Rebooting Cyber Protection: Preparing for CMMC 2.0

The Pentagon’s revised Cybersecurity Maturity Model Certification (CMMC) policy comes into effect this month, starting the clock on a four-year phase-in of requirements across all defense department contracts that involve handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).?

While regulations detailing unified standards for cybersecurity across defense contracts are expected to come into force in mid-2025, requirements are already being imposed by some prime contractors. With cyber attacks and data theft on the rise, compliance and certification with the new benchmarks will become a condition of contract award for thousands of suppliers.

Now is the time for preparation.?

AlixPartners sees value in not simply approaching these as compliance requirements. Revised policies—if prudently followed—can lead to better business outcomes. Turning this moment from a chore to a competitive advantage, however, won’t happen by accident.?

The Department of Defense’s newly published CFR 32 codifies the policy elements of what’s been dubbed CMMC 2.0, which come into force on December 16. Meanwhile, CFR 48 (the proposed rule embedding the cybersecurity health requirements) is expected to be effective by mid-2025.

Understanding what’s coming

The three tiers of requirements under CMMC 2.0 replace the existing self-assessment for companies handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). This means many will now need to secure approval from the limited but growing pool of third-party assessors, creating a potential bottleneck for companies to navigate. Importantly, the cost of and access to compliance certification?will become a competitive tool.

Uncertainties remain over the final composition of CFR 48, including a 72-hour notification requirement for reporting "lapses in information security," remediation of noncompliance, and an appeals process.

While CMMC 2.0 rolls out under a phased approach (starting mid-2025 and continuing through 2028), The Department of Defense reserves the right to accelerate implementation. Under the current mode, solicitations will be managed based on compliance across the three certification levels tied to the sensitivity of data being handled.

Level 1: Companies handling FCI includes 17 requirements with an annual self-assessment and annual affirmation.

Level 2: Companies handling FCI includes 110 requirements aligned with the National Institute of Standards and Technology Special Publication (SP) 800-171. This level requires a triennial third-party assessment and annual affirmation for select programs.

Level 3: Comprises 134 requirements based on NIST SP 800-171 and SP 800-172, with a triennial assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center and annual affirmation.

*The Department of Defense reserves the right to accelerate implementation

Needed: clear, cohesive guidance

We see several critical areas requiring further clarification, including:

• Responsibility of Prime contractors in verifying the compliance status of subcontractors at any given point.
• Mechanisms for tracking changes in compliance status between certification periods, which range from one to three years, remain unclear. This creates potential gaps in accountability.
• Guidance is needed to address how compliance lapses will be managed, whether through corrective plans of action and milestones facilitated by C3PAOs or?through ?government auditors.
• Liability in the event of data loss involving controlled information. While the Defense Industrial Base response model could potentially provide a framework, a definitive approach has yet to be established.
• Access to the Supplier Performance Risk System data for relevant stakeholders remains an open question, as does clarification around reimbursement of costs associated with government assessments, particularly for Level 3 compliance.

There are also questions regarding the use of classified models to meet or exceed Controlled Unclassified Information requirements when National Institute of Standards and Technology 800-171/172 controls may not fully address these needs.?

Potential conflicts in System Security Plans between varying classification levels further underscore the need for clear, cohesive guidance to ensure consistent cybersecurity practices across all levels of compliance.?

Addressing these unresolved areas will be essential to support prime contractors, subcontractors, and assessment bodies in meeting the new standards effectively. Companies will need to contemplate these issues as they go through their compliance journey via the steps outlined below.

Critical steps

The journey to CMMC 2.0 compliance starts here:

1. Understand the requirements and familiarize yourself with the CMMC framework to determine which certification level applies to each of your contracts. This may involve reviewing relevant defense department documents and guidelines.
2. Conduct a gap analysis. Evaluate your existing cybersecurity practices and planned changes against CMMC 2.0 requirements. Identify areas that need improvement and develop a roadmap toward compliance.
3. Develop and implement robust cybersecurity policies and procedures that align with CMMC 2.0. These include elements of access control, incident response, and risk management. All employees will also need to be trained on cybersecurity best practices and the importance of compliance.
4. Identify and select a CMMC Third-Party Assessment Organization to evaluate your compliance and issue the certification.
5. Build in sustainability and improvement: After certification, maintain compliance through ongoing monitoring, audits and updates to cybersecurity measures as threats evolve. Once new policies and procedures are deployed, they need to contemplate the issues above to ensure companies remain compliant even as the requirements evolve to address emerging threats and changes to the regulatory environment. ?

Be ready to bid

Compliance is more than just a regulatory requirement: It's a vital component of a comprehensive cybersecurity strategy. For aerospace and defense firms, obtaining and maintaining CMMC 2.0 certification is non-negotiable.

This is a critical step toward better safeguarding sensitive information, securing valuable contracts, and building industry trust. By actively embracing the CMMC 2.0 framework, these companies can significantly bolster their cybersecurity resilience and contribute to enhancing national security.

Senior leaders across organizations need a partner to adequately fast-track the journey to CMMC compliance. Assessing where you need to be and how long the journey to get there is one challenge. Creating a roadmap to turning this moment into a competitive advantage in a fast-moving development in the industry will, in the end, separate the winners from the losers.

Working through the appropriate levels, determining the scope of the assessment and preparing for C3PAO/DCMA DIBCAC audits will be prudent for most organizations. Also determining the data impacts and ensuring only the FCI and CUI data necessary for compliance is addressable. This will have the ancillary effect of determining what if any downstream controls are required of supply chain vendors.?? ? ?

At AlixPartners, we partner with senior leaders across organizations to fast-track their journey to CMMC compliance. We’re here to help navigate this critical undertaking.

Contact the authors: Ben Brooks , Stanley A. , Joseph Freeh , and Dean Weber

Originally published as "The A&D Minute" on December 12, 2024: https://www.alixpartners.com/insights/102jra2/rebooting-cyber-protection-preparing-for-cmmc-2-0/