The U.S. Department of Defense (DoD) has finalized the Cybersecurity Maturity Model Certification (CMMC) program, introducing a structured framework to assess and enhance the cybersecurity practices of defense contractors. This initiative aims to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the defense industrial base.
The CMMC program establishes a three-tier certification system, replacing the previous five-level model. Each tier corresponds to specific cybersecurity practices and processes, and contractors must comply with the tier applicable to them to secure DoD contracts. A phased implementation is planned over several years, with the initial phase expected to commence in early 2025. Notably, the program mandates third-party assessments for many contractors, ensuring independent verification of cybersecurity compliance.
Historically, the DoD relied on contractors’ self-attestations regarding cybersecurity standards. However, this approach has proven insufficient, as evidenced by recent enforcement actions under the False Claims Act (FCA). For instance, in October 2024, The Pennsylvania State University agreed to a $1.25 million settlement over allegations of failing to meet contractual cybersecurity requirements in 15 contracts involving the DoD and NASA. The university was accused of misrepresenting its compliance status and not implementing necessary security controls.
Similarly, in April 2025, defense contractor MORSECORP, Inc. settled for $4.6 million over allegations of non-compliance with NIST SP 800-171 controls and misreporting its cybersecurity assessment scores. These cases underscore the government’s commitment to enforcing cybersecurity standards through the FCA.
The CMMC’s requirement for third-party assessments introduces an additional layer of accountability, potentially mitigating FCA risks for contractors. By ensuring that cybersecurity practices are independently verified, contractors can demonstrate compliance more credibly, reducing the likelihood of FCA-related enforcement actions.
However, the implementation of CMMC also presents challenges. Contractors must invest in cybersecurity infrastructure, personnel, and processes to meet the new standards. The phased rollout, beginning in early 2025, necessitates prompt action from contractors to achieve certification and maintain eligibility for DoD contracts.
In summary, the DoD’s CMMC program represents a significant shift in cybersecurity compliance, aiming to enhance the protection of sensitive information within the defense sector. While it offers a pathway to reduce FCA risks through third-party validation, it also imposes new obligations on contractors to meet stringent cybersecurity standards.