What Do You Mean New CMMC Updates?
Prior to the beginning of this year, the Department of Defense released a new set of Cybersecurity Maturity Model Certification (CMMC) guidelines.
So, what is the CMMC?
The CMMC program is a way to verify that contractors have taken the correct security measures in order to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
FCI is any information or data that is provided by or for the government. This information is not to be shared with the public. For example, let’s say a cybersecurity group is working on a government contract and is trying to set up a timeline that covers the whole contract. Any emails between members of this contracted group about said project count as FCI. CUI, like FCI, is information processed for or by the government, but, unlike FCI, this information is not classified. While this information is not classified, it needs to be protected for national security reasons. For example, a healthcare group could be providing services related to a federal healthcare program. These records would count as CUI because they present an identity theft risk.
What Happens Now?
The CMMC program allows the DoD to confirm that its contractors and subcontractors are correctly guarding this information. As new threats emerge, the CMMC adapts, and new rules or protocols are put in place. The newest CMMC guidelines were put into effect December 16th, 2024, but the reality is that it will take about 6 months to a year for the DoD to finalize revisions. Once the revisions are completed, these rules will start appearing on contracts.
Because the CMMC program only dates back to 2010, there have been several rounds of revisions and rule updates. We are currently in Phase 1 of the newest ‘final rule’ of the CMMC. Phase 1 gives contractors time to comply before the ‘final rule’ becomes fully enforced. In 2021 the DoD announced the biggest revision yet that included three major changes.
- “Tiered Model: CMMC requires companies entrusted with Federal contract information and controlled unclassified information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also describes the process for requiring protection of information flowed down to subcontractors.
- Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
- Phased Implementation: Once CMMC rules become effective, certain DoD contractors handling FCI and CUI will be required to achieve a particular CMMC level as a condition of contract award. CMMC requirements will be implemented using a 4-phase implementation plan over a three-year period.”
(Pulled from the Federal Register)
With each new rule or revision there is a clear purpose, and that purpose always boils down to enhancing cybersecurity for the U.S. government and its contractors. The newest program rule is titled 32 CFR Part 170, the CMMC Program Rule. It defines three certification levels for CMMC contractors as well as a 4-phase implementation.
Levels
Level 1 of the certification requires 15 foundational cybersecurity hygiene practices to be implemented. Level 2 requires contractors handling CUI to follow an additional 110 security practices outlined by NIST, specifically the NIST SP 800-171 guidelines. Level 3 is geared towards organizations handling the most sensitive information. At this level there are 134 additional controls that must be followed, drawn from NIST SP 800-171 as well as NIST SP 800-172. This level also requires highly detailed documentation of ongoing assessments and certifications.
Phases
As previously mentioned, Phase 1 began when this rule was published, but it will extend into mid-2025. This phase gives contractors and subcontractors time to reach their applicable levels. Not all contractors are required to be at Level 3; most will only need to reach Level 1 or 2. Phase 2 will begin one year from the publishing of the final rule and will require Level 2 to be achieved by applicable organizations. As you might imagine, Phase 3 is the same except that Level 3 will need to be implemented. Phase 4 will begin another year later, and by then all contractors and subcontractors will need to be at their applicable level and all contract solicitations will include these required levels.
Before any contract can be awarded, the contractors must go through an assessment process to ensure they have reached the appropriate CMMC level.
What Does This Mean for You?
If you are a DoD contractor handling FCI or CUI, then you will need to implement the processes outlined above. Because we are in Phase 1, the best step to take is assessing your current cybersecurity posture. From there you will need to set up an assessment with a Certified Third-Party Assessment Organization, as suggested by the DoD.
As the Department of Defense continues to prioritize cybersecurity through the implementation of the CMMC program, keep in mind that the rollout of this new rule will take some time, but it is a critical step toward securing sensitive federal information. For more information on how this may impact your organization, we recommend you visit the Federal Register for the full 32 CFR Part 170 CMMC Program Rule.