The Race to CMMC Compliance: Understanding the DoD’s New Implementation Plan

Everything you need to know about the DoD’s new CMMC implementation plan, and how to prepare.

The DoD just released a proposed rule for implementation of all CMMC requirements by October 1, 2026. The plan will be implemented in four phases:

Upon revision to DFARS 252.204-7021, CMMC Model Certification Requirements, DoD will include CMMC Level 1 and 2 self-assessments in all applicable DoD contracts as a condition of award. Within six months, CMMC Level 2 certification assessments will be included in DoD contracts as a condition of award. One year after phase 2, DoD will include CMMC Level 3 certification assessments in DoD contracts as a condition of award. By 10/1/2026, CMMC program requirements will be included in all applicable DoD solicitations and contracts.

Depending on which CMMC level you fall into, this may not give you a lot of time to make sure you understand, implement, operationalize, and assess all the controls required to be eligible for federal contract awards.

“What is different about current contracting requirements and the new proposed rule?”

Right now, contractors who will be processing, transmitting, or storing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must implement security requirements defined in FAR 52-204-21 or DFARS 252.204-7012, respectively. The biggest change with the implementation of this phased approach is that now, the DoD will be able to verify that contractors are complying with those requirements. Depending on the sensitivity of the information and the specific contract, that could mean a self-assessment, C3PAO assessment, or DoD assessment. There are also new requirements for senior officials to affirm continuing compliance with applicable CMMC level controls.

“How do I know which assessment I have to complete?“

The type of assessment will be defined by your CMMC level, which is described in the DoD contract. The requirements for each CMMC level are as follows:

CMMC Level 1

Phase 1 - begins when DFARS 252.201-7021 is revised

• Contractors must implement the 15 security requirements required by FAR 52.204-21

• New: Contractors must verify through a self-assessment that all 15 security requirements have been implemented. This self-assessment must be performed annually, and results must be uploaded to the Supplier Performance Risk System (SPRS)

• New: A senior official must annually affirm continuing compliance with the security requirements, and the affirmation must be uploaded to the SPRS

CMMC Level 2

If self-assessment permitted, then will need to be completed in Phase 1. If C3PAO assessment required, then will be completed in Phase 2 - begins six months after phase 1, NLT 10/1/2024

• Contractors must implement the security requirements required by DFARS 252.204-7012, which align with NIST SP 800-171 (as of 12/27/2023, this includes the 110 requirements from NIST 800-171 revision 2)

• New: Contractors must verify through either a self-assessment or third party C3PAO assessment that all security requirements have been implemented. The contract will specify which type of assessment is required. Self-assessments must be completed on a triennial basis, and results must be uploaded to the SPRS. The C3PAO certification lasts up to three years, and the C3PAO will upload assessment results into the CMMC Enterprise Mission Assurance Support Service (eMASS).

  • All contractors at CMMC Level 2 are required to document a System Security Plan (SSP), which will serve as the foundation for the self-assessment. Hive Systems has developed an SSP template aligned with the new NIST SP 800-171 revision 3 requirements, available for download on our website.

  • New: Certain requirements will be allowed to have a Plan of Action and Milestones (POA&M). This allows contractors to still have the opportunity to be awarded contracts if they are conditionally self-assessed or certified; however, POA&Ms must be remediated within 180 days.

• New: A senior official must affirm continuing compliance with the security requirements after every assessment, after POA&Ms are closed out, and annually thereafter. The affirmation must be uploaded to the SPRS.

CMMC Level 3

Phase 3 - begins one year after phase 2, NLT 10/1/2025

• Contractors must implement the security requirements of CMMC Level 2, plus the additional 24 selected security requirements from NIST SP 800-172.

• New: Contractors must verify through DoD assessment that all security requirements have been implemented. The DoD certification lasts up to three years, and the DoD assessor will upload assessment results into the eMASS.

• New: Certain requirements will be allowed to have a Plan of Action and Milestones (POA&M). This allows contractors to still have the opportunity to be awarded contracts if they are conditionally self-assessed or certified; however, POA&Ms must be remediated within 180 days.

• New: A senior official must affirm continuing compliance with the security requirements after every assessment and annually thereafter. The affirmation must be uploaded to the SPRS.

The deadline for CMMC compliance through this new phased approach is rapidly approaching. If you need help understanding the requirements for your CMMC level, operationalizing the controls in your organization’s unique environment, or documenting your SSP, Hive Systems can help! Download our CMMC Level 2 SSP template and contact us today.