FLASH BRIEF: CMMC (Cybersecurity Maturity Model Certification) 2.0 Proposed Rule — DoD (Department of Defense) Releases Official Informational Video

Classification: CRITICAL

Domain: CMMC Update

Date: February 14, 2024

Source: Federal Register / DoD CIO

---

TL;DR

The DoD Chief Information Officer has published an official informational video briefing on the CMMC 2.0 proposed rule, originally released for public comment on December 26, 2023. This video, presented by the Office of the Deputy CIO for Cybersecurity, provides authoritative guidance on the comprehensive assessment framework that will govern how defense contractors and subcontractors must implement security controls for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI (Controlled Unclassified Information)). The proposed rule introduces a scalable, three-tiered certification model with new CUI security requirements for priority programs—signaling that CMMC enforcement is transitioning from "proposed" to "imminent operational reality."

---

Key Points

• What Happened: DoD CIO released an official video overview of the CMMC 2.0 proposed rule on February 14, 2024, clarifying the assessment framework, certification tiers, and new CUI security requirements for priority defense programs.
• Who Is Affected: All defense contractors and subcontractors handling FCI or CUI—particularly those in aerospace, defense manufacturing, IT services, R&D, and critical technology sectors (NAICS 336411, 541330, 541512, 541715, 334511, 541714).
• Timeline: The proposed rule was published December 26, 2023, with a 60-day public comment period. Final rule publication is expected Q2–Q3 2024, with phased enforcement beginning 12–18 months post-publication. Contractors should assume CMMC clauses will appear in solicitations by late 2024.
• What Contractors Should Do NOW: (1) Audit current cybersecurity posture against NIST SP 800-171 (NIST Special Publication 800-171) and identify gaps; (2) Determine your required CMMC level based on contract CUI exposure; (3) Establish a System Security Plan (SSP) and Plan of Action & Milestones (POA&M); (4) Begin internal assessments or engage C3PAOs for Level 2/3 readiness; (5) Configure compliance tracking and proposal automation to flag CMMC-required solicitations.

---

Who Is Affected

Contract Vehicles

• GSA (General Services Administration) Schedules (IT 70, Professional Services)
• DoD IDIQ (Indefinite Delivery/Indefinite Quantity) vehicles: OASIS, OASIS+, SeaPort-NxG, ASTRO, JETS
• Agency-specific vehicles: NASA SEWP, Air Force NETCENTS-3, Army ITES-SW2
• All DoD prime and subcontracts involving CUI or FCI

NAICS Codes (Primary Impact)

• 336411 – Aircraft Manufacturing
• 541330 – Engineering Services
• 541512 – Computer Systems Design Services
• 541715 – R&D in Physical, Engineering, and Life Sciences (except Nanotechnology and Biotechnology)
• 334511 – Search, Detection, Navigation, Guidance, Aeronautical, and Nautical System and Instrument Manufacturing
• 541714 – R&D in Biotechnology (except Nanobiotechnology)
• 541519 – Other Computer Related Services
• 541690 – Other Scientific and Technical Consulting Services

Agencies

• Department of Defense (all components: Army, Navy, Air Force, Space Force, DLA, DARPA, MDA)
• Intelligence Community agencies (via DoD supply chain)
• NASA (for dual-use and defense-adjacent programs)
• Department of Energy (NNSA, defense-related R&D)

Contractor Segments

• Primes and Subs handling CUI (technical data, export-controlled information, operational plans)
• IT service providers managing DoD networks or cloud environments
• Manufacturing and supply chain partners with access to defense technical data
• R&D performers under SBIR/STTR, OTAs, and traditional contracts

---

Frequently Asked Questions

Q: What is the difference between CMMC 1.0 and CMMC 2.0?

CMMC 2.0 streamlines the original five-level model into three levels aligned with existing regulatory frameworks. Level 1 (Foundational) corresponds to FAR (Federal Acquisition Regulation) 52.204-21 basic safeguarding; Level 2 (Advanced) aligns with NIST SP 800-171 (110 controls) and requires third-party assessment for certain contracts; Level 3 (Expert) adds NIST SP 800-172 enhanced controls for programs handling critical national security information. The updated model reduces cost and complexity while maintaining rigor for high-risk contracts. Critically, Level 2 now permits annual self-assessments for most contracts, with C3PAO assessments required only for priority programs—but DoD retains authority to mandate third-party assessment at any level.

Q: When will CMMC certification become mandatory in solicitations?

