Pentagon Suspends CMMC Phase Two Requirements

by Anika Shah - Technology
0 comments

The U.S. Department of Defense (DoD) has finalized its Cybersecurity Maturity Model Certification (CMMC) 2.0 rule, officially published in the Federal Register on October 15, 2024. The rule establishes a phased implementation schedule for defense contractors to meet rigorous cybersecurity standards, with the first phase of requirements set to begin in early 2025 rather than November 2024.

The CMMC 2.0 Implementation Timeline

The final rule mandates that defense contractors must comply with specific cybersecurity assessments to handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). According to the Department of Defense, the rollout follows a three-year phased approach:

The CMMC 2.0 Implementation Timeline
  • Phase 1 (Starting early 2025): New solicitations will begin including CMMC requirements for Level 1 and Level 2 self-assessments.
  • Phase 2 (Starting 2026): Solicitations will incorporate CMMC Level 2 certification requirements for third-party assessments.
  • Phase 3 (Starting 2027): Requirements for CMMC Level 3 certification—the highest tier—will begin appearing in solicitations.
  • Full Implementation (2028): All defense contracts will be required to include the appropriate CMMC level requirements.

Cybersecurity Requirements by Level

The CMMC framework is tiered to match the sensitivity of the data a contractor manages. The Office of the Under Secretary of Defense for Acquisition and Sustainment outlines three primary levels:

Cybersecurity Requirements by Level
  • Level 1 (Foundational): Requires annual self-assessments for contractors handling FCI. This level covers 15 basic security requirements derived from FAR Clause 52.204-21.
  • Level 2 (Advanced): Designed for contractors handling CUI. This level aligns with NIST SP 800-171 and requires either a self-assessment or a third-party assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO), depending on the specific contract.
  • Level 3 (Expert): Required for contractors handling the most sensitive CUI. This level is based on a subset of NIST SP 800-172 requirements and will involve assessments led by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Why the DoD Updated the Framework

The transition from CMMC 1.0 to 2.0 reflects a shift toward streamlining compliance costs for small businesses while maintaining a robust security posture. The DoD’s official guidance notes that the 2.0 version reduces the number of levels from five to three and allows for Plans of Action and Milestones (POA&Ms) in limited circumstances to achieve certification. This change addresses feedback from the Defense Industrial Base regarding the administrative burden of the original 2020 proposal.

Urgent Update: CMMC Phase 2 Suspended by Dept. of War CIO

Impact on Defense Contractors

Contractors currently working with the DoD must review their existing data handling protocols to determine which CMMC level applies to their work. Because CMMC requirements will be written into new solicitations, companies that fail to meet the certification standards by the time of contract award will be ineligible for those specific defense contracts.

The DoD emphasizes that this rule is a mandatory condition of contract award. Organizations are encouraged to visit the CMMC Accreditation Body website to identify authorized C3PAOs for future assessments, ensuring they are prepared before the phased requirements reach their specific contract vehicles.

Related Posts

Leave a Comment