Key insights
Compliance with Cybersecurity Maturity Model Certification (CMMC) 2.0 is essential for bidding on Department of Defense (DoD) contracts.
A phased roll-out will begin in 2025 and will cover not only contractors who work directly with DoD, but also their subcontractors. Universities and research institutions that receive DoD information through government grant programs may also be subject to the regulation.
You will need to understand the type of data you receive in performance of DoD contracts, determine how the new requirements affect your organization's systems, develop a system security plan, implement the necessary cybersecurity controls, and make sure your team is well-trained on cybersecurity practices.
Different levels of assessment are required based on the sensitivity of the information handled, ranging from self-assessments to government-led certification assessments.
The updated model aligns more closely with existing standards like NIST SP 800-171, reducing redundancy and making compliance more straightforward.
Government contractors must soon meet new Cybersecurity Maturity Model Certification (CMMC) requirements to bid on Department of Defense (DoD) contracts.
Learn some of the key updates to the CMMC framework and how these changes may impact your organization.
1. What are the risks of not achieving Cybersecurity Maturity Model Certification?
Organizations that fail to achieve certification under DoD's CMMC program face several significant risks. Without certification, an organization will be ineligible to bid on or renew DoD contracts or grants, leading to lost revenue or grant funding, lost business opportunities, and an inability to compete for DoD work.
Lacking certification, or being noncompliant with the controls you have attested to, can also result in reputational damage, legal repercussions, and financial liabilities arising from data breaches and security incidents. Noncompliance can also bring penalties, as recent news regarding cybersecurity violations and fraud enforcement has shown.
2. How will CMMC 2.0 impact businesses and subcontractors?
The new model aims to balance the need for robust cybersecurity with the practical realities faced by businesses and subcontractors, making compliance more achievable and beneficial.
The phased rollout gives small and midsize businesses more time to adjust and comply with the new requirements. While compliance costs can be a concern, any organization subject to the rule can manage expenses by reducing the scope of systems that receive DoD data, using compliance automation tools, and seeking cost-effective managed security services.
3. What is the timeline for implementing CMMC 2.0?
The implementation of CMMC 2.0 follows a phased approach to help organizations gradually comply with the new requirements.
- December 16, 2024 — CMMC final rule becomes effective
- February 28, 2025 — SPRS self-assessment for Level 2 available
- Expected mid-2025 — Publication of the CMMC acquisition rule
- 60 days after the acquisition rule (start of Phase 1) — If required, solicitations will include requirements for a Level 1 or Level 2 self-assessment
- 12 months after the Phase 1 start — If required, solicitations will require Level 2 certification
- 24 months after the Phase 1 start — If required, solicitations will require Level 3 certification
- 36 months after the Phase 1 start — All solicitations will require the applicable level of CMMC requirements
Learn more about what you need to know about the new CMMC requirements in our on-demand webinar.
4. What steps should companies take to prepare for CMMC 2.0?
Understand the requirements
Familiarize yourself with the specific requirements for the CMMC level your organization needs to achieve. CMMC 2.0 has three levels, each with different cybersecurity practices and assessment requirements. The types of data you receive under the contract — Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) — will ultimately determine the required assessment level.
Develop a system security plan
Create a detailed system security plan (SSP) outlining the boundaries of your systems, any associated interconnections with external systems, and how your organization will implement and maintain required cybersecurity practices. This plan should include policies, procedures, and controls to protect sensitive information.
Implement necessary controls
This may involve updating or implementing software and other technologies, enhancing access controls, and improving incident response capabilities. It is critical to scope and implement controls that cover every asset of the information system that may transmit, process, or store FCI or CUI. Additional assets may need to be brought into scope depending on how closely they are connected to those sensitive assets.
Train your team
Train your team on new cybersecurity practices and how to maintain compliance. Regular training and awareness programs can help reinforce the importance of cybersecurity.
Monitor and maintain compliance
Continuously monitor your cybersecurity practices to maintain ongoing compliance with CMMC requirements. Regular audits and updates to your SSP can help keep your organization secure and compliant.
5. How will CMMC 2.0 be enforced and monitored?
The DoD will integrate CMMC requirements into contracts, making certification an enforced condition of winning a bid. Level 3 assessments will be led by the Defense Industrial Base Cybersecurity Assessment Center and repeated every three years.
Organizations are expected to continuously monitor their cybersecurity practices to enable ongoing compliance. This includes real-time security dashboards, frequent log and event reviews, and anomaly detection.
Failure to meet CMMC 2.0 compliance requirements can result in disqualification from DoD contracts and may lead to substantial fines (e.g., under the False Claims Act, fines can be as high as $10,000 per control). After a violation, an organization may also incur significant costs to remediate and achieve compliance, including the expense of updating systems, training staff, and implementing the necessary cybersecurity measures.
David Scaffido
Principal

David Nowacki
Controls Consultant Manager