In recent months, we’ve received numerous inquiries from local Hawaii-based companies, both those already engaged in Department of Defense (DoD) contracts and those aspiring to participate, regarding the latest Cybersecurity Maturity Model Certification (CMMC) rulemaking. This evolving regulatory landscape is understandably raising concerns and questions about compliance implications.
To address these needs, we’ve consolidated the insights, updates, and guidance we’ve been sharing into this comprehensive blog post. Our aim is to deliver the most current information available while distilling the essential CMMC requirements, empowering your organization with a clear roadmap to achieve and maintain compliance.
On September 10, the U.S. Department of Defense (DoD) released its final rule for the Cybersecurity Maturity Model Certification (CMMC) program, which applies to defense acquisitions. This rule updates the Defense Federal Acquisition Regulation Supplement (DFARS) and introduces additional cybersecurity obligations for defense contractors who manage sensitive information—including storing, processing, or transmitting it—while fulfilling contract requirements.
1. Key Points for Defense Contractors
- The CMMC program will be rolled out across four phases, starting November 10. This implementation affects defense contracts and solicitations, except those dealing solely with commercially available off-the-shelf products.
- Contractors and their subcontractors will be required to demonstrate their adherence to cybersecurity standards using the CMMC program’s updated assessment and affirmation process, if their contracts or solicitations involve handling federal contract information (FCI) or controlled unclassified information (CUI) on their systems.
- Defense contractors who are not actively pursuing CMMC compliance may jeopardize their chances of securing future contracts in the defense sector.
2. The CMMC Program Under 32 C.F.R. 170
On December 16, 2024, the Department of Defense officially implemented the Cybersecurity Maturity Model Certification (CMMC) program in federal regulation (32 C.F.R. Part 170). This initiative is part of the DoD’s broader effort to strengthen cybersecurity across the defense industrial base and ensure better protection of FCI and CUI. By meeting CMMC requirements, contractors and suppliers demonstrate their commitment to safeguarding sensitive data and maintaining the integrity of defense operations. Under these new regulations, organizations must assess and certify their information systems before they can be considered for defense contracts.
Understanding CMMC Levels and Assessments
The Cybersecurity Maturity Model Certification (CMMC) sets the rules for how defense contractors need to protect sensitive government data. To get certified, a contractor’s systems have to pass a cybersecurity review, and the requirements depend on what kind of information they work with.
There are three CMMC levels, each with its own set of standards and ways to check if you meet them. The Department of Defense (DoD) decides which level is needed for each contract and spells it out in the contract documents. Here’s what each level means:
- Level 1 – Basic Protection for FCI: This level is for contractors who deal with FCI. To qualify, contractors must do a self-assessment every year to show they’re following basic security requirements (from FAR 52.204-21). After completing the assessment, they report the results through the Supplier Performance Risk System (SPRS).
- Level 2 – Protecting CUI: Level 2 is for contractors who handle CUI. They have to follow 110 security practices listed in NIST SP 800-171 Rev. 2. Depending on the contract, contractors might either do an annual self-assessment (called Level 2 Self) or have a certified third-party organization (C3PAO) perform the review. Third-party certifications last for three years.
- Level 3 – Advanced Security for Sensitive CUI: Level 3 is for contracts that involve the most sensitive CUI and require stronger protection against advanced cyber threats. To reach this level, contractors first need to get Level 2 certified by a third-party (C3PAO). Afterward, they’re assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to see if they meet 24 extra controls from NIST SP 800-172. These reviews also happen every three years.
The DoD hasn’t fully defined which contracts will need Level 3, but it’s likely to apply to work involving national security or other highly sensitive projects.
Conditional CMMC Status and POAMs
If a contractor’s information system doesn’t meet every requirement during a CMMC assessment, there’s still hope—sometimes, a conditional CMMC status is possible. For Level 2 or 3, contractors can lay out a plan of action and milestones (POAM) to fix any gaps, as long as they get everything sorted out within 180 days. The good news is that under DFARS 204.7502 rules, you might be able to win a contract while you’re in this conditional status.
But there are some important catches. First, you must finish all the items in your POAM within 180 days, or you’ll lose that conditional status altogether. Also, keep in mind that POAMs aren’t an option for Level 1. And before you get a conditional CMMC status, you need to hit a minimum score and meet all “critical requirements” during your first assessment.
CMMC Unique Identifiers
Whenever a contractor’s cybersecurity systems are assessed, the results get reported to the Department of Defense’s Supplier Performance Risk System (SPRS). Each assessment receives a special CMMC unique identifier (UID) from SPRS. If a contract says you need a certain CMMC level, you’ll have to include a list of your UIDs with your proposal. And as SPRS creates new codes for fresh assessments, it’s important to keep your UID list up to date.
Ongoing Compliance Affirmation
Getting certified at a CMMC level isn’t the end of the road; you also have to regularly confirm that you’re still meeting the requirements. A senior company representative, called the affirming official, submits your CMMC level affirmation electronically in SPRS upon achievement and annually thereafter. If there’s ever a cybersecurity incident, you’ll need to report it following the rules in DFARS 252.204-7012, which covers how to safeguard sensitive defense information and report cyber events.
3. How CMMC Applies to Defense Contracts
When CMMC Requirements Come Into Play
CMMC requirements aren’t for everyone — they apply specifically to Department of Defense (DoD) contracts. If your organization works with other federal agencies, you’ll want to review those agencies’ cybersecurity standards instead, since each one sets its own requirements.
