The CMMC Rule is Final & Posted by the DoD

Here’s a concise overview of the recent developments regarding the Cybersecurity Maturity Model Certification (CMMC) Program.


Welp, it’s official, and Phase 1 is now in effect. If you’re a defense contractor and you haven’t started preparing for CMMC requirements, you’re already behind. Now’s the time to ensure compliance and protect your eligibility for DoD contracts. Proactive steps include reviewing current contracts to determine the required CMMC level, implementing necessary cybersecurity controls, and planning for the appropriate assessments.

If you aren’t familiar with CMMC, you can check out our blog, What Phase 2 Means and How to Get Ready, where we outline what it is, why you’ll have to do it, why you should work with a cybersecurity consultant, and the tools for compliance.

Final Rule Publication and Effective Date:

  • The U.S. Department of Defense (DoD) published the final rule for CMMC 2.0 on October 15, 2024.
  • This rule will become effective on December 16, 2024.

The CMMC 2.0 Framework Levels:

  • Level 1 (Foundational): Focuses on 15 basic cyber hygiene practices for handling Federal Contract Information (FCI). Organizations are required to conduct annual self-assessments.
  • Level 2 (Advanced): Aligns with the 110 controls outlined in NIST SP 800-171 to protect Controlled Unclassified Information (CUI). Depending on the contract, this may require self-assessment or third-party certification every three years.
  • Level 3 (Expert): Designed for the most sensitive contracts, incorporating additional NIST SP 800-172 controls. Requires both third-party certification and government-led assessment every three years.


In our webinar, “How to Streamline CMMC 2.0 Compliance,” we outlined what manufacturers need to be CMMC 2.0 compliant, including how to budget for it and when. The big takeaway is that CMMC 2.0 is necessary for all organizations in the DoD’s supply chain that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The CMMC Levels for Manufacturers
Disclaimer: Level 1 has been updated to 15 controls with the release of the final rule on CMMC 2.0 in October 2024.
© Datanomix & Carbide. All Rights Reserved.


If you’re curious about your software vendors, CMMC 2.0 is necessary for all vendors in the DoD’s supply chain that handle FCI and CUI, whether in the cloud or on-premise. If they do touch CUI, ask whether they comply with the 110 requirements of DFARS 252.204-7012/NIST SP 800-171 and whether they have any third-party certifications such as SOC 2, ISO 27001, or FedRAMP (if they sell to any federal agencies).

The Phased Implementation Timeline:

Phase 1 — November 10, 2025 (now in effect): CMMC Level 1 and Level 2 self-assessment requirements began appearing in new DoD solicitations as a condition of contract award. The DoD has discretion to require third-party (C3PAO) Level 2 certification on prioritized contracts during this phase.

Phase 2 — November 10, 2026: Third-party C3PAO-assessed Level 2 becomes the default for contracts involving CUI. Self-assessments stop counting for CUI work. Level 3 assessments become available at DoD’s discretion.

Phase 3 — November 10, 2027: Level 2 (C3PAO) becomes a condition for option exercises on existing contracts, not just new awards. Level 3 (DIBCAC) assessment requirements become mandatory in applicable solicitations.

Phase 4 — November 10, 2028: Full implementation. CMMC requirements apply to all applicable DoD contracts, solicitations, and option periods above the micro-purchase threshold where FCI or CUI is handled.

You can visit the official DoD CMMC program page for more detailed information and resources.

The G-code piece of your CMMC plan. Traceability, compliance, and control — all in a GovCloud-hosted platform.