The proposed rule is expected to be finalized in Q2–Q3 2024. Once published, DoD will phase in CMMC requirements over 12–18 months, prioritizing contracts involving CUI and critical technology areas. Contractors should expect to see DFARS (Defense Federal Acquisition Regulation Supplement) clauses requiring CMMC certification in solicitations by late 2024 or early 2025. However, DoD has signaled that certain high-priority programs may include CMMC requirements immediately upon final rule publication. Contractors without valid certification at the required level will be ineligible for contract award—no exceptions, no waivers.

Q: Do I need CMMC certification if I only handle Federal Contract Information (FCI), not CUI?

Yes, but only Level 1 certification, which corresponds to the 15 basic safeguarding requirements in FAR 52.204-21. Level 1 allows annual self-assessment with senior official affirmation—no third-party assessor required. However, if your contract involves any CUI (technical drawings, export-controlled data, operational information, proprietary research), you will need Level 2 (NIST SP 800-171, 110 controls). Misclassifying CUI as FCI is a False Claims Act risk. Review the CUI Safe CRM Guide (/insights/cui-safe-crm-guide) to ensure your systems properly segregate and protect CUI throughout the proposal and contract lifecycle.

---

Definitions

• CMMC (Cybersecurity Maturity Model Certification): A unified cybersecurity standard for defense contractors, replacing the patchwork of self-attestation with a tiered, third-party assessment framework to verify implementation of NIST SP 800-171 and SP 800-172 controls.
• CUI (Controlled Unclassified Information): Sensitive but unclassified information that requires safeguarding under Executive Order 13556 and 32 CFR Part 2002. Examples include technical data, export-controlled information, operational plans, and proprietary research funded by the government.
• FCI (Federal Contract Information): Information provided by or generated for the government under a contract that is not intended for public release. FCI requires basic safeguarding per FAR 52.204-21 (15 controls), a subset of NIST SP 800-171.
• NIST SP 800-171: National Institute of Standards and Technology Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." Defines 110 security controls across 14 families (Access Control, Incident Response, System and Communications Protection, etc.). Compliance is mandatory for CMMC Level 2.
• C3PAO (Certified Third-Party Assessment Organization): An independent, accredited organization authorized to conduct CMMC Level 2 and Level 3 assessments. C3PAOs evaluate contractor environments against NIST controls and issue certifications valid for three years.
• SSP (System Security Plan): A formal document describing the security controls implemented in an information system, how they meet NIST requirements, and the system boundary. Required for CMMC Level 2 and Level 3 assessments.
• POA&M (Plan of Action & Milestones): A document identifying cybersecurity deficiencies, planned remediation actions, resources required, and target completion dates. Contractors may receive conditional certification with an approved POA&M, but must close gaps within specified timeframes.

---

Intelligence Response

How Cabrillo Club Operationalizes This Event

The Cabrillo Signals War Room detected this Federal Register posting within minutes of publication and automatically generated this flash briefing. The platform continuously monitors DoD policy channels, Federal Register updates, SAM.gov (System for Award Management) contract modifications, and agency cybersecurity guidance to ensure your team is never blindsided by regulatory shifts. When a CMMC-related event is detected, the War Room cross-references your active pipeline, saved searches, and contract vehicle registrations to identify immediate exposure.

The Cabrillo Signals Intelligence Hub has already flagged all active opportunities in your pipeline that involve CUI or defense technical data, tagging them with the required CMMC level based on contract language and NAICS code. Saved searches are now monitoring SAM.gov for solicitations containing DFARS 252.204-7012, DFARS 252.204-7021, and the forthcoming CMMC certification clause. When these clauses appear, you receive an instant alert with a pre-populated compliance checklist.

The Cabrillo Signals Match Engine has automatically rescored your opportunity pipeline, downgrading win probability for any contract requiring Level 2 or Level 3 certification if your current compliance posture is incomplete. This prevents your team from investing capture resources in opportunities you cannot legally pursue. For contracts where you are compliant, the Match Engine has elevated priority scores—CMMC certification is now a competitive differentiator, and early movers will dominate the next 18 months of solicitations.

Systems to Configure

• Cabrillo Signals War Room: Ensure your team's notification preferences include "CMMC Update" and "Cybersecurity Policy" event types. Configure Slack/Teams integration for real-time flash briefings.
• Cabrillo Signals Intelligence Hub: Create saved searches for solicitations containing DFARS 252.204-7012, DFARS 252.204-7021, and keywords "CMMC," "NIST SP 800-171," "CUI," "Controlled Unclassified Information." Set alerts to daily digest or instant push.
• Cabrillo Signals Match Engine: Update your company profile to reflect current CMMC certification status (Level 1 self-assessed, Level 2 in progress, Level 2 certified, etc.). The engine will automatically adjust opportunity scoring and flag contracts where certification is a go/no-go requirement.
• Proposal Studio (Proposal OS): Load CMMC compliance language into your win theme library. Create reusable compliance matrices for NIST SP 800-171 controls, SSP summaries, and POA&M narratives. Configure the AI proposal assistant to auto-populate cybersecurity sections with your current certification status and control implementation evidence.
• Proposal Studio Workflow Tracker: Add a mandatory gate at Stage 2 (Qualify) for CMMC eligibility check. Route all opportunities involving CUI to your cybersecurity lead for certification verification before proceeding to bid/no-bid decision.

