On January 31, 2020, the Department of Defense (DoD) issued the widely anticipated final version (v.1) of its Cybersecurity Maturity Model Certification (CMMC) Model. The version followed seven drafts and multiple rounds of comments from the contracting community. In the lead-up to the release, DoD representatives walked back the timing for full implementation of CMMC. Contractors will all need to be certified in the coming years, but concerns about a mad scramble towards certification of the entire defense industrial base in calendar year 2020 have now been allayed.

As we have previously described, CMMC represents a major pivot in DoD’s approach to cybersecurity compliance. First, contractors and subcontractors will no longer self-certify their compliance with security requirements but instead will have their IT systems evaluated for compliance by neutral third-party evaluators. Second, all contractors and subcontractors will now need to meet some level of certification and all will need to be evaluated, not just those companies that generate, possess, transmit, or store “covered defense information.”

When the CMMC was first announced in the summer of 2019, the timing for implementation was ambitious. DoD stood by the aggressive timeline until very recently, when it became clear that it was simply not going to be possible to have the program up and running in full this year. Now, DoD has indicated it will take a slower approach – described by Undersecretary of Defense for Acquisition and Sustainment Ellen Lord as a “crawl, walk, run” toward CMMC. The new standards will be phased in over the next five years so that, by fiscal year 2026, all DoD contracts will include CMMC requirements. The requirements will first start to be included in a limited number of requests for information around June of this year, and then in requests for proposals in September or October. See here for a complete video of the DoD presentation with commentary by Undersecretary Lord and others.

DoD has helpfully created a briefing chart and series of appendices available here that provide additional guidance and references.