Overview
The Department of Defense (DoD) published the final rule on the Cybersecurity Maturity Model Certification (CMMC) Program on October 15, 2024. This final rule establishes the CMMC Program to verify that contractors have implemented the security requirements necessary to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The CMMC Program rule is effective December 16, 2024. A separate rule on Assessing Contractor Implementation of Cybersecurity Requirements, when finalized, will enable DoD to require a specific CMMC level in solicitations or contracts as a condition of contract award.
The CMMC Program is a scalable assessment framework primarily intended to verify contractor and supplier compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems and DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting when a contractor or supplier receives, creates, processes, stores, or transmits FCI or CUI on its information systems. CMMC requirements will apply to contractors and suppliers at all tiers that receive, create, process, store, or transmit FCI or CUI on their information systems for acquisitions greater than the micro-purchase threshold (currently $10,000) and will also apply to the acquisition of commercial items. There is an exception for acquisitions solely for commercially available off-the-shelf items, a term narrower than commercial items. It is important to note that compliance with CMMC will be a condition of contract award.
Basic protection of FCI will require self-assessment at CMMC Level 1. General protection of CUI will require either a self-assessment or a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO) at Level 2. A higher level of protection from advanced persistent threats will be required for some CUI and require an assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) at CMMC Level 3. If GDMS’ contract requires CMMC Level 2 certification assessment by a C3PAO, GDMS’ suppliers receiving, creating, processing, storing, or transmitting CUI will also be required to have a CMMC Level 2 certification assessment by a C3PAO. All CMMC levels require initial and annual affirmations of compliance by the contractor’s or supplier’s senior level representative responsible for ensuring the contractor’s compliance with the CMMC Program requirements.
Notwithstanding CMMC applicability, suppliers who handle FCI or CUI must continue to comply with the following requirements:
DoD anticipates a phased implementation of the CMMC Program beginning in early to mid-2025. To prepare for implementation of the CMMC Program, all USG contractors, including suppliers, must be working towards full compliance with FAR 52.204-21 and DFARS 252.204-7012 security requirements. As an example, if a supplier currently has a Plan of Action and Milestones (POAM) to address CMMC requirements that it has not fully implemented, the supplier should quickly complete and close the open requirements. Under the CMMC Program to be implemented, POAMs will be allowed on a very limited basis and must be closed within 180 days of the assessment. Moreover, suppliers receiving, creating, processing, storing, or transmitting FCI or CUI must have a minimum assessment score of 88. There is no process for contractors to request waivers of the CMMC Program requirements.
As part of the CMMC Program, GDMS will be responsible for confirming that its suppliers have completed the required assessments based on the CMMC level required by the USG and have submitted the initial and annual affirmations by the supplier’s senior level representative including the required reporting in the Supplier Performance Risk System (SPRS). GDMS will require its suppliers to certify at least annually to compliance with the CMMC Program requirements. This is a condition precedent for GDMS to award future purchase orders or subcontracts with CMMC requirements to its suppliers.
Accordingly, GDMS encourages its suppliers to become familiar with the final CMMC Program rule, to monitor the regulatory developments for the proposed CMMC Acquisition rule, and to be prepared to comply with the CMMC requirements. Please refer to DoD's CMMC site or your local Procurement Technical Assistance Centers (PTACs) for additional information.
Cybersecurity Maturity Model Certification (CMMC) Resources: