Pentagon Officially Implements CMMC Requirements In Contracts
- Ken Larson

“DEFENSE SCOOP” By Mikayla Easley
“The Pentagon has posted the much-anticipated updated rule that will require contracts to implement Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) standards moving forward, marking the near end of a years-long effort to enforce CMMC 2.0 cybersecurity standards for defense contractors.”
____________________________________________________________________________
“The final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) was posted to the Federal Register for public inspection and will officially take effect Nov. 10, according to the document. The mandate’s publication marks the near end of a years-long effort to enforce new cybersecurity standards set by the CMMC program for defense contractors.
“We expect our vendors to put U.S. national security at the top of their priority list,” Katie Arrington, who is performing the duties of Pentagon chief information officer, said in a statement. “By complying with cyber standards and achieving CMMC, this shows our vendors are doing exactly that.”
The CMMC program is a three-tiered cybersecurity framework that requires contractors working with controlled unclassified information (CUI) or federal contract information (FCI) to meet one of three levels of compliance based on how sensitive the info they’re handling is. The Department of Defense — which the Trump administration has rebranded as the Department of War — created the program to ensure contractors are safeguarding Pentagon data stored on their systems from adversaries.
The DFARS amendment follows the department’s final rule change for CMMC 2.0 that was published in October 2024 and went into effect a couple of months later in December. While that rule established the program into federal law, the new mandate will obligate Pentagon contracting officers to include cybersecurity requirements based on the framework’s tiers in program solicitations and contracts.
The rule emphasizes that vendors won’t be eligible for contract awards, task orders or delivery orders if they do not meet the required CMMC standards.
Getting CMMC across the finish line has been an arduous and controversial effort. The program was developed by the first Trump administration but immediately faced opposition from industry — which claimed the framework was overcomplicated and would put undue regulatory burdens on companies.
In response, the Pentagon restructured its original CMMC proposal into a pared-down framework known as CMMC 2.0, reducing the number of assessment levels from five to three as a way to simplify the compliance process for small- and medium-sized vendors.
The revised framework allows contractors to self-assess their cybersecurity compliance if they are handling less sensitive FCI categorized under CMMC Level 1 or CMMC Level 2. More sensitive CUI data denoted as CMMC Level 2 will require a verification check done by a certified third-party assessor organization (C3PAO), while CUI documents considered CMMC Level 3 will require certification from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
CMMC 2.0 also introduces “plans of action and milestones” (POA&Ms), allowing vendors that do not meet all of the framework’s standards to receive a conditional certification for 180 days as they work to reach compliance. The amended DFARS rule clarified that a POA&M will only be given to vendors who must reach Level 2 or Level 3 standards.”
ABOUT THE AUTHOR:
Mikayla Easley reports on the Pentagon’s acquisition and use of emerging technologies. Prior to joining DefenseScoop, she covered national security and the defense industry for National Defense Magazine. She received a BA in Russian language and literature from the University of Michigan and an MA in journalism from the University of Missouri. You can follow her on Twitter @MikaylaEasley.