CMMC Final Rule: Key Changes and Their Impact on Defense Contractors

01/31/2025 11:35 AM | Mardi Humphreys (Administrator)


The Cybersecurity Maturity Model Certification (CMMC) program, designed by the Department of Defense (DoD) to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), has undergone significant updates between its proposed rule in December 2023 and its final rule in October 2024. These changes reflect the DoD’s effort to balance cybersecurity requirements with practical considerations for contractors. With the final rule taking effect on December 16, 2024, understanding these changes is critical for contractors preparing for assessment.

One of the most important changes in the final rule is the introduction of a clearly defined phased implementation plan. The proposed rule hinted at a gradual rollout but lacked specific milestones or timelines. The final rule addresses this by implementing a four-phase plan. Phase 1 introduces mandatory self-assessments for contractors handling FCI. Phase 2 brings in Level 2 certifications for select contracts involving CUI. Phase 3 extends certification requirements to high-priority programs through Level 3 assessments. Finally, Phase 4 marks the full implementation of CMMC requirements across all applicable DoD contracts. This structured approach ensures contractors have the time to adapt while the DoD scales its assessment capabilities. Initial estimates state that approximately 80,000 defense contractors require Level 2 Certification, so with a phased rollout the accreditation body and assessment ecosystem should be able to scale to meet the initial demand for assessments.

Flexibility for Level 2 compliance has also been enhanced in the final rule through the introduction of conditional certification. Under the proposed rule, contractors were required to fully implement all 110 NIST SP 800-171 Rev 2 controls before achieving certification. The final rule now allows for conditional certification if contractors meet at least 80% of these requirements, provided they address gaps through a Plan of Action and Milestones (POA&M). This conditional status enables contractors to bid on contracts while granting them 180 days to close security gaps. However, failure to meet this deadline results in certification expiration, demonstrating that while the rule allows flexibility, it does not compromise accountability.

The role of POA&Ms has been significantly refined. The proposed rule permitted their use but lacked clear guidelines on timelines and follow-ups. The final rule establishes firm deadlines, requiring all security gaps documented in POA&Ms to be resolved within 180 days. A POA&M closeout assessment is then mandated to verify compliance before final certification is granted. This change ensures that contractors address vulnerabilities promptly, mitigating the risks of long-standing cybersecurity weaknesses.

The certification levels themselves have been clarified in the final rule. While the proposed rule outlined the three levels of CMMC, the final rule provides greater detail on the assessment processes and their frequency. Level 1 now mandates annual self-assessments for contractors handling FCI, with results reported in the Supplier Performance Risk System (SPRS). Level 2 introduces a distinction between self-assessments and third-party assessments conducted by CMMC Third-Party Assessment Organizations (C3PAOs). For Level 3, which is required for contractors handling critical CUI, assessments will be conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), with Level 2 certification as a prerequisite.

Another area of improvement is the tracking and affirmation of compliance. The proposed rule required annual affirmations from senior officials but did not elaborate on enforcement or tracking mechanisms. The final rule enforces these affirmations across all certification levels, with contractors required to submit them annually through SPRS. Failure to affirm compliance results in the automatic lapse of certification, reinforcing the need for continuous cybersecurity maintenance rather than viewing CMMC as a one-time achievement.

The integration of SPRS and the CMMC Enterprise Mission Assurance Support Service (eMASS) is another key update. While the proposed rule primarily relied on SPRS for self-assessment score submissions, the final rule expands this functionality. SPRS is now used for Levels 1 and 2 (Self) assessments, while eMASS is designated for third-party assessments at Level 2 (C3PAO) and Level 3. Assessment results are automatically transmitted to SPRS from eMASS, creating a seamless and centralized compliance tracking system.

Scoping requirements have also been expanded and clarified in the final rule. The proposed rule provided limited guidance on defining in-scope systems and the role of External Service Providers (ESPs). In contrast, the final rule introduces clear scoping categories, including Contractor Risk Managed Assets, Security Protection Assets, and Specialized Assets. It also requires ESPs to meet equivalent CMMC security requirements when processing CUI, but it does not require ESPs to obtain the same CMMC certification level as their clients. These changes enhance clarity and ensure that contractors appropriately define the scope of their cybersecurity efforts.

As the CMMC program evolves, contractors must prepare to align their cybersecurity programs with these updated requirements. The final rule reinforces the DoD’s commitment to safeguarding national security through a robust, scalable, and enforceable cybersecurity framework. For contractors, the path to compliance is not only a contractual obligation but a critical step in strengthening their resilience against cyber threats. Now is the time to act, ensuring readiness for the challenges and opportunities that the CMMC program brings.

Eric Parsley is a cybersecurity executive specializing in Governance, Risk, and Compliance (GRC). He is a vCISO for Expedient Technology Solutions, which offers cybersecurity-focused MSP/MSSP services. Eric holds a Master’s degree in Cybersecurity & Information Assurance and is a CMMC Certified Assessor.
