The DoD unveils the Cybersecurity Maturity Model Certification Program: A primer for defense contractors

Why it matters

The rule lays out requirements and standards designed to enforce protection of sensitive, unclassified information that is shared by DoD with its contractors and subcontractors. For defense contractors that do work with the DoD, CMMC compliance is imperative to understanding the key points of this comprehensive rule, including:

• Streamlined levels for compliance

The CMMC model has been condensed from five levels to three:

Level 1 focuses on basic safeguarding of Federal Contract Information (FCI).

Level 2 requires broader protection measures for Controlled Unclassified Information (CUI).

Level 3 includes additional requirements to protect against Advanced Persistent Threats (APTs).

• Assessment requirements

The rule introduces a structured approach for assessments, which ensure contractors and subcontractors have implemented necessary cybersecurity standards: Self-assessments are allowed for Level 1 and parts of Level 2. Third-Party Assessment Organizations will conduct independent assessments for higher levels.

• Clarification on subcontractor responsibilities

Clear guidelines have been established regarding subcontractors’ roles in achieving CMMC compliance. Prime contractors must ensure that their subcontractors meet relevant cybersecurity requirements based on the sensitivity of information being handled.

• Enhanced oversight and transparency

Increased oversight mechanisms ensure consistency in certification processes conducted by assessors. Measures for greater transparency aim to boost stakeholder confidence in certified entities' integrity.

What they say

Alexander W. Major, Partner, Co-Leader, Government Contracts, McCarter & English, LLP

“While the Final Rule doesn’t include much in terms of surprises when describing the ‘cookie jar’ DoD insists the DIB possesses, it does highlight the challenges that continue to plague DoD in addressing the CUI ‘cookies’ DoD insists be placed in it. The Final Rule is a long-gestating example of DoD attacking the technology while leaving the root cause of cybersecurity incidents—human error—relatively unscathed.”

What we say

The impact of the new rule on the defense industrial base will be significant. While initial compliance efforts may involve increased costs, these investments are crucial in mitigating risks associated with data breaches and intellectual property theft that could otherwise lead to far greater financial losses. By mandating uniform cybersecurity standards across all tiers of contractors and subcontractors, market dynamics within the DIB are expected to shift towards greater trustworthiness and reliability among participants handling sensitive information.

The bottom line

The phased implementation plan along with POA&M flexibility aims at reducing burdens particularly on small businesses while maintaining high-security standards essential for overall defense integrity. By enforcing robust cybersecurity practices uniformly across all involved entities, this rule significantly strengthens supply chain resilience against sophisticated cyber threats targeting both large primes as well as smaller sub-tier suppliers within DIB ecosystems. The finalization of the CMMC Program rule represents a critical milestone in protecting defense infrastructure from evolving cyber threats by establishing consistent cybersecurity practices across a vast supply chain landscape comprising hundreds-of-thousands of enterprises.