The Final Rule on CMMC: A Guide for Defense Contractors

The Department of Defense has finalized the rules for the CMMC framework through the “final rule.” In March 2025, CMMC will be a contractual requirement for companies handling Controlled Unclassified Information. Therefore, it’s clear that contractors in the defense industrial base need to adopt this final CMMC standard. 

This article explains the assessment categories under CMMC and provides a roadmap to help organizations prepare for certification.

 

The CMMC 2.0 Levels Explained

The final rule for CMMC outlines three levels of cybersecurity maturity, which isn’t news to anyone following the program’s evolution. However, this new rule divides these three levels into four assessment categories, including the self-assessment option at Level 2.

 

Level 1 (Self-Assessment)

This level ensures basic cyber hygiene practices to protect Federal Contact Information (FCI). At this level, contractors must follow 17 practices outlined in NIST Special Publication 800-171, covering key areas such as access control, authentication, physical security, and routine maintenance.

More importantly, these organizations can undergo self-assessment, assuming they can manage CMMC reporting requirements internally. Annual self-assessments must be signed by a senior official, affirming the organization’s compliance with these practices.

 

Level 2 (Self-Assessment)

Organizations in this category handle CUI that does not pertain to critical national security. At this level, contractors must implement the entirety of NIST SP 800-171 (all 110 controls) but can undergo self-assessment… but only with the express permission of the CMMC AB. Self-assessments reduce the financial burden of compliance and simplify the certification process.

A senior official documented and affirmed self-assessments, demonstrating accountability and transparency in cybersecurity practices.

 

Level 2 (C3PAO Assessment)

Organizations in this category manage CUI critical to national security, requiring an independent review by certified assessors (C3PAOs). These assessments ensure higher scrutiny to avoid biases in reporting and provide confidence in an organization’s ability to protect sensitive information.

A successful C3PAO assessment validates the organization’s compliance, allowing it to handle critical CUI securely.

 

Level 3 (DIBCAC Assessment)

The highest level of CMMC certification is reserved for organizations involved in national defense operations and protects contractors from the most advanced threats in the wild, including APTs. At Level 3, contractors will implement all 110 controls in NIST SP 800-171 alongside additional advanced controls from NIST SP 800-172. 

The Defense Industrial Cybersecurity Assessment Center manages assessment here. DIBCAC assessments are conducted directly by the DoD, ensuring that Level 3 organizations meet the most stringent requirements.

 

What Are Some Concerns With the Final CMMC Rule?

The final CMMC rule has triggered several significant concerns that contractors have expressed in public comments:

• Complexity and Implementation Challenges: Commenters were concerned that the final CMMC rule remained quite complex, even after years of optimization. This included issues with the standard itself (and its implementation) and their understanding of the CMMC governance structure. 
• Cost and Resource Implications: The costs of CMMC are still rather high, especially for companies conducting third-party assessments. Many respondents highlighted the financial and resource burdens associated with achieving CMMC for small and medium-sized enterprises. 
• Timeline for Compliance: Contractors argued that organizations simply would not have enough time to achieve compliance without dedicating significant resources. 
• Alignment with Existing Standards: Many businesses are looking for unified compliance approaches to reduce complexity and redundancy, and some contractors argued that there wasn’t enough synergy between CMMC and existing federal standards or major frameworks like ISO 27001. existing cybersecurity standards. Commenters suggested that recognizing current certifications could streamline the process and enhance adoption.
• Impact on Supply Chain Dynamics: The digital supply chain is already a major concern for contractors. CMMC places an upstream burden on third-party vendors working with these contractors to meet data privacy requirements. While supply chain security is critical in our modern age, it also creates the issue of large providers essentially dictating compliance to smaller partners.

These concerns underscore the complexities of implementing the CMMC framework and highlight the need for clear guidance, support, and flexibility to ensure successful adoption across the Defense Industrial Base.

 

Preparing for CMMC Certification

To achieve CMMC compliance, organizations must take a proactive approach to cybersecurity. Here’s a roadmap to help contractors prepare:

• Identify Your Required Level: Review your contracts to determine whether you handle FCI, CUI, or highly sensitive national security information. This will clarify the appropriate CMMC level and assessment category for your organization.
• Perform a Gap Analysis: Evaluate your current cybersecurity practices against the requirements of your designated CMMC level. Identify deficiencies in policies, processes, or technical controls.
• Implement Necessary Controls: Based on your gap analysis, deploy the required controls, focusing on key areas like access management, incident response, configuration management, and data protection.
• Develop Documentation: Create a System Security Plan (SSP) detailing your cybersecurity posture. If gaps remain, include a Plan of Action and Milestones (POA&M) to outline how you will address them.
• Conduct Assessments: Schedule the appropriate assessment type, whether it is a self-assessment (Levels 1 or 2), third-party assessment (Level 2), or DIBCAC assessment (Level 3). 
• Maintain Compliance: Compliance is an ongoing effort. Systems must be continuously monitored for vulnerabilities, updated documentation, and adaptations to evolving threats.

 

Key Challenges and Opportunities

While CMMC compliance presents challenges, particularly for small and medium-sized businesses, it also provides opportunities for growth and resilience. By meeting these rigorous standards, organizations enhance their cybersecurity posture, protect sensitive data, and position themselves as reliable partners within the DIB.

Organizations can streamline compliance by leveraging technology and external resources:

• Automated Compliance Tools: Platforms like Continuum GRC automate control mapping, monitoring, and reporting, reducing administrative overhead.
• Managed Security Service Providers: Outsource compliance and monitoring tasks to MSSPs for expert guidance and reduced burden.
• Employee Training: Regular training ensures staff understand cybersecurity protocols, reducing the risk of human error.

 

There’s No Time to Wait. Work With an Established CMMC C3PAO: Lazarus Alliance

The final rule on CMMC is a critical step toward securing the defense supply chain and safeguarding national security interests. Organizations that act now to comply with these requirements will ensure compliance and gain a competitive edge in the defense contracting landscape.

To learn more about how Lazarus Alliance can help, contact us. 

• FedRAMP
• StateRAMP
• NIST 800-53
• FARS NIST 800-171
• CMMC
• SOC 1 & SOC 2
• HIPAA, HITECH, & Meaningful Use
• PCI DSS RoC & SAQ
• IRS 1075 & 4812
• ISO 27001, ISO 27002, ISO 27005, ISO 27017, ISO 27018, ISO 27701, ISO 22301, ISO 17020, ISO 17021, ISO 17025, ISO 17065, ISO 9001, & ISO 90003
• NIAP Common Criteria – Lazarus Alliance Laboratories
• And dozens more!

[wpforms id=”137574″]