CMMC Compliance Program Rule to Impact Customers with Federal Flow Down Data Requirements
The Department of Defense (DoD) has officially finalized the Cybersecurity Maturity Model Certification (CMMC) Program rule, aiming to enhance the protection of sensitive information, such as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Starting in 2025, CMMC compliance requirements will begin appearing in DoD contract solicitations, impacting contractors and subcontractors across the Defense Industrial Base (DIB), as well as other sectors including, but not limited to, Higher Education Research Institutes, Manufacturing, Aerospace and Defense, and Law Firms.
Key Highlights of the CMMC Final Rule
The finalized rule establishes a robust verification framework to ensure defense contractors implement and maintain the necessary security measures to protect FCI and CUI. The program introduces specific CMMC levels that organizations must achieve and sustain throughout the contract period to remain compliant.
This new CMMC rule signifies:
- Heightened accountability: Contractors must demonstrate adherence to required security measures.
- Alignment with NIST 800-171: Organizations will need to align their security programs with established cybersecurity standards.
- Proactive preparation: Compliance readiness will be key as CMMC compliance requirements start appearing in solicitations in 2025.
CMMC Levels and Assessment Requirements
CMMC Status | Source & Number of Security Reqs. | Assessment Reqs. | Plan of Action & Milestones (POA&M) Reqs. | Affirmation Reqs. |
---|---|---|---|---|
Level 1 (Self) | 15 required by FAR clause 52.204–21. | Conducted by Organization Seeking Assessment (OSA) annually. Results entered into SPRS (or its successor capability). | Not permitted. | After each assessment. Entered into SPRS. |
Level 2 (Self) | 110 NIST SP 800–171 R2 required by DFARS clause 252.204–7012. | Conducted by OSA every 3 years. Results entered into SPRS (or its successor capability). CMMC Status valid for 3 years from CMMC Status Date. | Permitted as defined in § 170.21(a)(2) and must be closed out within 180 days. Final CMMC Status valid for 3 years. | After each assessment and annually thereafter. Assessment lapses if not affirmed. Entered into SPRS. |
Level 2 (C3PAO) | 110 NIST SP 800–171 R2 required by DFARS clause 252.204–7012. | Conducted by C3PAO every 3 years. Results entered into CMMC eMASS (or successor capability). CMMC Status valid for 3 years from Status Date. | Permitted as defined in § 170.21(a)(2) and must be closed out within 180 days. Final CMMC Status valid for 3 years. | After each assessment and annually thereafter. Assessment lapses if not affirmed. Entered into CMMC eMASS. |
Level 3 (DIBCAC) | 110 NIST SP 800–171 R2 required by DFARS clause 252.204–7012. 24 selected from NIST SP 800–172 Feb2021. | Pre-requisite Level 2 (C3PAO) Status required. Conducted by Defense Contract Management Agency (DCMA) DIBCAC every 3 years. Results entered into eMASS. | Permitted as defined in § 170.21(a)(3) and must be closed out within 180 days. Final CMMC Status valid for 3 years. | After each assessment and annually thereafter. Level 2 (C3PAO) affirmation continues. Entered into eMASS. |
Source: Federal Register
What This Means for You
Understanding how the new CMMC rule applies to your organization’s contracts and operations is critical. Planet Technologies’ compliance and cybersecurity experts are ready to help you:
- Assess your current CMMC compliance status.
- Develop a clear, actionable plan to meet CMMC requirements.
- Stay ahead of evolving cybersecurity standards and deadlines.
CMMC Compliance: Get Prepared Today
Don’t wait to get started. Demonstrating a commitment to protecting the DoD’s sensitive information, and gaining a competitive edge in the defense market or other impacted sectors, will require time, effort, and resources. Reach out to Planet Technologies to ensure your organization is ready for the upcoming changes.
Schedule a Meeting: Email us at [email protected] to learn how the finalized CMMC rule will impact your organization and how we can help you stay compliant.