CMMC Final Rule: 5 Key Takeaways for SMBs
EXECUTIVE BRIEF
The final Cybersecurity Maturity Model Certification (CMMC) rule is now in effect, providing clarity and actionable requirements for businesses across the Defense Industrial Base (DIB). From managing Controlled Unclassified Information (CUI) to understanding certification levels, here’s what small-to-medium-sized defense contractors must know to stay compliant, safeguard sensitive information systems, and remain competitive under the CMMC program.
Five key takeaways:
- Most defense contractors handling CUI will need to become Level 2 (C3PAO) certified.
- CMMC certification is required to accept award of new defense contracts.
- Plans of Action and Milestones (POA&M) are allowed but should not be the goal.
- C3PAOs can begin assessing defense contractors.
- While External Service Providers (ESPs) are not required to become CMMC certified, those who are can reduce the scope and costs of their customers’ audits.
What Is the CMMC Final Rule?
The CMMC final rule establishes a mandatory framework for protecting Federal Contract Information (FCI) and CUI. The U.S. Department of Defense (DoD) published the proposed rule on December 26, 2023. Now released in the Federal Register, the rule enforces cybersecurity standards derived from National Institute of Standards and Technology (NIST) SP 800-171. Codified under the Defense Federal Acquisition Regulation Supplement (DFARS) and the Code of Federal Regulations (CFR), the CMMC 2.0 framework features three certification levels with phased implementation from 2025 to 2028.
Is CMMC Rulemaking Complete?
CMMC rulemaking is officially final, and CMMC 2.0 is now being implemented across the DIB. With mandatory assessments and phased rollouts, contractors need a clear plan to comply. DoD contracts will begin including CMMC requirements starting Q2 2025, with full implementation by 2028.
What Is CMMC 2.0?
CMMC 2.0 is the streamlined version of the original framework, designed to simplify compliance while maintaining robust security. It features three certification levels:
- CMMC Level 1 – Foundational (FCI): Basic cybersecurity requirements with annual self-assessments
- CMMC Level 2 – Advanced (CUI): Compliance with 110 NIST SP 800-171 controls, assessed by CMMC Third-Party Assessment Organizations (C3PAOs)
- CMMC Level 3 – Expert (CUI): Advanced security measures, evaluated by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
What You Need to Know
1. Most prime contractors will require a Level 2 (C3PAO) certification for CUI subcontractors.
Why does this matter to you? There are technically two Level 2 certifications available to subcontractors. However, if your prime contractor is required to be either Level 2 (DIBCAC) or Level 2 (C3PAO) certified, all subcontractors handling CUI will be required to become Level 2 (C3PAO) certified as well.
Rule Subsection: §170.23
2. SMBs will have to be CMMC-certified to accept award of new contracts.
How does this impact you? CMMC certification is now a condition of contract award. The DoD considers it paramount to national security for SMBs to become compliant, since 73% of the DIB are small-to-medium-sized contractors. While the upfront investment may seem significant, compliance ensures eligibility for lucrative DoD contracts, protecting national security and securing your business’s future.
To help offset the costs, many SMB contractors plan to bake the CMMC-associated costs into their proposals.
Keep in mind: Contractors must conduct and report a CMMC Level 1 Self-Assessment in DoD’s Supplier Performance Risk System (SPRS) before the award of a CMMC Level 1 contract or subcontract.
3. Plan of Action & Milestones are allowed but should not be the goal.
What you need to know about POA&Ms: Yes, CMMC Levels 2 and 3 do allow for POA&Ms, but only for conditional certification status. All requirements that are scored as “not met” are identified in a POA&M. Conditional status is better than failing your certification assessment, but it is not something you should aim for. Conditional status requires contractors to remediate all controls listed on the POA&M and pass a closeout assessment within 180 days of their conditional status being posted.
Additionally, not all controls are allowed to be listed on your POA&M. Only “less critical controls” (those weighted at 1 point in the SPRS scoring methodology) are permitted.
4. Third-party assessments are scheduled to begin on December 16, 2024.
When should you schedule your audit? It is better to be early than late. However, it is important to make sure you are allotting enough time to address any deficiencies and prepare for your audit. Our advice is to begin with a self-assessment and gap analysis, determine how long your remediation and preparation efforts will take, and schedule your audit with some cushion time. A great starting point is the CMMC Readiness Signal, a free resource from ISI to help determine your current compliance posture.
