
GovCon Expert Payam Pourkhomami: Key Changes in CMMC Program Final Rule

By Payam Pourkhomami, President & CEO of OSIbeyond

The Department of Defense released its long-awaited Cybersecurity Maturity Model Certification program final rule (32 CFR Part 170) on October 11.

Announced in 2019 by the Pentagon as a response to growing cybersecurity threats targeting sensitive defense information, the CMMC program aims to establish a comprehensive framework to verify that defense contractors and subcontractors across the entire supply chain have implemented appropriate security controls for federal contract information, or FCI, and controlled unclassified information, or CUI.

With the final rule set to take effect on December 16, defense contractors are now facing an important timeline to understand and adapt to the changes introduced in this final version, which affect everything from implementation timelines and assessment requirements to the scope of managed service provider obligations.

Four-Phase Implementation

The actual rollout of CMMC requirements is divided into four phases and tied to the publication of the complementary 48 CFR Part 204 CMMC Acquisition rule, which will amend the Defense Federal Acquisition Regulation Supplement and establish how CMMC requirements will be contractually implemented through DOD solicitations and contracts.

The department estimates that full implementation across all defense contractors will take approximately seven years, given the volume of DOD solicitations and contract awards processed annually. That said, contractors don’t need to wait for the phased rollout to begin. They can voluntarily seek certification as soon as the 32 CFR Rule becomes effective.

Phase 1: Initial Self-Assessment Requirements

Phase 1 begins when the 48 CFR rule takes effect. This phase introduces CMMC Level 1 and Level 2 self-assessment requirements as a condition of contract award for all applicable contracts. During this phase, contractors handling FCI or CUI must demonstrate compliance through self-assessment.

Reflecting industry feedback about implementation challenges, the final rule extends Phase 1 by six months compared to the draft version.

Phase 2: Third-Party Assessment Introduction

Phase 2 starts one calendar year after Phase 1. During this phase, contractors handling CUI will need to obtain CMMC Level 2 certification from a certified third-party assessment organization, or C3PAO, as a condition of award for applicable contracts.

During this phase, the DOD maintains flexibility in how it implements these requirements. While C3PAO certification may be required at the time of initial contract award, the DOD can choose to allow some contractors to delay obtaining their certification until they reach their contract renewal or extension period to give them additional time to prepare when needed. Note that these exemptions are per-contract rather than per contractor. This means a subcontractor on a prime contract requiring certification will be unable to delay their assessment.

Phase 3: Expanded Assessment Requirements

The third phase makes third-party assessments more comprehensive by requiring Level 2 C3PAO certification not just for new contracts but also when contractors want to continue work under existing contracts through renewals or extensions. It starts one calendar year after Phase 2.

Phase 4: Full Implementation

The final phase commences one year after Phase 3 and represents full CMMC implementation. At this stage, the DOD will include CMMC requirements in all applicable solicitations and contracts, including option periods on contracts awarded prior to Phase 4.

Contractors handling only FCI will need to meet Level 1 requirements through self-assessment, while those managing CUI will be required to achieve either Level 2 or Level 3 certification through third-party assessment, depending on the sensitivity of the information they handle.

Assessment Scoring and POA&M

The final rule provides clarifications around assessment scoring and plans of action and milestones, or POA&Ms.

For CMMC Level 2, contractors can achieve certification in one of two ways. They can either meet all security requirements outright or obtain a conditional CMMC status by achieving a minimum score of 80 percent of the required controls, effectively implementing at least 88 out of the 110 required security controls while including the remaining 22 in their POA&M.

However, there are important restrictions on which requirements can be included in the POA&M: they must be requirements that have a value of 1 point, and the controls specified in § 170.21(a)(2)(iii) can’t be deferred even though they are 1-point items. Examples of these non-deferrable requirements include those related to:

  • Controlling external connections for CUI data
  • Managing public information containing CUI
  • Escorting visitors in areas where CUI is present
  • Maintaining physical access logs for CUI areas
  • Managing physical access to CUI

The DOD has maintained a firm stance on POA&M timelines despite industry pushback during the comment period. Organizations must remediate all “NOT MET” requirements and complete a POA&M closeout assessment within 180 days of their initial assessment results being submitted to the Supplier Performance Risk System—a.k.a. SPRS—or enterprise Mission Assurance Support Service, a.k.a. eMASS. Additionally, they must submit affirmations at the time of each assessment, including closeouts, and annually thereafter.

For contractors seeking Level 1 certification, the DOD doesn’t permit any POA&Ms at all. Instead, they must fully implement all required controls from the start and submit their assessment results to SPRS in the same way as Level 2 contractors.
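As an added illustration, not code from the article or from OSIbeyond, the Python checker below encodes the conditional-status rules just described: at least 88 of the 110 Level 2 requirements met, every deferred item worth 1 point, none from the § 170.21(a)(2)(iii) set, a 180-day closeout deadline, and no POA&M at all for Level 1. The control identifiers, point values and submission date are constructed placeholders.

```python
from datetime import date, timedelta

# Constructed sample values, not from the rule text: identifiers are placeholders
# and the non-deferrable set mirrors the five requirement areas the article
# lists for § 170.21(a)(2)(iii).
NON_DEFERRABLE = {"external-connections", "public-information", "escort-visitors",
                  "physical-access-logs", "manage-physical-access"}
TOTAL_LEVEL2 = 110
CONDITIONAL_MIN = 88            # 80 percent of the 110 Level 2 requirements
POAM_CLOSEOUT_DAYS = 180        # closeout assessment due within 180 days
SAMPLE_SUBMITTED = date(2025, 1, 15)   # constructed SPRS/eMASS submission date


def build_sample(unmet):
    """Constructed 110-control Level 2 set: placeholder ids req-001..req-105
    plus the five named non-deferrable items. `unmet` maps id -> point value
    for the requirements scored NOT MET; everything else counts as met."""
    ids = [f"req-{i:03d}" for i in range(1, 106)] + sorted(NON_DEFERRABLE)
    return [(cid, unmet.get(cid, 1), cid not in unmet) for cid in ids]


def evaluate(level, controls, submitted):
    """controls: list of (control_id, point_value, met).
    Returns (status, closeout_deadline or None, list of blocking reasons)."""
    unmet = [(cid, pts) for cid, pts, met in controls if not met]
    if not unmet:
        return "final", None, []
    if level == 1:
        # Level 1 allows no POA&M at all: every requirement must be met up front.
        return "not_eligible", None, ["Level 1 permits no POA&M items"]
    reasons = []
    implemented = len(controls) - len(unmet)
    if implemented < CONDITIONAL_MIN:
        reasons.append(f"{implemented} of {TOTAL_LEVEL2} met; conditional status needs {CONDITIONAL_MIN}")
    for cid, pts in unmet:
        if pts != 1:
            reasons.append(f"{cid}: {pts}-point requirements cannot be placed on a POA&M")
        elif cid in NON_DEFERRABLE:
            reasons.append(f"{cid}: listed in § 170.21(a)(2)(iii), cannot be deferred")
    if reasons:
        return "not_eligible", None, reasons
    # Conditional status: remaining items go on the POA&M with a 180-day closeout.
    return "conditional", submitted + timedelta(days=POAM_CLOSEOUT_DAYS), []


if __name__ == "__main__":
    sample = build_sample({"req-001": 1, "escort-visitors": 1})
    print(evaluate(2, sample, SAMPLE_SUBMITTED))
```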

Additionally, the final rule introduces the concept of “enduring exceptions” to address situations where full compliance with certain CMMC security requirements is not feasible due to special circumstances or system limitations. These exceptions apply to systems such as:

  • Those required to replicate the configuration of “fielded” systems
  • Medical devices
  • Test equipment
  • Operational technology
  • Internet of Things devices
  • Government furnished equipment, or GFE
  • Other specialized assets

Unlike POA&Ms, enduring exceptions don’t require an operational plan of action. However, they must be documented within the organization’s system security plan.

CMMC Level 2 Assessments

Under the CMMC framework, defense contractors handling CUI may need either a self-assessment or third-party certification to achieve Level 2 compliance. This two-track approach allows the DOD to match assessment rigor to risk levels while balancing security needs with industry resources.

The DOD’s final rule establishes clear criteria for determining which path applies, including:

  • The criticality of the associated mission capability
  • The type of acquisition program or technology involved
  • The potential impact if the CUI were to be compromised
  • The consequences of exploiting information security deficiencies
  • Specific DOD leadership requirements

As mentioned earlier, most contractors handling CUI will be able to demonstrate compliance through self-assessment during Phase 1. However, starting in Phase 2, the DOD will increasingly require C3PAO certification for contracts involving more sensitive CUI or critical programs.

It’s important to note that a Level 2 C3PAO certification automatically satisfies any contract requirements for Level 2 self-assessment within the same assessment scope, but the reverse is not true. That means a Level 2 self-assessment can’t be used to fulfill requirements for contracts that specifically require C3PAO certification. Both assessment types remain valid for three years, though contractors must submit annual affirmations to maintain their status.

To maintain independence and prevent conflicts of interest, the final rule explicitly prohibits any CMMC Ecosystem members from participating in a Level 2 certification assessment if they have served as consultants to prepare the organization for CMMC assessment within the previous three years. The assessment team must include a lead certified CMMC assessor—or CCA—a regular CCA, and a third CCA serving in a quality assurance capacity.

External Service Provider Requirements

One of the most significant changes in the final rule affects external service providers, or ESPs, including managed service providers, known as MSPs, and managed security service providers, dubbed MSSPs.

Simplified Assessment Requirements for ESPs

In a major departure from earlier versions, the final rule eliminates the requirement for CMMC assessment or certification of ESPs that do not process, store, or transmit CUI. Instead, these services will be evaluated as part of their defense contractor clients’ assessment scope. This change significantly reduces the compliance burden for many MSPs and other service providers who support defense contractors without directly handling controlled information.

Nonetheless, ESPs that don’t handle CUI can still pursue CMMC certification as a source of competitive advantage since certified ESPs may be able to help reduce assessment complexity and costs for their clients.

Documentation and Responsibility Requirements

The final rule introduces new documentation requirements for ESP relationships. Defense contractors must:

  1. Document the ESP relationship and services in their system security plan.
  2. Maintain documentation from the ESP that includes a service description detailing provided services, and a customer responsibility matrix, or CRM, clearly delineating security control responsibilities between the ESP and the contractor.

These requirements apply to all ESP relationships where the ESP processes, transmits or stores CUI or security-related data on its own systems.

Additional Clarifications for Different ESP Service Scenarios

The requirements associated with several common ESP service scenarios have been clarified in the final rule:

  • Staff augmentation: ESPs providing only on-site staff augmentation, where the contractor supplies all processes, technology and facilities, do not require CMMC assessment.
  • Virtual desktop infrastructure: The rule introduces a specific provision for VDI solutions. When an ESP’s VDI solution is configured to prevent storage, processing, or transmission of CUI beyond basic keyboard, video and mouse inputs, the endpoint devices are considered out of scope for assessment.
  • Cloud service management: An ESP can manage third-party cloud services on behalf of a contractor without being classified as a cloud service provider, or CSP, itself. This distinction helps clarify assessment requirements for MSPs that help clients leverage cloud solutions.
  • Remote access: When using contractor-provided equipment, the contractor’s policies and procedures apply. When using ESP equipment with VPN, the equipment falls within the contractor’s assessment scope and must meet the requirements for external access and network connections.

Changes to Asset Classification

Some of the most impactful modifications introduced by the final rule lie in the nuanced ways the DOD now defines and treats different types of IT assets within contractor environments.

Security Protection Assets

The DOD has substantially revised the definition and assessment requirements for security protection assets, or SPAs, in response to industry concerns about overly broad requirements. Specifically, the final rule removes the phrase “irrespective of whether or not these assets process, store, or transmit CUI” from the SPA description.

Instead of requiring comprehensive assessment against all 110 CMMC Level 2 controls or obtaining FedRAMP authorization, security tools will now be evaluated based on their specific security functions. For example:

  • Antivirus software will be assessed on its ability to detect and prevent malware.
  • Firewalls will be evaluated on their effectiveness in controlling network traffic.
  • Security monitoring tools will be checked for their capability to detect and log security events.

This represents a significant reduction in compliance burden compared to the draft rule and serves as an additional confirmation that MSPs and MSSPs are not subject to assessment or certification requirements when they only store security-related data or provide security functions without handling CUI.

Virtual Desktop Infrastructure

The final rule provides welcome clarity on how virtual desktop infrastructure solutions fit into the assessment scope. Specifically, endpoints hosting VDI clients are considered out of scope when they are configured to prevent:

  • Processing of FCI/CUI
  • Storage of FCI/CUI
  • Transmission of FCI/CUI beyond basic keyboard, video and mouse inputs

Contractors can leverage this information to isolate CUI handling to specific environments while keeping end-user devices out of scope.

Contractor Risk Managed Assets

In the final rule, the DOD emphasizes that the contractor risk managed asset, or CRMA, designation “is not intended to reduce the level of protection and the CMMC security requirements which apply to the assets.” A new note in the scoping guide explicitly states that CRMA assets must “prepare to be assessed against CMMC Level 2 security requirements.”

Considering that the CRMA category was originally created to reduce the assessment burden based on the DOD’s risk tolerance, this represents a substantial shift from the draft rule’s treatment of CRMAs. In practice, CRMAs are now much closer to CUI assets in terms of compliance requirements and assessment scrutiny. In fact, at CMMC Level 3, CRMAs are treated identically to CUI assets and must meet all security requirements without exception.

Conclusion

The CMMC final rule maintains the program’s core objective of protecting sensitive defense information, but the DOD has made meaningful adjustments to address industry concerns and practical implementation challenges. As the defense industrial base prepares for the program’s phased implementation over the coming years, these modifications will help shape how organizations approach their cybersecurity practices and partner relationships in support of the nation’s defense mission.

If you need more information or want to get started with CMMC compliance, download the CMMC Compliance Starter Manual. This guide provides a step-by-step checklist to help you identify and gather the necessary information before beginning the compliance process.
