What's Happening?
The Department of Defense (DoD) has issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program for government contractors. Starting November 2026, contractors and subcontractors handling controlled unclassified information (CUI) will be required to certify at the highest CMMC Level 3 to protect against advanced persistent threats. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will conduct these assessments, which require a final CMMC Level 2 status as a prerequisite. Contractors must implement baseline security controls against NIST SP 800-171 rev. 2 and NIST SP 800-172, achieve a minimum assessment score of 80%, and annually affirm compliance with both Level 2 and Level 3 security controls. The rule establishes a phased implementation approach, with Level 3 certifications expected to be required in solicitations starting in Phase 2, beginning November 2026.
Why Is It Important?
The implementation of CMMC Level 3 is crucial for enhancing cybersecurity measures within the Defense Industrial Base, particularly for contractors handling sensitive information. This move aims to safeguard controlled unclassified information (CUI) from advanced persistent threats, thereby strengthening national security. The requirement for Level 3 certification will impact approximately 1% of the Defense Industrial Base, with a significant portion being small businesses. These businesses will need to invest in cybersecurity infrastructure and compliance measures, potentially affecting their operational costs and contract eligibility. The annual affirmation of compliance ensures ongoing adherence to security standards, promoting a culture of cybersecurity vigilance across the industry.
What's Next?
As the phased implementation progresses, contractors and subcontractors must prepare for the upcoming requirements by achieving Level 2 (C3PAO) final status and closing out any outstanding Plans of Action and Milestones (POAMs). The DoD will have discretion to require Level 3 certifications for certain programs starting November 2026. Companies should begin planning and scheduling third-party assessments to meet these requirements. The ongoing compliance affirmation process will require senior officials to attest to their company's adherence to security controls, ensuring accountability and transparency in cybersecurity practices.
Beyond the Headlines
The introduction of CMMC Level 3 certification highlights the growing importance of cybersecurity in government contracting. It underscores the need for robust security measures to protect sensitive information from sophisticated cyber threats. This development may lead to increased demand for cybersecurity expertise and services, as companies seek to meet the stringent requirements. Additionally, the focus on small businesses within the Defense Industrial Base could drive innovation and investment in cybersecurity solutions tailored to their needs, fostering a more resilient and secure industry landscape.