Within the DoD, CMMC only applies to contracts where your team will handle FCI or CUI as part of the work. So, if you’re storing, processing, or transmitting that kind of sensitive data, you’ll need to meet the right CMMC level before you can move forward.
There’s one big exception worth noting — commercial off-the-shelf (COTS) products. If a contract is just for pre-made products that are sold on the open market, CMMC requirements don’t apply. That’s because those items aren’t tied to sensitive defense information.
How the DoD Is Rolling Out CMMC
In order to facilitate a smoother transition for contractors and minimize significant disruptions, the DoD will implement CMMC in four distinct phases over an extended period. This gradual rollout gives organizations time to adjust and build up their cybersecurity programs without getting overwhelmed.
Here’s a quick look at what to expect:
- Phase 1 (starting November 10): The DoD begins requiring CMMC Level 1 and Level 2 self-assessments for certain contracts and solicitations.
- Phase 2 (one year later): The DoD starts requiring third-party assessments (C3PAO) for CMMC Level 2 contracts.
- Phase 3 (one year after Phase 2): The DoD adds CMMC Level 3 assessments, which are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
- Phase 4 (one year after Phase 3): Full implementation — CMMC applies to all applicable contracts and solicitations.
It’s also important to remember that the DoD can adjust the timeline if needed — meaning they can move faster or slower depending on how ready the industry is.
CMMC DFARS Clauses Made Simple
The Department of Defense has updated its acquisition rules to include two new DFARS clauses, making CMMC requirements clearer for contractors:
- DFARS 252.204-7025: Notice of Cybersecurity Maturity Model Certification Level Requirements
  - This clause is part of the contract solicitation — basically, it lets potential contractors know what CMMC level they’ll need for each information system that will handle sensitive data. The levels might be CMMC Level 1 (Self-Assessment), CMMC Level 2 (Self-Assessment or Third-Party Assessment), or CMMC Level 3 (assessed by DIBCAC). If you don’t have both a current CMMC assessment and proof in the Supplier Performance Risk System (SPRS) that you’re staying compliant, you won’t be eligible for the contract. If you’re given a “conditional” CMMC status, you’ll also need to close out any Plans of Action and Milestones (POAMs) as required. Plus, when you submit your proposal, you’ll have to include a list of your system UIDs (unique identifiers from SPRS), and keep that list updated as you add new systems.
- DFARS 252.204-7021: Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements
  - This clause shows up in the contract itself. It spells out that you need to have — and maintain — the right CMMC level for your systems. If you use subcontractors who will handle sensitive information, you’ll need to make sure they meet the CMMC requirements, too. Contractors are only allowed to use systems that meet the required CMMC level (or higher) when it comes to handling FCI or CUI.
In short: These clauses make sure everyone handling sensitive DoD information is up to speed with cybersecurity requirements, and that responsibility flows down to any partners or subcontractors you work with.
4. Anticipated Outcomes and Key Points
If you’re working in the defense industry, here’s what you need to know: the Department of Defense estimates nearly 338,000 contractors and subcontractors will be impacted by the CMMC program in just four years. Most companies (about 62%) will need to meet CMMC Level 1, while 35% will be required to have a Level 2 certificate, assessed by a third-party organization (C3PAO).
The phased rollout might make things feel a little less overwhelming at first, especially as changes begin this November, but don’t wait to get ready. The CMMC framework is quickly becoming a core part of the DFARS rules, and staying ahead is key if you want to remain competitive in defense contracting. In short: proactive preparation now will save you headaches down the road, helping you meet requirements and keep your business moving forward.
Next Steps: Staying Ahead with CMMC
Understanding What CMMC Means for Your Organization
If you’re already working with the Department of Defense—or hoping to in the future—staying on top of CMMC requirements isn’t just important, it’s essential. If you fall short, you could miss out on valuable contracts. Start by looking over your current and previous contracts to see what types of sensitive information your team has handled. This step will help you figure out which CMMC level applies to you and what you need to do next.
Keeping Up with Cybersecurity
Getting ready for CMMC isn’t just about passing a one-time assessment. It’s about keeping good cybersecurity habits throughout the entire life of each contract. Make sure you’ve got clear steps for tracking your compliance, watching your systems, and regularly updating the person in charge of your organization’s CMMC status. Setting up this kind of structure makes everyone more accountable and helps make those annual SPRS affirmations a lot easier and more accurate.
Making Sure Subcontractors Are on Board
Have subcontractors working on your projects? It’s your job to check that they’re up to speed with CMMC before you give them any work. Don’t stop there—keep checking in throughout the contract. Start conversations early about which CMMC level applies and what’s expected. This ensures your team and partners know their compliance responsibilities clearly.
How to Stay Competitive for the Long Haul
What sets the best defense contractors apart? They’re the ones who start preparing early, keep their systems current, and make communication a priority. By staying proactive, you’ll be better positioned to stay compliant and win contracts for the long term.
Your Partner in Reaching CMMC Compliance
If you feel overwhelmed, you’re not alone. Intech Hawaii is here to walk you through every part of the CMMC process. Our experts can help you figure out where you stand, spot any gaps, and put together a plan that works. With our support, you’ll have a strong cybersecurity foundation, not just for your next assessment, but for every contract that comes after.
Ready to get started? Reach out to Intech Hawaii today and take the first step toward confident CMMC compliance.