War Department begins implementing CMMC to protect service member data

Key takeaways

  • The War Department began implementing the Cybersecurity Maturity Model Certification (CMMC) in November 2025.
  • The program is described as a landmark cybersecurity initiative intended to protect sensitive information across the U.S. defense industrial base.
  • A stated focus of the program is safeguarding service member data.
  • The announcement was published by the War Department on Jan. 15, 2026 and includes a media asset link: https://media.defense.gov/2026/Jan/15/2003856946/825/780/0/260114-F-GA320-1001.JPG

Follow Up Questions

What is the Cybersecurity Maturity Model Certification (CMMC) and how does it work?

The Cybersecurity Maturity Model Certification (CMMC) is the War/Defense Department’s standardized cybersecurity program for companies in its supply chain. It is designed to make sure any contractor or subcontractor that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) has actually put required security controls in place, not just promised to do so.

How it works, in simple terms:

  • Tiered levels (3 levels):

    • Level 1 – Basic safeguarding of FCI: 15 basic security practices (like using strong passwords and limiting system access). Companies do an annual self‑assessment and submit an annual affirmation into the Supplier Performance Risk System (SPRS).
    • Level 2 – Advanced protection of CUI: Full implementation of the 110 security requirements in NIST SP 800‑171 (covering access control, incident response, encryption, auditing, etc.). Depending on the contract, companies either:
      • self‑assess every 3 years, or
      • undergo an independent assessment by an accredited third‑party (C3PAO), plus annual affirmations of continued compliance.
    • Level 3 – Expert protection for the riskiest programs: Adds 24 extra, more advanced requirements from NIST SP 800‑172 on top of Level 2. Assessments are performed by the government (DCMA’s Defense Industrial Base Cybersecurity Assessment Center) every 3 years, with annual affirmations.
  • Assessments and records: Assessment results and affirmations are recorded in government systems (such as SPRS and eMASS), and a company’s CMMC “status” must be current to win and keep eligible contracts.

  • Tied to contracts: Each new War/DoD contract that involves FCI or CUI will state the CMMC level required. A company cannot receive that award unless it already meets that level (or, in limited cases, has an approved conditional status plus a remediation plan).

  • Limited use of Plans of Action & Milestones (POA&Ms): At Levels 2–3, only certain gaps can be temporarily left open under a POA&M, which must be fully closed (and re‑assessed) within 180 days or the conditional status expires.

Overall, CMMC turns previously self‑policed cybersecurity rules into a mix of self‑assessments, third‑party audits, and government audits, all directly linked to eligibility for War/DoD contracts.

How will CMMC specifically protect service member data compared with current practices?

Under earlier rules, most defense contractors only had to self‑attest that they followed required cybersecurity standards (like NIST SP 800‑171) when handling sensitive data, including service member information. CMMC strengthens protection of that data in several concrete ways:

  • Verification instead of “trust only”:

    • For higher‑risk contracts (especially those involving CUI, where service member personnel, medical, or operational data often sits), companies must pass independent third‑party or government assessments at CMMC Levels 2–3 instead of relying purely on self‑attestation.
    • Assessment results are tracked in government systems (SPRS/eMASS), and a valid CMMC status becomes a condition of contract award and continued performance.
  • Mandatory implementation of technical controls:

    • Level 2 requires full implementation of the 110 NIST SP 800‑171 controls, which include protections directly relevant to personal data (access control, encryption, audit logging, incident response, configuration management, etc.).
    • Level 3 adds selected NIST SP 800‑172 controls aimed at defending against advanced, targeted attacks that could expose high‑value or sensitive service member information.
  • Continuous accountability:

    • Contractors must provide annual affirmations that they are still meeting requirements; Levels 2–3 also allow only limited, time‑bound POA&Ms, which must be fully remediated within 180 days.
    • Loss or lapse of CMMC status can make a company ineligible for new awards and can create performance risk on existing work, giving contractors strong incentives to maintain protections over time.

Together, these changes are meant to reduce the chance that systems holding service member data are left with unaddressed security gaps, compared with the older model of largely unverified self‑attestations.

Which companies and subcontractors in the defense industrial base are required to comply with CMMC?

CMMC applies broadly across the U.S. defense industrial base to almost all organizations that handle War/DoD contract information, with limited exceptions.

Required to comply:

  • Prime contractors and all tiers of subcontractors on War/DoD contracts, whenever their systems will process, store, or transmit:
    • Federal Contract Information (FCI), and/or
    • Controlled Unclassified Information (CUI).
  • This includes small businesses, manufacturers, service providers, cloud/IT and managed service providers, and foreign suppliers when they handle FCI or CUI for a covered contract.
  • The same CMMC level generally flows down from a prime to any subcontractor that handles the same type of information; subs that receive less‑sensitive data may be assigned a lower level.

Generally exempt or not covered:

  • Providers of commercial‑off‑the‑shelf (COTS) products only (who do not otherwise process, store, or transmit FCI/CUI for the contract) are normally exempt from CMMC requirements.

In practice, the vast majority of non‑COTS contractors and subs in the defense supply chain that touch FCI or CUI will have to meet a specified CMMC level once the program is fully phased into contracts.

