Cybersecurity Maturity Model Certification
Secure your future with CMMC compliance.
Unlock CMMC Certification Success with PAC’s Expert Guidance.
PAC is uniquely positioned to support your organisation’s compliance with both Australian and US cybersecurity frameworks.
PAC’s Infosec Registered Assessor Program (IRAP) consultants are also endorsed by the Cyber-AB – the Cybersecurity Maturity Model Certification (CMMC) accreditation body – to the Registered Practitioner Advanced (RPA) level, which allows consulting and implementation services for CMMC Level 1 (FCI) and Level 2 (CUI).
As a CMMC Registered Practitioner Organisation (RPO), our team can provide advice, consulting, and recommendations to other businesses to help them meet CMMC requirements. To achieve this, we will determine the appropriate certification level to target, conduct an audit-readiness assessment, address any gaps, document new processes and practices, test, validate, and document the results, resolve any remaining gaps after an audit, and remain engaged to ensure your progress undergoes periodic validation.
Diverse Experience
Trusted cybersecurity expertise across industries.
User-Centric
Blending security, operational needs and compliance for optimal performance.
Innovative Strategies
Our proactive strategies keep you safe from emerging threats.
Proven Results
A strong track record in delivering robust cybersecurity.
The CMMC framework provides a mechanism for DOD to verify contractor and sub-contractor compliance with cybersecurity requirements for protecting federal contract information (FCI) and controlled unclassified information (CUI).
The DOD is in the final stages of the rulemaking process and could begin phased implementation starting in late 2024.
With limited exceptions, the proposed rule indicated CMMC will be required for any business globally in the US DoD supply chain, including prime contractors, sub-contractors, and supply chain partners, if they handle FCI or CUI.
The US Defense Department’s Regulatory Impact Analysis indicated an estimated 220,000 US companies will be impacted by the CMMC final rule. It is unknown how many Australian and other international defense industrial base partners may be impacted.
If starting from a minimal cybersecurity baseline, compliance with NIST 800-171 rev2 can take 12-18 months. The number of systems within the scope of an assessment and documentation preparation all play key roles in assessment readiness timelines.
Your organisation’s CMMC compliance and assessment requirements will depend on the sensitivity of the data you’ll be working with. The proposed rule identifies the following three levels:
Level 1 – Federal Contract Information (FCI)
- Standard to be Met: FAR Clause 52.204-21
- Number of Requirements: 15
- Assessment Type: Self-Assessment
- Affirmation Requirement: Senior official from prime contractor and any applicable subcontractor required to annually affirm continuing compliance with the specified security requirements.
Level 2 – Controlled Unclassified Information (CUI)
- Standard to be Met: NIST SP 800-171 rev 2
- Number of requirements: 110
- Assessment Type: Self-Assessment or Third Party Certification – to be identified in contract
- Affirmation: A senior official from the prime contractor and any applicable subcontractor will be required to affirm continuing compliance with the specified security requirements after every assessment, including POA&M closeout, and annually thereafter.
Level 3
- Prerequisite: Must meet Level 2 certification before Level 3
- Standard to be Met: NIST SP 800-171 rev 2 + 24 selected requirements from NIST SP 800-172
- Number of requirements: 110 + 24 = 134 total
- Assessment Type: Self-Assessment or Third Party Certification – to be identified in contract
- Affirmation: A senior official from the prime contractor and any applicable subcontractor will be required to affirm continuing compliance with the specified security requirements after every assessment, including POA&M closeout, and annually thereafter.
Based upon the proposed rule and the recent class deviation announcement by DOD, CMMC is expected to assess compliance against NIST SP 800-171 rev2.
Federal contract information (FCI) is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
Controlled unclassified information (CUI) is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
The National Archives and Records Administration (NARA) is the Executive Agent (CUI EA), which issues guidance to US Executive branch departments and agencies that handle unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies.
The CUI program applies to not only Defense information but also other organizational index groups: critical infrastructure, export controls, financial, immigration, intelligence, international agreements, law enforcement, legal, natural and cultural resources, NATO, nuclear, patent, privacy, procurement and acquisition, proprietary business information, provisional, statistical, tax, and transportation.
Yes, revision 3 of NIST SP 800-171 is forthcoming, but on 2 May 2024 the US DoD issued a Defense Federal Acquisition Regulation Supplement (DFARS) class deviation that requires contractors subject to DFARS clause 252.204-7012 to comply with NIST SP 800-171 revision 2, instead of the version of NIST SP 800-171 in effect at the time a solicitation is issued.
The proposed rule does not include Australian standards, such as the Essential 8 or an Infosec Registered Assessors Program (IRAP) assessment. However, the proposed rule reserved space to allow for other standards acceptance. No timeline for reciprocity with international standards was included in the proposed rule.
Get in contact today
Work with us to protect your business and build a resilient cyber culture.
CANBERRA
Unit 2.04, 17 Moore Street
Canberra ACT 2601
WILLIAMTOWN
U 2.02 Building E 1 Technology PL
Williamtown NSW 2318
CONTACT
Phone +61 2 4081 2887
Email info@pacaerocon.com.au