The CMMC final rule: Everything contractors need to know

Virgil


Jan 02, 2025

If you are a defense contractor or supplier, you have probably been feeling the pressure lately. What began as a phased rollout has been full of twists, delays, shifting timelines, and changing requirements. All of it, though, is just the rumbling before the real storm: enforcement of the CMMC 2.0 final rule.

The message of the final rule is clear. Compliance is not optional; it is a condition of staying in the defense supply chain. Businesses already aligned with the CMMC requirements have a competitive edge, while those lagging behind risk being shut out of future opportunities entirely.

In this guide, we’ll simplify the final CMMC rule, summarize the deadline shifts, outline the timeline for complying, and clarify what it means for your business. 

So, stick with us as we walk through every aspect of the CMMC final rule.

TL;DR

The CMMC 2.0 final rule (32 CFR Part 170, published October 15, 2024 and effective December 16, 2024) codifies the three-level model that replaced the five levels of CMMC 1.0, aligns Level 2 with NIST SP 800-171 and Level 3 with NIST SP 800-172, and streamlines the assessment process for defense contractors and their supply chains.
The rule broadens the scope of compliance: prime contractors and subcontractors at every tier that handle FCI or CUI must meet the level specified in the contract, tightening the security posture across the defense industrial base.
CMMC 2.0 is implemented in four phases, each with its own start date and assessment requirements. The rollout begins when the companion 48 CFR (DFARS) rule takes effect and is projected to reach full implementation in all applicable contracts by the end of 2028, with an emphasis on third-party assessments and continuous compliance monitoring.

What is CMMC’s final rule (in short)? 

The final rule, issued by the Department of Defense (DoD) in October 2024, sets the benchmark for contractors that handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI): they must have the processes and guardrails in place to protect sensitive data across the supply chain. The rule is not limited to manufacturers; it applies to any contractor or subcontractor that processes, stores, or transmits FCI or CUI on behalf of DoD, which pulls in third-party collaborators, vendors, and other businesses playing a role in the supply chain.

For Level 1, the rule uses the 15 basic safeguarding requirements of FAR 52.204-21 (a subset of NIST SP 800-171). For Level 2, it uses the full set of 110 security requirements in NIST SP 800-171. For Level 3, it adds selected requirements from NIST SP 800-172 on top of Level 2.

The final rule trims down from 5 to 3 levels

CMMC is implemented through two rules: 32 CFR Part 170 and 48 CFR (the DFARS). The 32 CFR rule establishes the program and the assessment processes; the 48 CFR rule places the CMMC requirement into DoD solicitations and contracts.

As expected, the 32 CFR rule forms the basis of the CMMC ecosystem. It governs the tiered certification model and details the steps and requirements for achieving compliance, plus the annual affirmations needed to maintain it. The tiers are reduced from five in CMMC 1.0 to three in CMMC 2.0, simplifying the process for organizations.

CMMC levels and requirements

Here’s a quick summary of the requirements of each level to determine your CMMC level.

CMMC Level 1

This level is for businesses that handle only FCI, not CUI. Because that information does not require the highest level of protection, Level 1 consists of the 15 basic safeguarding requirements of FAR 52.204-21, verified by an annual self-assessment and an annual affirmation in SPRS. Businesses that already meet the FAR clause for federal contracts are essentially compliant with Level 1 already. The standards are considerably steeper at Level 2.

CMMC Level 2

Level 2 is for businesses that handle CUI (and, by extension, FCI). These organizations must implement all 110 security requirements of NIST SP 800-171 Rev 2; the final rule adds no practices beyond that standard. Depending on what the contract specifies, Level 2 is verified either by a triennial self-assessment or by a triennial certification assessment performed by a CMMC Third-Party Assessment Organization (C3PAO), in both cases with an annual affirmation. A limited Plan of Action and Milestones (POA&M) is allowed for certain lower-weighted requirements, which must be closed within 180 days.

CMMC level 3

Level 3 applies only to organizations working on the most sensitive defense programs. It builds on the 110 requirements of NIST SP 800-171 and adds 24 selected requirements from NIST SP 800-172. A Level 3 candidate must first hold a Level 2 certification from a C3PAO; the Level 3 assessment itself is performed by the DoD's DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years, with an annual affirmation in between.

