DoD issues DFARS interim rule to roll out CMMC assessments
The Department of Defense published an interim DFARS rule establishing the Cybersecurity Maturity Model Certification (CMMC) assessment requirement and a NIST SP 800-171 DoD Assessment methodology for defense contractors starting in late 2020.
The Department of Defense published the interim rule implementing the Cybersecurity Maturity Model Certification (CMMC) framework on 29 September 2020, establishing requirements for defense contractors to achieve third-party certification of cybersecurity practices before receiving contracts involving controlled unclassified information.
CMMC Framework Structure
Five maturity levels establish progressive cybersecurity capability requirements, from Level 1 basic safeguarding through Level 5 advanced practices. Each level builds upon the previous, incorporating additional practices and processes to address evolving cyber threats and protect sensitive information.
Level 1 (Basic Cyber Hygiene) requires 17 practices derived from FAR 52.204-21, covering basic access controls, identification procedures, and physical protection measures. Self-assessment is permitted at this level for contracts not involving CUI.
Level 2 (Intermediate) adds 55 practices serving as a transition between Levels 1 and 3, incorporating selected NIST SP 800-171 requirements. This level addresses contractors beginning CUI protection efforts but not yet achieving full 800-171 implementation.
Level 3 (Good Cyber Hygiene) requires all 110 NIST SP 800-171 controls plus 20 additional practices, establishing the baseline for CUI protection that most defense contractors handling sensitive information must achieve.
Levels 4 and 5 add preventive cybersecurity practices addressing advanced persistent threats, including threat hunting, incident response improvement, and continuous security improvement processes for contracts involving the most sensitive defense information.
Third-Party Assessment Requirements
Certified assessors accredited by the CMMC Accreditation Body (CMMC-AB) must evaluate contractor cybersecurity practices and issue certifications. The assessment process verifies both practice implementation and process maturity across applicable domains.
Assessment scope covers contractor networks, systems, and facilities processing, storing, or transmitting federal contract information and controlled unclassified information. Organizations must define assessment boundaries clearly and document information flows.
Certification validity lasts three years, requiring periodic reassessment to maintain compliance. Contractors must also report significant cybersecurity incidents or changes that might affect certification status.
Contract Integration
DFARS clause 252.204-7021 requires contractors to maintain CMMC certification at the level specified in solicitations as a condition of contract award. Prime contractors must flow down CMMC requirements to subcontractors based on CUI handling responsibilities.
Phased implementation began with pilot programs in late 2020, with broader rollout planned for 2021-2025. Contractors should monitor solicitation requirements and begin certification efforts based on anticipated contract requirements.
Supply chain implications require prime contractors to assess subcontractor cybersecurity capabilities and ensure appropriate certifications before engaging suppliers for CUI-related work. This creates cascading compliance requirements throughout defense supply chains.
Cost and Resource Considerations
Assessment costs vary based on organizational size, complexity, and target certification level. Small businesses should budget for pre-assessment gap analysis, remediation efforts, and formal certification assessment fees.
The implementation timeline for organizations not currently meeting NIST 800-171 requirements may require 12-24 months of preparation, including policy development, technical control implementation, and staff training before the certification assessment.
Resource allocation should address personnel training, security tool deployment, documentation development, and ongoing compliance monitoring to maintain certification status throughout contract performance periods.
Guidance for teams
If you are affected, begin with gap assessments against target CMMC levels, prioritizing remediation of the highest-risk deficiencies. Documentation of policies, procedures, and control implementations is essential for assessment readiness. Engaging CMMC consultants and assessors early in the process can identify issues before the formal assessment.