Preparing for Cybersecurity Maturity Model Certification Compliance: Requirements for Defense Contractors in 2025

According to an article by the firm Baker & Hostetler, the Department of Defense (DoD) has finalized the Cybersecurity Maturity Model Certification (CMMC) Program, setting a new compliance path for the Defense Industrial Base (DIB). The CMMC Rule, effective December 16, 2024, will begin phased implementation in FY 2025, with contractors needing to certify at levels based on contract requirements by FY 2028.

The initial phases allow for Level 1 self-certifications, progressing to Level 3 certifications under third-party assessments (C3PAO and DIBCAC). Contractors and their subcontractors must achieve the required certification levels before contract awards, likely pushing prime contractors to require compliance from subcontractors.

For external service providers (ESPs), the article notes that the DoD has simplified compliance by allowing these providers to be assessed alongside the Organizations Seeking Certification (OSC). However, stricter rules apply if contractors use ESPs as Cloud Service Providers (CSPs) handling Covered Defense Information (CDI). In such cases, CSPs must be FedRAMP Authorized or meet FedRAMP-equivalent standards, as evidenced by Third Party Assessment Organizations (3PAO) assessments.

The rule also mandates a six-year retention of certification artifacts, reflecting the statute of limitations for the False Claims Act. This requirement extends to annual self-certifications and third-party assessments, supporting evidence retention if government scrutiny arises.

In parallel, a new FAR CUI rule will extend NIST 800-171 requirements to non-DoD government contractors, though specifics remain forthcoming. The article suggests that DoD contractors should begin aligning their cybersecurity frameworks with NIST 800-171, while both DoD and non-DoD contractors might consider participating in regulatory feedback to influence the final rule’s development. Early preparation for the Cybersecurity Maturity Model Certification will help contractors streamline certification once these requirements become active.