When is compliance with CMMC required and are there phased deadlines?

Yes. CMMC compliance is being phased in over multiple years through War/DoD contracts, with explicit phase dates and deadlines.

Key timing and phases:

  • Program/legal basis:

    • The core CMMC program structure is set out in 32 CFR Part 170 (final “program rule” issued in late 2024).
    • The DFARS acquisition rule and the key contract clause DFARS 252.204‑7021 were finalized on September 10, 2025, with an effective date of November 10, 2025; this is what allows contracting officers to start putting CMMC levels into contracts.
  • Phase 1 (Nov 10, 2025 – Nov 9/10, 2026):

    • Contracting officers may include CMMC Level 1 and Level 2 self‑assessment requirements in selected new solicitations and contracts.
    • Focus is on getting companies to perform and report self‑assessments and affirmations into SPRS.
  • Phase 2 (Nov 10, 2026 – Nov 9, 2027):

    • DoD/War solicitations and contracts may start to require Level 2 third‑party (C3PAO) assessments where appropriate.
  • Phase 3 (overlapping period around Nov 10, 2026 – Nov 9, 2027, per implementing guidance):

    • Selected higher‑sensitivity programs may begin requiring Level 3 government‑led assessments (DCMA DIBCAC), alongside Level 2 C3PAO assessments.
  • Phase 4 (beginning Nov 10, 2028):

    • For all War/DoD contracts that require systems to process, store, or transmit FCI or CUI, the appropriate CMMC level must be included as a condition of award.
    • COTS‑only contracts remain generally exempt.

Thus, CMMC requirements appear in a growing share of new solicitations between late 2025 and late 2028; by late 2028, being at the required CMMC level is effectively mandatory for all applicable contracts.

Will CMMC implementation impose new costs or requirements that could affect small or specialized defense contractors?

Yes. CMMC introduces new assessment and compliance obligations that carry real costs, which can be significant for small and specialized contractors, although the program has been adjusted in part to reduce that burden.

New requirements and potential impacts:

  • Direct assessment and affirmation costs:

    • DoD’s own cost projections for CMMC 2.0 show that:
      • A Level 1 self‑assessment and affirmation is estimated at roughly $4,000–$6,000 per year per entity.
      • A Level 2 self‑assessment (triennial) plus annual affirmations is estimated at more than $37,000 for small entities and nearly $49,000 for larger entities (over a 3‑year cycle).
      • A Level 2 third‑party (C3PAO) certification assessment plus affirmations is projected at about $105,000 for small entities and $118,000 for larger entities per 3‑year cycle.
      • Level 3 requirements add substantial additional engineering and maintenance costs (DoD estimates hundreds of thousands to millions of dollars over time for small vs. large entities).
  • Implementation/upgrade costs:

    • DoD assumes many NIST SP 800‑171 controls are already required under existing DFARS obligations, but in practice many small and niche contractors may need to invest in new tools, managed services, staff time, and consulting to actually meet the controls and prepare for assessments.
  • Program changes meant to ease burden, especially for small businesses:

    • CMMC 2.0 reduced the model from 5 levels to 3 and re‑introduced self‑assessments for Level 1 and some Level 2 contracts.
    • The Office of Small Business Programs and Project Spectrum offer free training, self‑assessment tools, and advisory support targeted to small and medium‑sized firms.
    • Policymakers have discussed measures such as potential tax credits or other support to offset CMMC costs for smaller contractors.

In short, CMMC will impose new, sometimes substantial compliance and audit costs, particularly on small and specialized defense contractors, even as the 2.0 design attempts to moderate those impacts and offer support resources.

Which office or officials within the War Department are responsible for implementing and auditing CMMC compliance?

Responsibility for CMMC policy and program execution now sits primarily with the War/Defense Department’s Chief Information Officer (CIO) and the dedicated CMMC program office under that CIO, with additional roles for other offices in assessments and contracting.

Key organizations and officials:

  • DoD/War Chief Information Officer (CIO):

    • The DoD CIO is the lead office overseeing the CMMC program, including its structure, cybersecurity requirements, and oversight of professional and ethical standards for assessments.
    • Responsibility for CMMC was explicitly shifted from the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) to the DoD CIO as part of CMMC 2.0.
  • CMMC Program Office under the CIO:

    • Manages the overall program, guidance, and phased implementation (including the “Phased Implementation of CMMC Requirements Has Begun!” initiative noted on the CIO’s CMMC site).
  • Defense Contract Management Agency (DCMA) – Defense Industrial Base Cybersecurity Assessment Center (DIBCAC):

    • Conducts Level 3 government‑led assessments and plays a central role in auditing high‑risk contractors.
  • Contracting community (through DFARS clauses):

    • Implementation in individual contracts is enforced via DFARS clauses such as 252.204‑7021, which contracting officers must include and enforce once CMMC levels are required.

Together, the CIO/CMMC Program Office sets and oversees the program, DCMA DIBCAC performs top‑tier government audits, and contracting officers enforce compliance via contract terms and award eligibility.
