UPDATES TO THE CMMC WEBSITE WILL BE LIMITED DURING THE CMMC RULEMAKING PROCESS

About CMMC

Frequently Asked Questions

Now that CMMC 2.0 is published, will companies be required to comply with CMMC 1.0?
The interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). The Department does not intend to approve inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process.

Once CMMC 2.0 is codified through rulemaking, the Department will require companies to adhere to the revised CMMC framework according to requirements set forth in regulation.
When will CMMC 2.0 be required for DoD contracts?
The publication of materials relating to CMMC 2.0 reflect the Department’s strategic intent with respect to the CMMC program; however, CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.
Why did the department make these changes?
The Department values feedback from industry, Congress, and other stakeholders and received over 850 public comments in response to the interim rule establishing CMMC 1.0. These comments focused on the need to enhance CMMC by (1) reducing costs, particularly for small businesses; (2) increasing trust in the CMMC assessment ecosystem; and (3) clarifying and aligning cybersecurity requirements to other federal requirements and commonly accepted standards. CMMC 2.0 was designed to meet these goals, which also contribute toward enhancing the cybersecurity of the defense industrial base.
How much will it cost to implement CMMC 2.0?
The Department will publish a comprehensive cost analysis associated with each level of CMMC 2.0 as part of rulemaking. Costs are projected to be significantly lower relative to CMMC 1.0 because the Department intends to (a) streamline requirements at all levels, eliminating CMMC-unique practices and maturity processes, (b) allow companies associated with the new Level 1 (Foundational) and some Level 2 (Advanced) acquisition programs to perform self-assessments rather than third-party assessments, and (c) increase oversight of the third-party assessment ecosystem.

CMMC Proposed Rule Briefing

Video Briefing (February 2024)

Cybersecurity is a top priority for the Department of Defense.

The Defense Industrial Base (DIB) is the target of more frequent and complex cyberattacks. To protect American ingenuity and national security information, the DoD developed the Cybersecurity Maturity Model Certification (CMMC) 2.0 program to reinforce the importance of DIB cybersecurity for safeguarding the information that supports and enables our warfighters.

Overview of the CMMC Program

The Cybersecurity Maturity Model Certification (CMMC) program is aligned to DoD’s information security requirements for DIB partners. It is designed to enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.

The CMMC 2.0 program has three key features:

Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for requiring protection of information that is flowed down to subcontractors
Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

The Evolution to CMMC 2.0

In September 2020, the DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented the DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts). The interim rule became effective on November 30, 2020, establishing a five-year phase-in period.

In March 2021, the Department initiated an internal review of CMMC’s implementation, informed by more than 850 public comments in response to the interim DFARS rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation.

In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:

Safeguard sensitive information to enable and protect the warfighter
Enforce DIB cybersecurity standards to meet evolving threats
Ensure accountability while minimizing barriers to compliance with DoD requirements
Perpetuate a collaborative culture of cybersecurity and cyber resilience
Maintain public trust through high professional and ethical standards

Key Features of CMMC 2.0

*** Comparison between CMMC Models 1.0 and the planned CMMC Model 2.0. The CMMC Model 2.0 is notional until rulemaking is completed. ***

With the implementation of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, the Department is introducing several key changes that build on and refine the original program requirements. These are:

Streamlined Model

Focused on the most critical requirements: Streamlines the model from 5 to 3 compliance levels
Aligned with widely accepted standards: Uses National Institute of Standards and Technology (NIST) cybersecurity standards

Reliable Assessments

Reduced assessment costs: Allows all companies at Level 1, and a subset of companies at Level 2, to demonstrate compliance through self-assessments
Higher accountability: Increases oversight of professional and ethical standards of third-party assessors

Flexible Implementation

Spirit of collaboration: Allows companies, under certain limited circumstances, to make Plans of Action & Milestones (POA&Ms) to achieve certification
Added flexibility and speed: Allows the Government to waive inclusion of CMMC requirements under certain limited circumstances

Rulemaking and Timeline for CMMC 2.0

The changes reflected in CMMC 2.0 will be implemented through the rulemaking process. Companies will be required to comply once the forthcoming rules go into effect. The Department intends to pursue rulemaking both in Part 32 of the Code of Federal Regulations (C.F.R.) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R. Both rules will have a public comment period. Stakeholder input is critical to meeting the objectives of the CMMC program, and the Department will actively seek opportunities to engage stakeholders as it drives towards full implementation.

While these rulemaking efforts are ongoing, the Department has suspended prior CMMC Piloting efforts.

The Department encourages contractors to continue to enhance their cybersecurity posture during the interim period while the rulemaking is underway. The Department has developed Project Spectrum to help DIB companies assess their cyber readiness and begin adopting sound cybersecurity practices.