Begins immediately following the end of Phase 3; requires the applicable CMMC level for all DoD contracts, including option periods

Since the DoD will specify in each solicitation which CMMC Level is required, defense contractors and subcontractors should review their active defense contracts now to determine whether they currently possess, store, or handle CUI or FCI. This is a good indicator of the CMMC Level they should aim for: contracts that involve only FCI generally map to Level 1, while contracts that involve CUI generally map to Level 2 (or Level 3 for the most sensitive programs). Subcontractors are subject to the same requirement for any FCI or CUI that flows down to them.

Deltek’s Role in Supporting CMMC Requirements

Navigating the intricacies of CMMC compliance can be overwhelming; it is neither a quick nor an inexpensive process. With the right support, the process can be smoother and more effective. As an industry leader, Deltek stands ready to be your trusted partner, offering comprehensive solutions and expert guidance to help you meet CMMC requirements.