The 48 CFR rule widens the scope and tightens standards

The proposed 48 CFR (DFARS) rule, published in August 2024 and still awaiting finalization at the time of writing, differs most from the earlier regime in its scope. Previously, subcontractors were not directly subject to CMMC; the new rule covers prime contractors, their subcontractors at every tier, and everyone else in the supply chain that handles FCI or CUI.

DoD's stated rationale is that flowing the CMMC requirement down to every tier takes the burden off prime contractors alone and shares it across the ecosystem, which tightens the overall security posture of the industry and makes processes more efficient in the long run.

However, the amendments do not stop here:

Aspect | Before the final rule | After the final rule
Applicability to subcontractors | Subcontractors were not directly required to hold a CMMC certification; primes were responsible for flowing down DFARS 252.204-7012. | Subcontractors must meet the CMMC level required for the data they handle (Level 1 for FCI, Level 2 or 3 for CUI).
Cybersecurity certification | Contractors self-assessed against NIST SP 800-171 under DFARS 252.204-7012 and reported scores to SPRS under 252.204-7019. | Formal C3PAO (Level 2) or DIBCAC (Level 3) assessments are required where the contract specifies them; Level 1 and some Level 2 work remains self-assessed.
Level of detail | Based on NIST SP 800-171 compliance only. | Three levels of requirements, drawing from FAR 52.204-21, NIST SP 800-171, and NIST SP 800-172.
Submission of CMMC unique identifiers | No unique identifiers were required unless a contract specified them. | Contractors and subcontractors must submit the CMMC unique identifier (UID) of each assessed information system that will process, store, or transmit CUI, giving DoD traceability from contract to assessment.
Continuous compliance and affirmation | No formal affirmation system; contractors self-attested with limited enforcement. | An authorized senior official must affirm continued compliance annually (and after any POA&M closeout), recorded in SPRS.
Regulation enforcement | Largely self-enforced with limited audit provisions. | Formal enforcement through third-party and government assessments, with the CMMC level a condition of award.

CMMC Phased roll out: Then vs Now

Earlier planning assumed that Phase 1 would start appearing in defense contracts and bids in late 2023. Under the final rule, the 32 CFR program rule took effect on December 16, 2024, but CMMC requirements appear in solicitations only once the 48 CFR (DFARS) rule takes effect, and that date marks the start of Phase 1.

Phase | Previous ruling | Updated ruling (final rule) | Key highlights
Phase 1 start date | Late 2023 | Effective date of the 48 CFR (DFARS) rule (the 32 CFR program rule itself took effect December 16, 2024) | The later start aligns the rollout with the contracting rule and gives organizations additional time to understand and meet the baseline requirements.
Phase 1 duration and requirements | Approximately 6 months | One year; Level 1 and Level 2 self-assessments, with DoD able to require Level 2 C3PAO certification on specific contracts at its discretion | Self-assessment results and affirmations are recorded in SPRS.
Phase 2 start date | Mid-2024 | One year after Phase 1 begins (projected 2026) | The extended timeline reflects industry feedback during rulemaking and the time needed to build C3PAO assessment capacity.
Phase 2 requirements | Primarily self-assessment | Level 2 certification assessments by a C3PAO | A C3PAO certification will be needed to win applicable contracts; organizations must already implement NIST SP 800-171 (with only the limited POA&M items the rule allows) before the assessment.
Phase 3 start date | Early 2025 | One year after Phase 2 begins (projected 2027) | Gives businesses and supply-chain partners time to prepare for the more stringent Level 3 requirements and make the necessary changes to practices and infrastructure.
Phase 3 requirements | Introduction of Level 3 assessments | Continued Level 2 plus introduction of Level 3 | Level 3 is assessed by DoD (DCMA DIBCAC) rather than by C3PAOs, and adds 24 requirements from NIST SP 800-172.
Phase 4 start date | Late 2025 | One year after Phase 3 begins (projected end of 2028) | Full implementation: CMMC requirements in all applicable solicitations and contracts, including option periods. Contractors maintain continuous compliance with annual affirmations and triennial reassessments.
Full compliance requirement | Expected by late 2025 | Full compliance across all applicable contracts, projected by the end of 2028

As the CMMC deadline shifts, businesses must act now

Because the CMMC rules change supply-chain relationships, vendor contracts, assessor partnerships, and internal processes, DoD chose a phased rollout to allow a smoother transition.