Why does early preparation matter? Certified Third-Party Assessment Organizations (C3PAOs) will play a pivotal role in verifying compliance. Early scheduling is key to ensuring readiness. Defense contractors need to adapt to the CMMC program rule proactively. Early planning helps you:
- Avoid disruptions in the procurement process
- Secure eligibility for lucrative government contracts
- Meet phased requirements for CMMC compliance efficiently
ISI Insight: SMBs should allocate 9–12 months for preparation, depending on their current CMMC status. ISI offers security controls and expert-managed services to streamline this process.
5. CMMC-certified managed IT providers can reduce scope and cost.
Why does this matter to you? The final rule does not require External Service Providers (ESPs), including Cloud Service Providers (CSPs), to be CMMC-certified. However, working with non-certified ESPs will broaden your assessment scope, which will likely increase the cost due to the added risk and unpredictability.
On the other hand, choosing a CMMC-certified managed IT provider simplifies your scope and poses less risk. With fewer in-scope assets and a predictable environment, your audit will likely take less time and, in turn, cost less.
How ISI Supports Your Compliance Journey
Achieving CMMC certification isn’t just about meeting cybersecurity requirements; it’s about gaining a competitive edge. Non-compliance could result in lost contracts, reputational damage, and legal risks under the False Claims Act.
ISI brings 15+ years of experience in cybersecurity compliance and has supported over 900 contractors. Our tailored services include:
- CMMC & NIST Compliance Services: Streamline your path to meeting security requirements.
- Managed IT: Scalable IT infrastructure designed for DoD contractors.
- Proprietary Tools: Our advanced Security Control platform accelerates readiness with automated workflows and compliance tracking.
By integrating solutions across the supply chain, ISI helps clients meet the demands of CMMC assessments, mitigate risks, and gain a competitive edge.
Did you know? ISI has completed over 180 NIST SP Gap Assessments and supported 900+ contractors in their compliance journeys. Our security control platform greatly reduces administrative burdens by automating compliance processes.
Learn how ISI can support your organization during its compliance journey.
FAQ
When will CMMC requirements begin to appear in DoD contracts?
CMMC contract requirements can begin appearing in solicitations as early as Q2 2025. This will largely be focused on Level 1 (Self-Assessment), but the DoD is allowed to add Level 2 (C3PAO) certification requirements during this period as well for certain contracts. To mitigate any risk of losing lucrative defense contracts, it is in your best interest to become CMMC compliant as early as possible; early compliance ensures readiness for phased implementation.
How do I know if my organization handles CUI?
There are two quick ways to determine if your organization handles CUI:
- Check your contracts to see if there is a DFARS 7012 clause. If so, you are required to be able to process, store, or generate CUI.
- Check your DD254 in sections 10 and 11 to see what your organization is contractually obligated to handle.
How can I find a C3PAO to conduct my CMMC assessment?
When you are ready to schedule your assessment, go to the CyberAB.org website to find a list of certified CMMC 3rd-Party Assessment Organizations (C3PAOs) who can conduct your assessment. We highly encourage our customers to interview at least three C3PAOs before choosing one.
Do I need to become CMMC certified if I am a non-possessing facility?
Yes, even if you are a non-possessing facility, CMMC certification will be a contractual obligation for contractors mainly through flow-down requirements (e.g. DFARS 7012, 7019, 7020, 7021).
What is the annual affirmation requirement in the CMMC program?
The CMMC final rule requires contractors to submit an annual affirmation of their cybersecurity status. This declaration confirms that a company maintains compliance with the required CMMC level and continues to meet all security requirements. Annual affirmation helps the DoD monitor and enforce accountability by ensuring contractors uphold their cybersecurity measures throughout the contract period. The organization’s senior leadership or designated compliance officer must submit the affirmation as part of the company's ongoing compliance obligations under the CMMC program rule. Failure to submit could lead to a lapse in certification status, potentially jeopardizing eligibility for DoD contracts and triggering penalties under the False Claims Act.