Back

CMMC Program Proposed Rules and Cost Impacts

CMMC v2 Proposed Rules have introduced several key updates and new requirements. Let's review the new items found within, including cost impacts.

4 min read
Published on Dec 27, 2023
CMMC 2.0 Proposed Rule

The Cybersecurity Maturity Model Certification (CMMC) Program’s 2023 update introduces significant changes, affecting contractors and subcontractors involved with the Department of Defense (DoD). These modifications are critical in shaping the landscape of cybersecurity practices within the defense sector. In this blog post, we’ll dive into the new sections of the CMMC Program Proposed Rules, providing a comprehensive summary and highlighting the potential cost impacts on contractors and subcontractors.

The Proposed Rule of the Cybersecurity Maturity Model Certification (CMMC) v2 Program introduces significant changes, particularly affecting contractors and subcontractors in the defense sector. These updates are critical for enhancing cybersecurity measures in alignment with the Department of Defense (DoD) requirements. This blog post delves into the specific new sections introduced in the CMMC Program Proposed Rules and discusses the potential financial impacts these changes may have on contractors and subcontractors.

New Sections

The following are sections that are labeled (NEW) within the proposed rules:

  1. Assessment Requirements at Level 1 (NEW): This section mandates annual self-assessment for contractors and subcontractors to ensure they meet the security requirements outlined in FAR clause 52.204–21. The results of these assessments must be recorded in the Supplier Performance Risk System (SPRS), adding an additional layer of accountability and traceability.

  2. New CMMC Assessment Scope and Annual Affirmations (NEW):

    • This rule stipulates that any system falling under the new CMMC Assessment Scope cannot process, store, or transmit Controlled Unclassified Information (CUI) until it has been validated through a new CMMC assessment. Furthermore, a senior organization official must annually affirm that the organization complies with the specified CMMC level, emphasizing the importance of continuous compliance.
  3. Monitoring Contractor Compliance (NEW):

    • This section places the onus of monitoring compliance with contract terms directly on contractors. It highlights that the DoD will not employ continuous monitoring in place of compliance requirements, making it clear that the responsibility lies with the contractors.
  4. Affirmation Requirements at Level 2 (NEW):

    • This new requirement compels senior officials from prime contractors and any applicable subcontractors to affirm annually their organization’s compliance with specified security requirements. This affirmation must be entered electronically into the SPRS.
  5. Affirmation Requirements at Level 3 (NEW):

    • Similar to Level 2, this section requires affirmations of compliance post-assessment and annually thereafter. However, it adds that additional security requirements will be prescribed for Level 3 upon the finalization of CMMC.
  6. Updates to CMMC Levels 4 and 5 Based on Public Comment (NEW):

    • This section responds to public feedback about the disconnect between NIST SP 800–171B/172 and CMMC 1.0 Levels 4 and 5. It introduces a degree of flexibility in implementation to accommodate various organizational structures and threat models.
  7. New Requirements for CMMC Level 3 (NEW):

    • This section introduces additional security protection and assessment requirements derived from NIST SP 800–172. It emphasizes the evolving nature of cybersecurity threats and the need for advanced protective measures.

Cost Impacts to Contractors and Subcontractors

The revised CMMC Program rules will have several financial implications for defense contractors and subcontractors:

  1. Enhanced Administrative and Compliance Costs:

    • The additional self-assessment and affirmation requirements across CMMC levels will likely increase the administrative workload. This could lead to higher operational costs, especially for smaller organizations that may lack the necessary resources for regular compliance activities.
  2. Need for Advanced Cybersecurity Solutions:

    • Compliance with the updated security requirements, particularly at higher CMMC levels, will necessitate investments in state-of-the-art cybersecurity infrastructure and tools. This could be a significant expenditure, especially for organizations that currently lack advanced cybersecurity measures.
  3. Training and Personnel Development Expenses:

    • Ensuring staff are well-versed in the latest cybersecurity practices and compliance requirements may require ongoing training programs. This could result in increased expenditure on training and personnel development.
  4. Potential Cost Savings with Flexibility:

    • The flexibility offered in the implementation of Levels 4 and 5 may allow organizations to adopt cost-effective cybersecurity measures that are tailored to their specific needs and threat environments.
  5. Unforeseen Reassessment Costs:

    • Changes in the CMMC Assessment Scope could necessitate new assessments, leading to unexpected financial burdens, especially for organizations that undergo frequent infrastructure changes or expansions.

Conclusion

The Proposed Rule to the CMMC V2 Program Proposed Rules represent a significant stride in advancing cybersecurity standards within the defense sector. While these changes aim to fortify cybersecurity defenses, they also bring forth new financial challenges for contractors and subcontractors. Organizations must navigate these changes carefully, balancing the costs of compliance with the necessity of robust cybersecurity practices. This balance is essential for safeguarding sensitive information against evolving cyber threats while maintaining fiscal sustainability.

Related Posts

CMMC Documentation Requirements: Avoid Assessment Failure

GIGO: Garbage In, Garbage Out: Why Documentation Can Make or Break Your CMMC Success

Strong documentation is critical to CMMC success. Learn the key evidence assessors expect and how to avoid common documentation failures.

Jul 24, 2025
5 min read
Fast-Track CMMC Certification for Urgent Contracts

How to Fast-Track CMMC Certification for Urgent Contracts with AgileThrive JumpStart

Need urgent CMMC certification? AgileThrive JumpStart accelerates compliance for DoD contractors with fast-track assessments, gap analysis, and rapid audit readiness.

Jul 21, 2025
5 min read
Defending Against Email Compromise

Defending Against Email Compromise: Safeguarding Accounting & Procurement

Discover how to defend accounting and procurement teams from email compromise in the Defense Industrial Base. Learn CMMC-aligned best practices using Microsoft 365.

Jul 15, 2025
4 min read
Technical vs. Process Controls in CMMC Compliance

Understanding Technical vs. Process Controls for CMMC Compliance

Understand the difference between technical and process controls in CMMC compliance. Learn how both work together to protect FCI and CUI data effectively.

Jul 14, 2025
4 min read
20 Essential Questions to Ask a Managed Service Provider

Top Questions to Ask Your Managed Service Provider (MSP)

Looking for a new MSP? Stay ahead with the top questions to ask—from security and scalability to pricing and offboarding. Vet your provider with confidence.

Jul 12, 2025
5 min read
Overview of CMMC 2.0 and Its Levels: DoD Compliance Guide

CMMC 2.0 Explained: Levels, Compliance Requirements, and Key Changes

CMMC 2.0 simplifies cybersecurity requirements for DoD contractors. Explore an overview of its levels, key changes from CMMC 1.0, and what each level means for compliance.

Jul 11, 2025
6 min read

Ready to Secure and Defend Your Data
So Your Business Can Thrive?

Fill out the form to see how we can protect your data and help your business grow.

Loading...
Secure. Defend. Thrive.

Let's start a conversation

Discover more about Agile IT's range of services by reaching out.

Don't want to wait for us to get back to you?

Schedule a Free Consultation

Location

Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

Secure. Defend. Thrive.

Don't want to wait for us to get back to you?

Discover more about Agile IT's range of services by reaching out

Schedule a Free Consultation