
Cybersecurity · Credibility 93/100 · 2 min read

DoD Issues CMMC 2.0 Proposed Rule — December 26, 2023

The U.S. Department of Defense published a proposed rule to implement Cybersecurity Maturity Model Certification 2.0 across the defense industrial base with phased contract requirements.

Executive briefing: On December 26, 2023, the U.S. Department of Defense (DoD) released a proposed rule in the Federal Register to implement Cybersecurity Maturity Model Certification (CMMC) 2.0. The rule would require more than 220,000 defense contractors and subcontractors to meet specified NIST SP 800-171 or 800-172 controls, undergo triennial third-party assessments at higher levels, and report scorecards through the Supplier Performance Risk System (SPRS).

Key proposals

  • Three-tier model. CMMC Levels 1, 2, and 3 align with FAR 52.204-21, NIST SP 800-171, and NIST SP 800-172 respectively, with assessment requirements ranging from annual self-assessments to third-party certifications.
  • Phased rollout. DoD plans a phased implementation over three years beginning in , ultimately making CMMC a prerequisite for award of applicable contracts.
  • Enhanced reporting. Contractors must submit assessment scores and plans of action into SPRS within 30 days and maintain continuous monitoring of corrective actions.

Control alignment guidance

  • NIST SP 800-171 Rev. 2. Conduct a gap analysis against the 110 controls, prioritising multi-factor authentication, encryption, and configuration management requirements.
  • NIST SP 800-172. Critical programs should evaluate advanced requirements such as enhanced logging, segmentation, and adversary emulation testing.
  • Contract management. Update supplier agreements and flow-down clauses to ensure subcontractors meet the required CMMC level and reporting cadence.

Operational recommendations

  • Establish a CMMC governance office to manage readiness assessments, third-party audit scheduling, and POA&M remediation.
  • Automate evidence collection and continuous monitoring dashboards mapped to CMMC practices to streamline assessor reviews.
  • Engage procurement teams early to identify contracts likely to include CMMC clauses during the phased rollout.