Compliance & Risk

Federal Register: Cybersecurity Maturity Model Certification (CMMC) Program

With this final rule, DoD establishes the Cybersecurity Maturity Model Certification (CMMC) Program in order to verify contractors have implemented required security measures necessary to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The mechanisms discussed in this rule will allow the Department to confirm a defense contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status (meaning level and assessment type) across the contract period of performance. This rule will be updated as needed, using the appropriate rulemaking process, to address evolving cybersecurity standards, requirements, threats, and other relevant changes.


Editorial Team · February 17, 2026 · Updated Feb 23, 2026 · 6 min read

In This Guide
  • Immediate Actions (This Week)
  • Short-Term Actions (30 Days)
  • Long-Term Actions (90+ Days)
  • Compliance Checklist
  • Resources
  • How Cabrillo Club Automates This

CMMC (Cybersecurity Maturity Model Certification) Program Final Rule — Action Kit

Event Classification: CRITICAL

Domain: CMMC Update

Impact: All DoD (Department of Defense) contractors and subcontractors handling FCI or CUI (Controlled Unclassified Information)

---

Immediate Actions (This Week)

  • [ ] Identify all active DoD contracts and subcontracts — Create an inventory listing contract numbers, CUI/FCI handling status, current DFARS (Defense Federal Acquisition Regulation Supplement) 7012 compliance posture, and contract period of performance dates
  • [ ] Determine required CMMC level for each contract — Review solicitation language and contract clauses to identify whether Level 1, Level 2, or Level 3 certification will be required
  • [ ] Assess current cybersecurity posture — Conduct a gap analysis against NIST SP 800-171 (NIST Special Publication 800-171) (for Level 2) or NIST SP 800-172 (for Level 3) to identify immediate vulnerabilities
  • [ ] Notify executive leadership and board — Brief C-suite and governance bodies on compliance timeline, budget implications, and business continuity risks
  • [ ] Freeze system changes in CUI environments — Implement change control procedures to prevent configuration drift before assessment
  • [ ] Review subcontractor flow-down requirements — Audit all subcontracts to ensure CMMC clauses are properly incorporated and subcontractors understand their obligations

Short-Term Actions (30 Days)

  • [ ] Engage a CMMC Third-Party Assessor Organization (C3PAO) — For Level 2+ requirements, begin vetting and contracting with an authorized assessor; confirm their accreditation status in the CMMC Marketplace
  • [ ] Develop a System Security Plan (SSP) — Document your information system boundaries, security controls implementation, and CUI data flows per NIST SP 800-171 requirements
  • [ ] Implement priority remediation — Address high-severity gaps identified in your initial assessment, focusing on access controls, incident response, and audit logging
  • [ ] Establish a Plan of Action and Milestones (POA&M) — For any controls not yet implemented, document remediation timelines and resource requirements (note: POA&Ms are no longer acceptable for contract award under CMMC, but are critical for internal tracking)
  • [ ] Train your capture and proposal teams — Ensure BD staff understand how to respond to CMMC requirements in proposals and can articulate your certification status accurately
  • [ ] Update your CRM and opportunity tracking — Tag all DoD opportunities with required CMMC levels and flag contracts where certification timing may impact your ability to bid (see our CUI-Safe CRM Guide (/insights/cui-safe-crm-guide) for secure data handling)
  • [ ] Review insurance and cyber liability coverage — Consult with your broker to ensure policies cover CMMC assessment costs and potential breach scenarios

Long-Term Actions (90+ Days)

  • [ ] Complete formal CMMC assessment — Schedule and execute your C3PAO assessment for Level 2/3, or complete self-assessment for Level 1; obtain certification and upload to Supplier Performance Risk System (SPRS)
  • [ ] Establish continuous monitoring program — Implement ongoing security control validation, quarterly internal audits, and annual reassessment planning to maintain certification status across contract periods of performance
  • [ ] Integrate CMMC into capture processes — Build CMMC level requirements into your bid/no-bid criteria, gate reviews, and teaming partner evaluation scorecards
  • [ ] Develop CMMC-compliant proposal content — Create reusable compliance matrices, security architecture diagrams, and past performance narratives that demonstrate your certification status (reference our Compliant AI Proposal Guide (/insights/compliant-ai-proposal-guide) for AI-assisted content generation that maintains security)
  • [ ] Establish supplier certification tracking — Build a database of subcontractor CMMC levels, expiration dates, and assessment types to ensure flow-down compliance
  • [ ] Plan for triennial recertification — Budget for reassessment costs and schedule internal readiness reviews 6 months before certification expiration

---

Compliance Checklist

This final rule establishes verification requirements across three CMMC levels. Your specific obligations depend on the level specified in your contract:

CMMC Level 1 (FCI Protection)

  • [ ] Implement all 17 practices from FAR (Federal Acquisition Regulation) 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)
  • [ ] Complete annual self-assessment and affirm compliance in SPRS
  • [ ] Maintain assessment records for 3 years
  • [ ] Flow down requirements to subcontractors handling FCI

CMMC Level 2 (CUI Protection)