The four originally proposed phases remain, but Phase 1 now lasts a full year rather than about six months, and it formally begins when the 48 CFR rule is finalized (at the time of writing, estimated for around May 2025).

Note that the 32 CFR program rule has been in effect since December 16, 2024, so C3PAO and self-assessments can already be conducted and recorded. What is still pending is the DFARS clause (48 CFR Part 204) that makes the CMMC level a contractual condition between the supplier and DoD; once that rule is final, CMMC requirements will start appearing in solicitations.

ESPs no longer need their own certification

Amid the tightening regulations, external service providers (ESPs) get some relief: under the final rule an ESP does not need its own CMMC certification. Its services are instead assessed within the scope of the organization seeking assessment (OSA), and the treatment depends on whether the ESP is a cloud service provider (CSP) and on whether it processes, stores, or transmits CUI or Security Protection Data (SPD).

When the ESP processes, stores, or transmits | Cloud service provider (CSP) | Non-cloud service provider (non-CSP)
CUI (with or without SPD) | Must meet FedRAMP Moderate (or equivalent) as required by DFARS 252.204-7012 | Services are included in the OSA's assessment scope and evaluated as part of the overall assessment
SPD without CUI | Services are included in the OSA's assessment scope and evaluated as Security Protection Assets (no FedRAMP requirement) | Same: included in the OSA's scope and evaluated as Security Protection Assets
Neither CUI nor SPD | Does not qualify as an ESP under the CMMC definition | Does not qualify as an ESP under the CMMC definition

Get CMMC ready in weeks with Sprinto

Cut down CMMC effort with NIST 800 control crosswalks

CMMC 2.0 draws its requirements from NIST SP 800-171 and NIST SP 800-172. As a defense contractor or supplier, you may already comply with another framework such as ISO 27001, NIST CSF, or FedRAMP. Cross-mapping controls between frameworks lets you reuse the evidence and progress you already have toward meeting the CMMC final rule.

Sprinto comes with predefined control mappings and ready-to-use compliance programs that accelerate compliance with NIST CSF, FedRAMP, and other frameworks, and let you automatically reuse progress on one framework toward another.

With Sprinto, you test a control once and satisfy it across many frameworks. Continuous compliance monitoring keeps you ready for the Phase 4 affirmation regime from the start, and whatever data you process, Sprinto automatically collects audit-grade evidence of control performance, streamlining both self-assessments and third-party assessments for CMMC.

FAQ

How is the CMMC Final rule different from CMMC 1.0?

The CMMC final rule is streamlined and more flexible than CMMC 1.0. It reduces the assessment levels from five to three, aligns Level 2 directly with NIST SP 800-171 with no extra maturity processes, and mixes self-assessments with third-party and government assessments depending on the level and the contract.

What are the phases in the CMMC Final rule?

The CMMC final rule rolls out in four phases over roughly three years, starting when the 48 CFR rule takes effect: Phase 1 (Level 1 and Level 2 self-assessments), Phase 2 (Level 2 C3PAO certification assessments), Phase 3 (Level 3 DIBCAC assessments), and Phase 4 (CMMC requirements in all applicable DoD contracts, including option periods).

What determines your CMMC level status?

DoD specifies the required CMMC level in each solicitation. It depends on the type and sensitivity of the information you handle: FCI only (Level 1), CUI (Level 2), or CUI on the most sensitive programs (Level 3). Compliance is then verified through self-assessment, a C3PAO assessment, or a government-led DIBCAC assessment, as the level and contract require.

How soon will CMMC be required?

The 32 CFR program rule took effect on December 16, 2024, but CMMC requirements appear in contracts only once the 48 CFR (DFARS) rule takes effect. From that date the phased rollout runs for about three years, projected through 2028, and defense contractors must hold the required level to bid on applicable contracts.

What's the difference between the 32 CFR and 48 CFR final rules?

32 CFR governs the overall CMMC program framework, while 48 CFR integrates CMMC requirements into the Defense Federal Acquisition Regulation Supplement (DFARS), directly impacting contract requirements and enforcement.

Virgil
Virgil is a marketer at Sprinto who combines his media savvy with his cybersecurity expertise to craft content that truly resonates. Known for simplifying complex cybersecurity and GRC topics, he brings technical depth and a storyteller’s touch to his work. When he’s not busy writing, he’s likely exploring the latest in cybersecurity trends, debating geopolitics, or unwinding with a good cup of coffee.
