
Published: March 14, 2025
Our new bulletin, Cyber Threat Watch, has been created to help small businesses stay up to date on the latest threats, news, and events affecting their business. The content has been curated to make cybersecurity easy and accessible for both technical and nontechnical readers.
Featured Cyber News — Cybersecurity Maturity Model Certification (CMMC)

With the latest updates to the Cybersecurity Maturity Model Certification (CMMC) 2.0 in October 2024, compliance will soon be essential for any organization seeking to work with the U.S. Department of Defense (DoD). However, these cybersecurity standards are not limited to U.S. companies—organizations worldwide that provide services to the DoD or are part of its supply chain must also meet the CMMC compliance requirements.

What is CMMC 2.0?
The CMMC 2.0 is a cybersecurity framework that ensures businesses working with the DoD have the necessary safeguards to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
FCI is government contract-related information that is not publicly available and requires basic safeguarding under FAR 52.204-21. CUI is information marked or identified as sensitive under the CUI program and requires the stricter safeguards of the NIST SP 800-171 security controls; the government entity procuring the services or products is responsible for identifying what qualifies as CUI. Put simply, all CUI is FCI, but not all FCI is CUI. If your business’s services or products may involve CUI, ask the DoD program manager responsible for the contract to confirm what applies.
First introduced in 2021, CMMC 2.0 was not a contract requirement at that time. The Final Rule (October 2024), however, has made CMMC compliance mandatory. Once the requirements are implemented, businesses will have to meet them to secure new contracts, renew existing ones, or continue working with the DoD.

Key Changes in the Latest Version
The latest update to CMMC 2.0 has simplified compliance while strengthening cybersecurity. Here’s what’s new:
- Three Levels of Certification (reduced from five):
- Level 1 (foundational; self-assessed): Basic security requirements for FCI
- Level 2 (advanced; self-assessed, or assessed by a Certified Third-Party Assessor Organization, C3PAO): Protection of CUI, aligned with NIST SP 800-171
- Level 3 (expert; assessed by the Defense Industrial Base Cybersecurity Assessment Center, DIBCAC): Highest level of security, required for critical DoD systems, with additional requirements from NIST SP 800-172
- Self-Assessments and Affirmations: Companies at Level 1, and those holding some Level 2 contracts, can self-certify annually, but a senior official must sign off on (affirm) compliance.
- Enforced Through Contracts: CMMC is a condition of contract eligibility, which means that companies must meet its requirements to secure or maintain DoD contracts.
Who Needs to Comply?
The CMMC requirements apply to all businesses that work within the DoD supply chain, including the following:
- Prime Contractors: Businesses that directly contract with the DoD
- Subcontractors: Businesses that support prime contractors in any capacity
- Third-Party Service Providers: Businesses that process, store, or transmit FCI or CUI as third-party providers to DoD contractors
- Non-U.S. Organizations: Businesses overseas that contract with the DoD or handle FCI or CUI within the DoD supply chain
Three-Year Implementation Plan: What Small Businesses Need to Know
The requirements of the CMMC 2.0 Final Rule (32 CFR part 170) will roll out over three years, starting 60 days after the publication of the 48 CFR part 204 acquisition rule, which is expected by mid-2025. Here’s what to expect:
- Phase 1 (2025)
- CMMC Level 1 (self-assessment) and Level 2 (self-assessment) required for some contracts
- Some contracts may require Level 2 (C3PAO assessment) audits, but this is not yet mandatory.
- Phase 2 (2026-2027)
- CMMC Level 2 (C3PAO assessment) required for many contracts handling CUI
- DoD may require Level 3 (DIBCAC assessment) for high-risk contracts.
- Phase 3 (2027-2028)
- CMMC Level 2 (C3PAO assessment) mandatory for all contracts handling CUI
- CMMC Level 3 (DIBCAC assessment) required for critical DoD programs
- Phase 4 (2028 and beyond)
- CMMC required for all new and renewed contracts—no exceptions
How to Prepare: A Quick Checklist
Small businesses should take action now to avoid disruptions in their DoD contract eligibility. Follow the quick checklist below to align with the CMMC 2.0 Final Rule:
- Determine Your Required Level: Check if your contract involves FCI or CUI and what CMMC level applies.
- Conduct a Self-Assessment: Use the NIST SP 800-171/172 controls to identify gaps in your cybersecurity readiness.
- Develop a Compliance Plan: Improve security measures if Level 2 or 3 applies to your business, and find a CMMC-accredited C3PAO.
- Secure Your Systems: Implement multi-factor authentication (MFA), endpoint protection, and encryption to meet security requirements.
- Train Your Team: Educate employees on cyber threats, secure data handling, and phishing prevention.
Conclusion
For small businesses offering professional services to the DoD, CMMC compliance is critical. These companies should start now to assess security gaps and prepare for the upcoming requirements. By aligning with the CMMC 2.0 framework early, your business can remain competitive and secure DoD contracts in the future.
The NCSS encourages businesses to adopt comprehensive security practices and stay informed about evolving cybersecurity requirements. We recommend you consider becoming an NCSS member to access a wide range of our services. For more information, visit our Small Business page.
References
https://dodcio.defense.gov/cmmc/About/
https://dodcio.defense.gov/Portals/0/Documents/CMMC/ModelOverviewv2.pdf
https://isoo.blogs.archives.gov/2020/06/19/%E2%80%8Bfci-and-cui-what-is-the-difference/
https://www.acquisition.gov/far/52.204-21
https://csrc.nist.gov/pubs/sp/800/171/r3/final
https://csrc.nist.gov/news/2021/nist-publishes-sp-800-172
https://prescientsecurity.com/blogs/cmmc-final-ruling-and-key-information
https://carbidesecure.com/resources/cmmc-what-canadian-organizations-need-to-know
https://www.osibeyond.com/blog/cmmc-final-rule-timeline/
https://ndisac.org/dibscc/cyberassist/cybersecurity-maturity-model-certification/level-1/
https://ndisac.org/dibscc/cyberassist/cybersecurity-maturity-model-certification/level-2/
https://ndisac.org/dibscc/cyberassist/cybersecurity-maturity-model-certification/level-3/

About the NCSS
The National Cybersecurity Society (NCSS) is committed to improving the online safety and security of the small business community through education, awareness, and advocacy. As a 501(c)(3) organization, the NCSS uses funds from charitable donations and grants to develop educational materials, webinars, weekly cyber tips, videos, and how-to guides. The organization’s goal is to enable and empower small and medium businesses to obtain cybersecurity services, assist them in understanding their cyber risk, and advise on the type of protection needed. We want to continue to grow our community and encourage you to tell other small businesses we are here to help.
The NCSS is committed to respecting the use of images in our communication efforts. Accordingly, unless otherwise specifically noted, the graphics in our bulletin are sourced under license from Adobe Stock. The header and footer images were designed and purchased through a contract with Eyedea Advertising & Design Studio.