Notification Chain

• Capture Managers — Must immediately audit active pipeline for CUI exposure and required CMMC levels. Any opportunity requiring Level 2/3 certification without current compliance is a no-bid unless remediation can be completed before proposal due date.
• Cybersecurity/Compliance Lead — Responsible for gap analysis against NIST SP 800-171, SSP development, and C3PAO engagement. Must provide Capture with a realistic timeline for certification readiness.
• Proposal Managers — Need to integrate CMMC certification status into all DoD proposals. Certification (or credible path to certification) is now a discriminator in technical evaluation and past performance.
• Business Development / VP of Contracts — Should prioritize teaming arrangements with CMMC-certified partners for high-value opportunities where your certification is incomplete. CMMC status is now a teaming criterion.
• CFO / Finance — Must budget for C3PAO assessment costs ($15K–$150K depending on scope), remediation investments, and potential revenue loss from no-bid decisions on non-compliant opportunities.
• Legal / Contracts Administration — Review all active subcontracts for flowdown of DFARS cybersecurity clauses. Ensure subcontractors handling CUI are CMMC-compliant or have approved POA&Ms.

First 48-Hour Playbook

Hour 0–4 (Immediate Actions)

• Capture Team: Pull all active DoD opportunities from Cabrillo Signals Intelligence Hub. Filter for contracts involving CUI, technical data, or export-controlled information. Flag any solicitation with DFARS 252.204-7012 or language requiring NIST SP 800-171 compliance.
• Cybersecurity Lead: Retrieve your most recent NIST SP 800-171 self-assessment (SPRS score). If score is below 110, generate a gap analysis. If no assessment exists, this is a critical deficiency—begin immediately.
• Proposal Managers: Review all proposals in development. Add a compliance section addressing CMMC readiness. If certification is incomplete, include POA&M summary and timeline to certification.

Hour 4–12 (Assessment & Triage)

• Cybersecurity Lead: Determine required CMMC level for each flagged opportunity (Level 1 for FCI-only, Level 2 for CUI, Level 3 for critical programs). Cross-reference with your current certification status.
• Capture Managers: Conduct bid/no-bid review for any opportunity where required CMMC level exceeds current certification. If gap can be closed before contract award (typically 6–12 months), proceed with caution. If not, mark as no-bid and notify BD.
• BD/Contracts: Initiate teaming discussions with CMMC-certified partners for high-priority opportunities where your certification is incomplete. Draft teaming agreements with clear CUI handling and subcontractor flowdown language.

Hour 12–24 (Documentation & Planning)

• Cybersecurity Lead: If Level 2 certification is required, begin SSP development. Document system boundaries, control implementations, and any compensating controls. Schedule C3PAO engagement if third-party assessment is needed.
• Proposal Team: Load CMMC compliance narratives into Proposal Studio win theme library. Create reusable text for "Cybersecurity Approach," "NIST SP 800-171 Compliance," and "CUI Protection Measures."
• Legal/Compliance: Review all active subcontracts. Ensure DFARS 252.204-7012 is flowed down to any sub handling CUI. Notify subs of CMMC requirements and request certification status.

Hour 24–48 (Operationalize & Monitor)

• All Hands: Attend a 30-minute CMMC readiness briefing (led by Cybersecurity Lead). Review the CMMC Compliance Guide (/insights/cmmc-compliance-guide) and Compliant AI Proposal Guide (/insights/compliant-ai-proposal-guide) to understand how AI-assisted proposal tools must be configured to protect CUI.
• Capture/BD: Configure Cabrillo Signals Intelligence Hub saved searches to monitor for CMMC-related solicitations. Set alerts to daily digest.
• Finance: Budget for CMMC certification costs. Level 2 C3PAO assessments range from $15K (small, simple environments) to $150K+ (complex, multi-enclave systems). Plan for 6–12 month timeline from kickoff to certification.
• Executive Leadership: Decide on enterprise CMMC strategy—pursue certification in-house, engage a managed security service provider (MSP) for remediation, or adjust BD strategy to focus on FCI-only (Level 1) contracts until Level 2 readiness is achieved.

---