  • [ ] Implement all 110 security requirements from NIST SP 800-171 Rev 2
  • [ ] Achieve assessment score of 110 points (all practices implemented)
  • [ ] Undergo C3PAO assessment (for High and Critical priority acquisitions) or self-assessment (for other acquisitions)
  • [ ] Submit assessment results to SPRS within 30 days
  • [ ] Maintain certification for 3 years
  • [ ] Implement continuous monitoring and incident response per DFARS 252.204-7012
  • [ ] Report cyber incidents to DoD within 72 hours
  • [ ] Flow down Level 2 requirements to subcontractors handling CUI

CMMC Level 3 (Advanced/Persistent Threats)

  • [ ] Implement all NIST SP 800-171 requirements (110 practices)
  • [ ] Implement subset of NIST SP 800-172 enhanced security requirements
  • [ ] Undergo government-led assessment by Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
  • [ ] Demonstrate advanced threat hunting and incident response capabilities
  • [ ] Maintain certification per government direction
  • [ ] Flow down Level 3 requirements to critical subcontractors

Program-Wide Requirements (All Levels)

  • [ ] Register in SPRS and maintain current assessment data
  • [ ] Include CMMC level and assessment type in representations and certifications
  • [ ] Notify Contracting Officer of any changes in certification status within 30 days
  • [ ] Maintain assessment documentation and evidence for audit
  • [ ] Ensure subcontract agreements include appropriate CMMC flow-down clauses
  • [ ] Verify subcontractor certifications before contract award

---

How ready are you for CMMC?

Take our free readiness assessment. 10 questions, instant results, no email required until you want your report.

Check Your CMMC Readiness

or try our free CMMC Cost Estimator →

Resources

  • Primary Regulation: Federal Register — CMMC Program Final Rule (https://www.federalregister.gov/public-inspection/2024-23697/cybersecurity-maturity-model-certification-cmmc-program) (32 CFR Part 170)
  • DFARS Case 2019-D041: Assessing Contractor Implementation of Cybersecurity Requirements
  • NIST SP 800-171 Rev 2: Protecting Controlled Unclassified Information in Nonfederal Systems
  • NIST SP 800-172: Enhanced Security Requirements for CUI
  • DoD CMMC Program Office: https://dodcio.defense.gov/CMMC/
  • CMMC Marketplace: Directory of authorized C3PAOs and assessors
  • SPRS Portal: https://www.sprs.csd.disa.mil/
  • Cabrillo Club Resource: CMMC Compliance Guide (/insights/cmmc-compliance-guide) — Complete implementation roadmap

---

How Cabrillo Club Automates This

Cabrillo Signals War Room has already detected this final rule publication and delivered this briefing to your dashboard within minutes of Federal Register posting. The War Room continuously monitors DoD policy issuances, DFARS updates, and CMMC Program Office guidance so you're alerted to implementation deadlines, assessment scope changes, and enforcement actions before they impact your contracts. Every DoD solicitation is automatically scanned for CMMC level requirements and flagged when new contract vehicles adopt certification mandates.

Cabrillo Signals Match Engine is now rescoring your entire DoD opportunity pipeline based on this rule's implementation timeline. Opportunities requiring Level 2 or Level 3 certification are automatically weighted against your current assessment status, and match scores adjust in real time as you update your CMMC posture in the platform. The engine flags contracts where certification timing may prevent you from bidding and prioritizes opportunities aligned with your current compliance level.

Cabrillo Signals Intelligence Hub tracks which DoD agencies, NAICS codes, and contract vehicles are adopting CMMC requirements first. Configure saved searches to monitor SAM.gov (System for Award Management) for solicitations mentioning "CMMC Level 2" or "NIST SP 800-171" in your target markets, and receive instant alerts when new RFPs drop that match your certification profile. The Hub's agency intelligence module shows you which Program Executive Offices are early adopters versus laggards, helping you time your certification investment strategically.

Proposal Studio (Proposal OS) maintains a compliance matrix library that maps your implemented security controls to NIST SP 800-171/172 requirements and generates first-draft responses to CMMC-related proposal sections. When an RFP includes cybersecurity requirements, Proposal OS auto-populates your SSP summary, certification status, and continuous monitoring approach using your assessment data. The AI engine references your past performance on CUI-handling contracts to build credibility narratives around your security posture.

Proposal Studio Workflow Tracker automatically triggers a compliance gate review whenever your team marks an opportunity as requiring CMMC Level 2+. The workflow routes certification verification to your contracts team, validates subcontractor CMMC status before teaming agreements are signed, and generates audit-ready documentation showing when and how you confirmed compliance before proposal submission. For contracts spanning multiple years, the Tracker sets calendar reminders for triennial recertification milestones so you maintain eligibility throughout the period of performance.

Ready to streamline your CMMC compliance? Explore the CMMC Compliance Guide (/insights/cmmc-compliance-guide) in your Cabrillo Club dashboard to access assessment templates, control implementation checklists, and automated tracking for all 110 NIST SP 800-171 requirements.

---

Editorial Team

Cabrillo Club is a defense technology company building AI-powered tools for government contractors. Our editorial team combines deep expertise in CMMC compliance, federal acquisition, and secure AI infrastructure to produce actionable guidance for the defense industrial base.
