CMMC Final Rule

    Tim Mektrakarn

    March 15, 2025

    20 Key Takeaways from the CMMC Final Rule for SMBs

    The U.S. Department of Defense (DoD) published the final Cybersecurity Maturity Model Certification (CMMC) program rule (32 CFR Part 170) on October 15, 2024, and it’s crucial for small and medium businesses (SMBs) in the defense industrial base to understand how it affects them. Cybersecurity is no longer optional if you’re working with the DoD: the CMMC final rule standardizes how contractors must protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), and it makes that protection a verified condition of contract award rather than a promise in a clause.

    If you’re a small business working with the defense sector, here are the top 20 key takeaways from the CMMC final rule that you need to know:

    Overview of CMMC Final Rule

    The CMMC final rule establishes a three-tiered certification system, ensuring SMBs in the defense sector meet standardized cybersecurity requirements. Here’s a breakdown of the key takeaways, starting with certification levels.

    1. CMMC Certification Levels

    CMMC 2.0 has three certification levels, phased into contracts over a multi-year rollout (see takeaway 3) rather than required all at once in 2025. Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21 for FCI. Level 2 requires all 110 security requirements of NIST SP 800-171 Revision 2 for CUI. Level 3 adds 24 requirements selected from NIST SP 800-172 for the most sensitive programs and is assessed by the government rather than by a commercial assessor. The level a contract requires is stated in the solicitation, so most SMBs will need Level 1 or Level 2.


    2. Assessment Types for Each Level

    Each level pairs with a specific assessment type. Level 1 is a self-assessment whose result and affirmation are entered in the Supplier Performance Risk System (SPRS). Level 2 comes in two variants that the DoD selects per solicitation: a Level 2 self-assessment, also recorded in SPRS, or a Level 2 certification assessment performed by a Certified Third-Party Assessment Organization (C3PAO). Level 3, for the highest-risk programs, is assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and a Level 2 C3PAO certification is a prerequisite. Takeaway 7 covers each in more detail.

    3. Phased Implementation Plan

    The Department of Defense (DoD) has laid out a phased CMMC implementation timeline to give contractors time to comply. The clock starts when the companion acquisition rule (the DFARS contract clause under 48 C.F.R.) takes effect, so the calendar dates below are expectations, not fixed deadlines:

    • Phase 1: Begins on the effective date of the 48 C.F.R. Part 204 rule (expected early to mid-2025). New solicitations will carry CMMC Level 1 or Level 2 self-assessment requirements, and contractors must have the self-assessment and affirmation in SPRS when bidding. The DoD may require a Level 2 C3PAO certification in selected solicitations at its discretion, but broad third-party certification is not yet mandatory.
    • Phase 2: Starting one year after Phase 1 (expected early to mid-2026), the DoD will require CMMC Level 2 C3PAO certification as a condition of award for applicable contracts involving CUI. Contractors on those programs need a completed certification assessment by then to remain eligible.
    • Phase 3: Beginning one year after Phase 2 (expected early to mid-2027), Level 2 C3PAO certification also becomes a condition for exercising option periods on applicable contracts awarded after the rule’s effective date, and CMMC Level 3 (DIBCAC) requirements start appearing in solicitations for contracts involving the most sensitive CUI.
    • Phase 4: One year after Phase 3 (expected early to mid-2028), CMMC requirements apply to all applicable solicitations and option periods regardless of award date. At this stage every contractor and subcontractor in scope must hold the appropriate CMMC status to do DoD business.

    This timeline gives contractors time to understand and implement the necessary cybersecurity measures, but it also means a Level 2 C3PAO assessment, with its scheduling lead time and the 180-day POA&M window, should be planned now rather than in 2026.

    4. Certification Validity and Annual Affirmation

    Once certified, a company’s CMMC status is valid for three years; this applies to Level 2 self-assessments as well as to Level 2 C3PAO and Level 3 DIBCAC certifications. A Level 1 self-assessment, by contrast, must be repeated every year. In all cases a senior company official must submit an annual affirmation in SPRS attesting that the requirements are still implemented, and a missed affirmation causes the status to lapse. Achieving CMMC compliance is therefore not a one-time effort but requires ongoing vigilance.

    5. Plan of Action and Milestones (POA&M)

    If a company does not meet every requirement during a CMMC Level 2 assessment, it may be granted “Conditional” status rather than failing outright. To qualify, the assessment score must be at least 88 out of 110 (80 percent), and every unmet requirement must be eligible for a Plan of Action and Milestones (POA&M). Eligibility is narrow: only requirements worth 1 point in the scoring methodology may be placed on a POA&M (the one exception is the CUI encryption requirement, 3.13.11, when encryption is in place but not yet FIPS-validated), and a handful of requirements can never be on a POA&M. A missing 5-point control such as multi-factor authentication therefore blocks Conditional status even when the score is above 88.

    The POA&M lists the remediation steps for each gap and must be closed out within 180 days of the conditional assessment, confirmed by a close-out assessment (performed by the C3PAO for a Level 2 C3PAO assessment, or by the company itself for a Level 2 self-assessment). This lets small and medium-sized businesses (SMBs) keep competing for contracts while they finish remediation.

    Failure to close out all POA&M items within the 180-day window causes the Conditional status to expire, making the contractor ineligible for further awards requiring CMMC Level 2 until a new assessment demonstrates full compliance. Level 1 permits no POA&Ms at all.


    6. Requirements for Subcontractors

    Prime contractors are responsible for ensuring that their subcontractors comply with the appropriate Cybersecurity Maturity Model Certification (CMMC) level when handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

    This requirement, known as “flow-down,” means prime contractors must include the CMMC requirement in their subcontracts and may not award a covered subcontract to a firm that lacks the required status. It applies only to subcontractors that will actually receive FCI or CUI; a supplier of commercial off-the-shelf items that never touches the data is outside the program.

    The required CMMC level for subcontractors depends on the type of information they handle:

    • Subcontractors Handling Only FCI: Must achieve at least CMMC Level 1, which involves implementing basic cybersecurity practices.
    • Subcontractors Handling CUI: Must attain at least CMMC Level 2, aligning with the 110 controls outlined in NIST SP 800-171, at the same assessment type (self-assessment or C3PAO) that the prime’s contract specifies for the CUI being passed down.

    Failure of a subcontractor to comply with the necessary CMMC requirements can jeopardize the prime contractor’s eligibility for Department of Defense (DoD) contracts. Therefore, it is essential for prime contractors to:

    1. Communicate Requirements: Clearly convey CMMC obligations, and the specific level and assessment type, to all subcontractors before they receive any FCI or CUI.
    2. Verify Compliance: Check subcontractors’ CMMC status in SPRS before award and periodically thereafter, and keep a record of what was checked and when.
    3. Provide Support: Assist subcontractors in achieving and maintaining the required CMMC levels.

    By proactively managing these aspects, prime contractors can keep their entire supply chain compliant, safeguarding sensitive information and maintaining eligibility for DoD contracts.

    Managing Third Parties and Service Providers

    Compliance extends beyond your own organization: subcontractors and service providers that touch FCI or CUI must also meet CMMC standards. Managing them proactively prevents compliance gaps and security risks. The following takeaways cover how.

    7. Self-Assessment vs. Third-Party Assessment

    Under the Cybersecurity Maturity Model Certification (CMMC) framework, who performs the assessment depends on the level and, for Level 2, on what the solicitation requires:

    • Level 1 (Foundational): Organizations handling only Federal Contract Information (FCI) perform an annual self-assessment against the 15 basic safeguarding requirements of FAR clause 52.204-21 and record the result, with a senior official’s affirmation, in SPRS.
    • Level 2 (Advanced): Organizations handling Controlled Unclassified Information (CUI) must implement the 110 security requirements of NIST SP 800-171 Revision 2. Which assessment type applies is set by the DoD in each solicitation, not chosen by the contractor:
      • Level 2 (C3PAO): For programs the DoD considers more sensitive, a Certified Third-Party Assessment Organization (C3PAO) performs the assessment every three years, and the contractor affirms continued compliance annually.
      • Level 2 (Self): For other CUI-handling contracts, the organization performs a self-assessment every three years, reports it in SPRS and affirms annually. This keeps costs down for smaller businesses, but the scoring methodology and POA&M rules are identical to those of a C3PAO assessment.
    • Level 3 (Expert): Designed for organizations handling the most sensitive CUI and facing advanced persistent threats, Level 3 requires 24 additional requirements selected from NIST SP 800-172 on top of a Level 2 C3PAO certification. Assessments at this level are conducted by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years, with annual affirmation.

    This tiered approach matches the rigor of the assessment to the sensitivity of the information handled, while keeping the cost manageable for smaller businesses on less sensitive work.

    8. Cloud Providers and FedRAMP Requirements

    Cloud Service Providers (CSPs) that process, store or transmit Controlled Unclassified Information (CUI) on your behalf must be FedRAMP Moderate authorized or meet the DoD’s FedRAMP Moderate equivalency criteria. Equivalency is not something a vendor can simply claim: it has to be demonstrated with a body of evidence from a FedRAMP-recognized third-party assessor. Small and medium-sized businesses (SMBs) should ask each CSP for its authorization or equivalency evidence and for a customer responsibility matrix showing which NIST SP 800-171 requirements the CSP covers and which remain yours. The commercial tier of a mainstream cloud suite is often not the FedRAMP Moderate tier, so check the specific service and region you actually use. A CSP that falls short leaves your CUI unprotected and will surface as NOT MET requirements in your own assessment.

    9. Using Managed Service Providers (MSPs) and External Service Providers (ESPs)

    Under the Cybersecurity Maturity Model Certification (CMMC) program rule, an External Service Provider (ESP) is any outside organization, including a Managed Service Provider (MSP), that provides services to your company and in doing so processes, stores or transmits Federal Contract Information (FCI), Controlled Unclassified Information (CUI) or Security Protection Data (for example your logs, backups or vulnerability scan results). How the ESP is handled depends on what kind of provider it is and what data it touches.

    Compliance Requirements

    If the ESP is a cloud service provider and it handles CUI, it must be FedRAMP Moderate authorized or equivalent (see takeaway 8). A CSP that handles only Security Protection Data does not need FedRAMP Moderate, but the services it provides are still within the scope of your assessment. A non-cloud ESP, such as an MSP that remotely administers your endpoints, is not required under the final rule to hold its own CMMC certification; instead, the services it performs for you are assessed as part of your assessment. An ESP may voluntarily obtain its own CMMC Level 2 certification, which simplifies your assessment because the assessor can rely on it for the requirements the ESP owns.

    Assessment Participation

    Your System Security Plan (SSP) must describe the ESP’s services, and a customer responsibility matrix (CRM) must spell out, requirement by requirement, which of the 110 controls the ESP implements, which you implement and which are shared. Expect the assessor to examine that matrix and to collect evidence from, or interview, the ESP for the controls it owns. Gaps in the matrix count against you, not the provider.

    Recommendations

    Before signing with an MSP or ESP, get in writing which CMMC requirements it will own, where your CUI will reside, whether any of its own tooling is cloud-hosted and FedRAMP Moderate authorized, and how it will supply evidence at assessment time. Then verify its status regularly, as with any subcontractor.

    10. Scoping Information Systems

    To comply with CMMC, organizations first determine which systems are within scope: everything that processes, stores or transmits FCI or CUI, plus the systems that protect them. The Level 2 scoping guidance sorts assets into CUI assets, Security Protection Assets (such as your directory, SIEM or MFA service), Contractor Risk Managed Assets, Specialized Assets (OT, IoT and test equipment) and out-of-scope assets, and the assessor expects each category to be documented in the SSP, asset inventory and network diagram. Scoping tightly, for example by moving CUI work into a dedicated enclave, is the biggest lever an SMB has on cost, because it shrinks the set of systems that must satisfy all 110 requirements.

    11. Scoring and Maintaining Compliance

    The Cybersecurity Maturity Model Certification (CMMC) scoring methodology rates each security requirement as “MET,” “NOT MET,” or “NOT APPLICABLE.” A requirement is MET only when every assessment objective in NIST SP 800-171A for that requirement is satisfied; a control implemented on most but not all in-scope systems is NOT MET. Achieving MET across all applicable requirements is what certification ultimately requires.

    Scoring Details:

    • Level 1: All 15 basic safeguarding requirements must be MET. No Plans of Action and Milestones (POA&Ms) are permitted at Level 1.
    • Level 2: The 110 requirements are weighted 1, 3 or 5 points according to the impact of leaving them unimplemented. The score starts at 110, and the weight of each NOT MET requirement is deducted. Because the weights total far more than 110, the score can go well below zero. A System Security Plan is a precondition: without one, the assessment cannot be scored at all.

    Continuous Improvement:

    Understanding your organization’s CMMC score and promptly addressing deficiencies is crucial to maintain eligibility for Department of Defense contracts. The scoring methodology encourages continuous improvement, allowing businesses to track progress over time and stay ahead of evolving cybersecurity threats.
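The Level 2 scoring and Conditional-status rules from takeaways 5 and 11 are easier to reason about in code. The following is an added example, not part of the original article: the requirement weights are a constructed sample covering 15 of the 110 requirements (the real table is in the DoD Assessment Methodology annex), the POA&M eligibility test (1-point items only) comes from 32 CFR 170.21 rather than from this article, and the partial-credit exception for 3.13.11 is not modelled.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample of requirement weights. The CMMC scoring methodology gives
# each of the 110 NIST SP 800-171 Rev 2 requirements a value of 1, 3 or 5
# points; this hand-picked subset is for illustration only, so populate it
# from the DoD Assessment Methodology annex before relying on the numbers.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.5": 3, "3.1.8": 1,
    "3.3.1": 5, "3.4.1": 5, "3.5.3": 5, "3.8.1": 3, "3.11.2": 5,
    "3.11.3": 1, "3.13.8": 3, "3.13.11": 5, "3.13.16": 1, "3.14.6": 5,
}
MAX_SCORE = 110
CONDITIONAL_MIN = 88       # 80 % of 110: the floor for Conditional Level 2 status
POAM_CLOSEOUT_DAYS = 180   # Conditional status expires if the POA&M is still open


@dataclass
class Outcome:
    score: int
    unmet: list
    status: str                       # "Final", "Conditional" or "Not eligible"
    reason: str
    poam_deadline: Optional[date] = None


def compute_score(results):
    """results maps requirement id -> "MET" | "NOT MET" | "NOT APPLICABLE".

    Only NOT MET requirements deduct; MET and N/A deduct nothing, and any
    requirement absent from `results` is treated as MET. The result is not
    clamped at zero: with the full weight table a weak environment scores
    negative, exactly as the DoD methodology intends.
    """
    unmet = sorted(r for r, s in results.items() if s == "NOT MET")
    unknown = [r for r in unmet if r not in WEIGHTS]
    if unknown:
        # Refuse to under-count: a NOT MET item with no weight would silently
        # inflate the score.
        raise ValueError(f"no weight for requirement(s) {unknown}")
    return MAX_SCORE - sum(WEIGHTS[r] for r in unmet), unmet


def poam_eligible(req):
    """32 CFR 170.21 limits POA&M items to 1-point requirements. The rule's
    narrow exception (3.13.11 when scored at 3 under partial credit) and its
    short list of never-eligible requirements are not modelled here."""
    return WEIGHTS[req] == 1


def evaluate(results, assessment_date):
    """Apply the Conditional-status rules to one Level 2 assessment."""
    if isinstance(assessment_date, str):
        assessment_date = date.fromisoformat(assessment_date)
    score, unmet = compute_score(results)
    if not unmet:
        return Outcome(score, unmet, "Final", "all requirements MET")
    if score < CONDITIONAL_MIN:
        return Outcome(score, unmet, "Not eligible",
                       f"score {score} is below {CONDITIONAL_MIN}")
    blocked = [r for r in unmet if not poam_eligible(r)]
    if blocked:
        return Outcome(score, unmet, "Not eligible",
                       f"not POA&M-eligible (worth more than 1 point): {blocked}")
    deadline = assessment_date + timedelta(days=POAM_CLOSEOUT_DAYS)
    return Outcome(score, unmet, "Conditional",
                   f"close out {len(unmet)} POA&M item(s) by {deadline.isoformat()}",
                   deadline)


if __name__ == "__main__":
    # Constructed assessment results for a hypothetical SMB, not real data.
    assessed = "2025-03-15"
    scenarios = {
        "three 1-point gaps": {"3.1.3": "NOT MET", "3.11.3": "NOT MET",
                               "3.13.16": "NOT MET", "3.1.8": "MET",
                               "3.8.1": "NOT APPLICABLE"},
        "MFA missing":        {"3.5.3": "NOT MET", "3.1.3": "NOT MET"},
        "nothing done":       {r: "NOT MET" for r in WEIGHTS},
    }
    for label, results in scenarios.items():
        o = evaluate(results, assessed)
        print(f"{label:20} score={o.score:4}  {o.status:13} {o.reason}")
```

The second scenario is the one that surprises people: a score of 104 is comfortably above 88, yet the missing MFA requirement (3.5.3, 5 points) cannot go on a POA&M, so the outcome is a failed assessment, not Conditional status. The third scenario shows the score-floor check firing first; with the full 110-requirement table the same environment would score negative.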

    12. Importance of Incident Response Plans

    Developing and exercising an incident response plan is required under CMMC Level 2. The Incident Response family of NIST SP 800-171 (3.6.1 through 3.6.3) calls for an operational capability to prepare for, detect, analyze, contain, recover from and report incidents; for tracking and reporting incidents to designated officials inside and outside the organization; and for testing the plan. Two reporting clocks matter for DoD contractors: DFARS 252.204-7012 requires reporting cyber incidents affecting CUI to the DoD within 72 hours of discovery, and the proposed CMMC contract clause requires notifying the Contracting Officer within 72 hours of any lapse in information security or change in CMMC status. A rehearsed plan is what makes those deadlines achievable, and a plan that has never been tested leaves 3.6.3 NOT MET.

    Implementing Controls Based on NIST 800-171

    NIST SP 800-171 defines the 110 security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and is the basis of CMMC Level 2. Federal Contract Information (FCI) is covered by the 15 basic safeguards of FAR 52.204-21, which are drawn from the same requirements. The CMMC framework adopts these controls so that SMBs have one list to implement and be assessed against.

    Below are key measures to reduce risks and maintain eligibility for government contracts.

    13. Employee Training and Awareness

    Employee training and awareness programs are essential components of maintaining cybersecurity within an organization. The Cybersecurity Maturity Model Certification (CMMC) framework emphasizes continuous training to ensure all employees understand their roles in protecting sensitive information. Regular training sessions help reduce human error, a significant cybersecurity vulnerability.

    Key Aspects of Employee Training Under CMMC:

    1. Security Awareness: All personnel should be informed about security risks associated with their activities and the organization’s policies, standards, and procedures.
    2. Role-Based Training: Employees must receive training tailored to their specific roles, ensuring they can effectively carry out their information security-related duties.
    3. Insider Threat Awareness: Training programs should include content on recognizing and reporting potential indicators of insider threats.

    Implementing these training initiatives fosters a culture of security awareness, enhances the organization’s cybersecurity posture, and aligns with CMMC requirements.

    14. Multi-Factor Authentication (MFA)

    MFA adds security by requiring two or more verification factors: something you know (a password), something you have (a security key or authenticator app) or something you are (a biometric). NIST SP 800-171 requirement 3.5.3, which CMMC Level 2 adopts, mandates MFA for:

    • Privileged accounts: Required for both local and network access.
    • Non-privileged accounts: Required for network access.

    In practice that means a domain administrator logging on at the console needs a second factor, not just a password, and every user reaching a CUI system over the network does too. Level 1 (FCI only) has no MFA requirement, but at Level 2 MFA is a 5-point requirement that cannot be deferred on a POA&M, so it is usually the first control an SMB should close. Enforce it at the directory or identity provider, the VPN, email and every cloud console that touches CUI, and do not quietly exempt administrative or break-glass accounts.

    15. Regular Vulnerability Assessments

    Regular vulnerability assessments are a CMMC Level 2 requirement. Requirement 3.11.2 calls for scanning systems and applications for vulnerabilities periodically and whenever new vulnerabilities affecting them are identified, and 3.11.3 for remediating what is found in accordance with your risk assessment. Define the cadence in writing (monthly is common), scan with credentials wherever possible so missing patches are actually visible, and keep the scan reports and remediation tickets: assessors look for evidence that findings were fixed, not just that a scanner exists.

    16. Configuration Management

    Configuration management means knowing and controlling the state of every in-scope system across its lifecycle. Under CMMC Level 2 that includes documented baseline configurations and inventories (3.4.1), enforced security configuration settings such as CIS or DISA STIG benchmarks (3.4.2), change control with security impact analysis (3.4.3 and 3.4.4), least functionality with unnecessary services, ports and software removed (3.4.6), and control over user-installed software (3.4.9). Drift from the baseline is both a security gap and an assessment finding, so an SMB needs a way to detect it, not just a document describing the intended state.

    17. Encryption Requirements

    Encryption of CUI in transit (requirement 3.13.8) and at rest (3.13.16) is required, and 3.13.11 adds the detail that trips up many SMBs: any cryptography used to protect CUI must be FIPS-validated, meaning the cryptographic module holds a NIST CMVP certificate, not merely that it uses AES or TLS 1.2. Check the module names and certificate numbers for your VPN, disk encryption, email and file-sharing tools and record them in the SSP. An unvalidated module leaves 3.13.11 NOT MET, and it is a 5-point requirement.

    18. Access Control Policies

    CMMC requires businesses to implement strict access control policies: only authorized users, processes and devices may reach systems holding FCI or CUI (3.1.1), and each is limited to the transactions and functions its role needs (3.1.2). Level 2 adds separation of duties, least privilege, control over remote and wireless access, and limits on mobile devices and portable storage. For an SMB the practical work is a documented, periodically reviewed list of who has access to the CUI environment and why, with prompt removal when people change roles or leave.

    19. Monitoring and Logging

    Monitoring and logging are how unauthorized activity gets detected and how an assessor confirms the other controls are working. The Audit and Accountability family (3.3.1 through 3.3.9) requires businesses to log system activity in enough detail to trace actions to individual users, retain the logs long enough to support investigations, protect them from alteration and deletion, synchronize system clocks to an authoritative time source, and review and correlate the logs regularly. Requirements 3.14.6 and 3.14.7 additionally call for monitoring communications for attacks and identifying unauthorized use. For an SMB this usually means central log collection (a SIEM or a managed detection service) with alerting, plus a written review cadence and evidence that reviews happen. Effective monitoring helps identify issues before they escalate into significant security breaches.

    20. Physical Security Measures

    Physical security is part of the Cybersecurity Maturity Model Certification (CMMC) framework at both levels. Level 1 already requires limiting physical access to authorized individuals, escorting visitors, keeping physical access logs and controlling keys and badges; Level 2 adds protecting and monitoring the facility and safeguarding CUI at alternate work sites. To comply, small and medium-sized businesses (SMBs) should implement the following measures:

    • Secure Facilities: Lock all entrances, exits, windows, server rooms, and wiring closets to prevent unauthorized access.
    • Access Control Systems: Utilize badge readers, biometric scanners, or keycards to limit facility access to authorized individuals. Maintain an inventory of these access devices and ensure they are assigned appropriately and revoked promptly when staff leave.
    • Visitor Management: Require visitors to sign in upon arrival, issue identifiable visitor badges, and ensure they are escorted at all times within the facility.
    • Monitoring: Install surveillance cameras at key entry points and sensitive areas to monitor and record physical access. Regularly review these logs to detect and respond to unauthorized access attempts.

    By implementing these physical security measures, SMBs can protect sensitive information and satisfy the Physical Protection requirements of CMMC.

    Final Thoughts

    The program rule (32 CFR Part 170) took effect on December 16, 2024; the contract clause that puts CMMC requirements into solicitations is a separate DFARS rulemaking under 48 CFR, and its effective date starts the phase-in clock. For SMBs in the defense sector, compliance with the CMMC Final Rule is a necessity, not an option. While the requirements may seem daunting, they are designed to ensure that sensitive information is adequately protected throughout the supply chain. By understanding these 20 key takeaways and planning accordingly, SMBs can take the necessary steps to achieve and maintain compliance while securing their position within the defense industry.

    About Bright Defense

    Bright Defense can help SMBs in the Defense Industrial Base (DIB) achieve CMMC Level 1 and Level 2 compliance efficiently and effectively. By leveraging compliance automation from Drata and secure Controlled Unclassified Information (CUI) management through PreVeil’s CUI Enclave, Bright Defense simplifies the path to compliance. Drata’s automated compliance platform streamlines the auditing process, ensuring that your organization meets key cybersecurity requirements without excessive manual effort. Meanwhile, PreVeil’s CUI Enclave provides an end-to-end encrypted environment for managing CUI, meeting strict DoD standards.

    Take the first step towards ensuring your compliance today. Partner with Bright Defense and benefit from a comprehensive solution that integrates the best of compliance automation and secure information handling. Contact us to learn more about how we can support your CMMC journey.
