What's Happening?
The Department of Defense (DoD) has issued a final rule amending the Defense Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program. This program is designed
to enhance cybersecurity measures for contractors and subcontractors handling controlled unclassified information (CUI). Starting November 2026, these entities may be required to certify at the highest CMMC Level 3, which involves stringent security controls against advanced persistent threats. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will conduct Level 3 assessments, requiring a minimum assessment score of 80% and annual compliance affirmations. The phased implementation will begin with Level 1 and Level 2 self-assessments, progressing to Level 3 certifications in subsequent years.
Why It's Important?
The implementation of the CMMC program is crucial for safeguarding sensitive government information from cyber threats. By requiring contractors to meet rigorous cybersecurity standards, the DoD aims to protect national security interests and ensure the integrity of defense-related data. This move is particularly significant for small businesses, which constitute a large portion of the Defense Industrial Base and may face challenges in meeting these requirements. The program's emphasis on advanced threat protection highlights the growing importance of cybersecurity in government contracts, potentially influencing industry standards and practices.
What's Next?
As the CMMC program rolls out, contractors and subcontractors will need to prepare for the upcoming certification requirements. This includes closing out any Plans of Action and Milestones (POAMs) and achieving the necessary assessment scores. The DoD will have discretion to require Level 3 certifications for certain programs starting in Phase 2. Companies must also retain records of assessment artifacts for six years and provide annual compliance affirmations. The financial implications of certification, particularly for small businesses, will be a key consideration as the program progresses.