If you are (or want to be) a contractor or subcontractor with the United States Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) program needs to be on your radar for 2025. While the CMMC has been in the works for a while, a final rule officially establishing the program went into effect in December of 2024. DoD contractors and their subcontractors are now required to be certified compliant with the program’s regulations—or risk losing their DoD contracts.
Let’s break down what the CMMC is, what the newly enacted rule means for DoD contractors and subcontractors, and the important role identity governance plays in certification and compliance.
What is CMMC?
Back in 2010, an executive order was issued to standardize how Controlled Unclassified Information (CUI) is handled by organizations considered part of the Defense Industrial Base (DIB) Sector, which the DoD describes as “the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet US military requirements.” The DIB includes over 100,000 contractors and their subcontractors—any companies supplying materials or services to the DoD, either directly or as part of a supply chain.
The move to standardize CUI protection came in response to changes across the cybersecurity landscape as companies began transferring operations to the cloud and conducting more business remotely. Establishing a framework for how to handle sensitive DoD information, both classified and unclassified, was critical to maintaining DoD data security as new technologies were adopted.
Until 2019, DoD contractors—often referred to as “mains”—and their subcontractors could self-attest adherence to the DoD’s CUI guidelines. But as cloud adoption and technologies continued to evolve and grow, so did the associated cybersecurity threats. So in 2020, the DoD created an interim rule that established a formal system of certifying compliance with protection guidelines for both CUI and federal contract information (FCI). Called the Cybersecurity Maturity Model Certification (CMMC), the system laid out a tiered certification framework, based on the sensitivity of the information handled by contractors, as well as a five-year schedule for implementing the program.
In October of 2024, the DoD issued a final rule, CMMC 2.0, which officially codified the requirements contractors must comply with to receive certification. CMMC 2.0 went into effect two months later, in December—which means companies must now be certified to contract with the DoD. Once a procedural follow-on rule goes into effect in early to mid-2025, the DoD will begin actively enforcing certification for new and existing contracts.
Complying with CMMC
While many DoD contractors already have some of the controls and systems in place to meet CMMC requirements, it’s critical to understand what’s necessary for full compliance and to fill any gaps as soon as possible. In addition, if third-party certification is necessary (which is the case for the majority of contractors), that process should begin immediately, as it can be time intensive and may turn up unforeseen issues that need to be addressed before certification can be granted.
The final rule, CMMC 2.0, lays out three certification levels, each of which builds on the previous. The good news for current DoD contractors and their subs is that Levels 1 and 2 are unchanged from the interim rule issued in 2020—the only real difference being that these levels now require certification versus self-attestation. And CMMC requirements are based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) 2.0—a national standard that many companies and frameworks already use as a baseline for cybersecurity best practices. If you’re currently following NIST CSF standards, you’ll be in good shape to comply with the CMMC requirements.
CMMC levels:
- Level 1 (Foundational): Applies to contractors who handle FCI only
- Level 2 (Advanced): Requires third-party assessment in most cases. Cybersecurity practices align with NIST SP 800-171.
- Level 3 (Expert): Applies to around 1% of contractors, who must be certified directly by the US government. Cybersecurity practices align with NIST SP 800-172.
Most contractors will fall into Level 2, which protects both CUI and FCI and requires third-party certification. Crucially, this means that most subcontractors will also require third-party certification—because whichever level a main falls under will apply to its subs as well. So subcontractors shouldn’t assume they’ll be able to self-attest or comply with a lower level because they’re a step or two removed from a main’s DoD contract. Subs must certify that they’re protecting CUI and FCI with the same controls required of the main contractor.
CMMC and identity governance
The NIST CSF and, therefore, CMMC requirements follow a zero trust cybersecurity framework, which assumes that all users, devices, and systems in an environment are potentially compromised. Zero trust practices center around identity—requiring that access to an environment be granted to properly authenticated human and non-human identities only, and that those identities be granted only the minimum level of access necessary to carry out their functions, a concept known as the principle of least privilege.
In practice, enforcing zero trust requires robust identity and access management (IAM) processes. To comply with CMMC regulations, contractors will need to demonstrate sufficient IAM-related security controls in the following areas:
- Access Control
- Identification and Authentication
- Audit and Accountability
- Risk Management
Along with having strong identification and authentication methods in place, contractors will need to show they have sufficient control of access rights and that, in particular, privileged access is properly governed and regularly audited. They will also need to demonstrate the ability to detect and remediate separation of duties violations and privileged access risks. Successfully streamlining these controls across today’s complex environments and remote workforces can be a daunting task—centralized control and automation are essential to success, which is where a modern IGA solution like ConductorOne can help.
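As an added illustration of the detection controls described above (not ConductorOne code, and not part of the original post), the following Python runs a hypothetical separation-of-duties rule and a standing-privilege check over constructed access grants; the users, systems, entitlements and rules are all made up.

```python
from collections import defaultdict

# Constructed sample access grants: (user, system, entitlement, is_standing).
# is_standing=False models a just-in-time grant that expires on its own.
GRANTS = [
    ("alice", "erp", "vendor.create",   True),
    ("alice", "erp", "payment.approve", True),   # conflicts with vendor.create
    ("bob",   "erp", "payment.approve", True),
    ("carol", "aws", "admin",           True),   # standing privileged access
    ("dave",  "aws", "admin",           False),  # JIT grant, not standing
    ("erin",  "erp", "vendor.create",   True),
]
# Hypothetical SoD rules: one identity must not hold both entitlements on a system.
SOD_RULES = [("erp", "vendor.create", "payment.approve")]
# Hypothetical set of entitlements treated as privileged in the review.
PRIVILEGED = {("aws", "admin"), ("erp", "payment.approve")}

def entitlements_by_user(grants):
    """Map each user to the set of (system, entitlement) pairs they hold."""
    held = defaultdict(set)
    for user, system, ent, _standing in grants:
        held[user].add((system, ent))
    return held

def find_sod_violations(grants, rules):
    """Return (user, system, ent_a, ent_b) for each user holding a conflicting pair."""
    held = entitlements_by_user(grants)
    return [(user, system, a, b)
            for user in sorted(held)
            for system, a, b in rules
            if {(system, a), (system, b)} <= held[user]]

def find_standing_privileged(grants, privileged):
    """Return (user, system, entitlement) for privileged access that never expires."""
    return [(u, s, e) for u, s, e, standing in grants
            if standing and (s, e) in privileged]

def access_review(grants, rules, privileged):
    """Bundle both findings into the report an access reviewer would act on."""
    return {"sod_violations": find_sod_violations(grants, rules),
            "standing_privileged": find_standing_privileged(grants, privileged)}

if __name__ == "__main__":
    for kind, findings in access_review(GRANTS, SOD_RULES, PRIVILEGED).items():
        print(kind, *findings, sep="\n  ")
```

In a real deployment the grant list would be pulled from the connected systems and the rule set maintained by the access owners; the logic is the same.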
ConductorOne for CMMC compliance
ConductorOne has out-of-the-box connectors for both cloud and on-prem apps and infrastructure so you can quickly gain deep visibility and control of all identity and access across your entire environment, a key first step to governing identity. And ConductorOne connectors and workflows can be configured for FedRAMP-compliant systems to streamline identity governance while ensuring federal data remains properly segmented.
Once you’ve integrated your systems, ConductorOne allows you to automate dynamic role-, attribute-, and policy-based access controls that continuously enforce zero trust policies and ensure least privilege across the identity lifecycle. The platform also automates just-in-time (JIT) access so you can lower, or eliminate altogether, standing privileges to sensitive data and systems. And real-time notifications of access conflicts and potential access risks allow you to proactively address access issues as they arise. All access changes are fully logged and ConductorOne’s automated access reviews drastically reduce the time and effort required to regularly audit access, turning reviews into a real security control rather than a compliance box to check.
To learn more about CMMC and how to comply, visit the DoD. To get more info about how ConductorOne can help you with CMMC compliance, talk to our team.