The Impact of CMMC on Defense Contracts & Supply Chain

Cybersecurity

Jim Carlson

2025-03-10 · 10 min read

Key Takeaways

  • CMMC is a mandatory prerequisite for DoD contracts, with phased implementation over three years.
  • Prime contractors must ensure subcontractors comply with the required CMMC levels.
  • Non-compliance results in ineligibility for DoD contracts, making CMMC certification crucial for defense contractors.

How CMMC Will Be Included in DoD Contracts

The Cybersecurity Maturity Model Certification (CMMC) is set to become a critical requirement for all Department of Defense (DoD) contracts, ensuring heightened cybersecurity across the defense supply chain. With implementation occurring in a four-phase rollout over three years, contractors must adhere to specific CMMC levels based on the sensitivity of the information they handle.

Discover the full assessment process here.

1. CMMC as a Contractual Requirement

Once fully integrated into DoD solicitations, contracts will specify the required CMMC Level and assessment type (self-assessment, third-party, or government-led). Contractors must achieve the designated CMMC Level to be eligible for award.

  • Contracting officers will verify compliance through Supplier Performance Risk System (SPRS) entries and CMMC certification status.

2. CMMC Certification Levels

The CMMC framework consists of three security levels:

  • Level 1 (Self): For contractors handling Federal Contract Information (FCI), requiring compliance with 15 basic cybersecurity practices.
  • Level 2 (Self or C3PAO): For contractors handling Controlled Unclassified Information (CUI), requiring all 110 NIST SP 800-171 security controls.
  • Level 3 (DIBCAC): For highly sensitive CUI contracts, requiring an additional 24 security controls from NIST SP 800-172.

3. Assessment & Compliance Requirements

  • Level 1: Requires annual self-assessments.
  • Level 2: Requires triennial self-assessments or third-party assessments by a Certified Third-Party Assessment Organization (C3PAO).
  • Level 3: Requires assessments conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

For a deeper dive into requirements, see here.

4. Contract Modifications

Existing DoD contracts may incorporate CMMC requirements through bilateral modifications after negotiation, ensuring ongoing compliance.

Flow-Down Requirements for Subcontractors

CMMC mandates that prime contractors ensure subcontractors meet the appropriate CMMC requirements based on the information they handle. This flow-down requirement strengthens cybersecurity across the entire supply chain. Learn how to handle non-compliance issues among subcontractors here.

Worried about ensuring subcontractor compliance?

Sign up for early access to our all-in-one CMMC tool, and be first to see how it helps prime contractors manage flow-down requirements seamlessly.

1. Minimum CMMC Levels for Subcontractors

A. Subcontractors handling only FCI: Require CMMC Level 1 (Self).

B. Subcontractors processing CUI: Must meet the same certification level as the prime contractor:

  • Level 2 (Self) for self-assessed contracts.
  • Level 2 (C3PAO) for contracts requiring third-party assessments.
  • Level 3 (DIBCAC) if the prime contractor is at this level.

2. Prime Contractor Responsibility

  • Prime contractors must verify that subcontractors have valid CMMC certification before awarding subcontracts.
  • Compliance status must be recorded in SPRS.

3. Assessment and Affirmation

  • Subcontractors must undergo the same certification process as prime contractors at their designated level.
  • Affirmations and compliance updates must be submitted annually.

4. Plans of Action & Milestones (POA&M)

  • Subcontractors not meeting all required controls may still be eligible for contract award if they achieve a minimum 80% compliance score.
  • Outstanding requirements must be remediated within 180 days through a follow-up assessment.

Final Thoughts

The CMMC framework is reshaping the defense supply chain by ensuring all contractors and subcontractors implement robust cybersecurity practices. Failure to comply means ineligibility for DoD contracts, placing responsibility on prime contractors to verify and enforce compliance among their subcontractors.

For an overview of how CMMC evolved from previous regulations, see here.

Protect your contracts and secure your supply chain. Join our email list for updates on our cost-effective portal, designed to streamline compliance and help your team stay competitive in the defense market.
