Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC)


The Cybersecurity Maturity Model Certification (CMMC) program is aligned to the Department of Defense (the Department, DoD) information security requirements for Defense Industrial Base (DIB) partners. It is designed to enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process information considered sensitive to the DoD.

CMMC Status

On December 26, 2023, the DoD released the highly anticipated proposed rule for CMMC which requires contractors, including suppliers/subcontractors, entrusted with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) to implement cybersecurity standards at progressively advanced levels depending on the type and sensitivity of the information.

While the rulemaking process is ongoing, contractors should ensure they are prepared for the upcoming requirements of CMMC. Companies should make sure they have the appropriate investment across multiple groups within the organization, including cyber, information security, legal, compliance, supply chain and critical business stakeholders.

Proposed Levels and Assessments

CMMC Assessments, based on the proposed rule, will be conducted by three different groups, based on level of achievement. Results of those assessments will be reported in DoD’s Supplier Performance Risk System (SPRS)

  • Contractors input Level 1 and Level 2 Self-Assessments directly into SPRS
  • C3PAO inputs CMMC Level 2 Certification Assessment in the CMMC Enterprise Mission Assurance Support Service (eMASS)
  • DIBCAC inputs CMMC Level 3 Certification Assessments in eMASS

Affirmations by a senior official from the prime contractor and any applicable subcontractor will be required to affirm continuing compliance with the specified security requirements after every assessment, including POAM closeout and annually thereafter. These affirmations will be entered electronically in SPRS.

Proposed Schedule

There is a notional timeline that assumes DFARS 252.204-7021 CMMC Requirements are finalized and effective on 1/1/2025. The phases will be conducted as such:

  • Phase 1: January 1, 2025 – June 30, 2025
  • Phase 2: July 1, 2025 – June 30, 2026
  • Phase 3: July 1, 2026 – June 30, 2027
  • Phase 4: On/after July 1, 2027

For additional information please refer to the DoD CIO website.

Reporting a Cybersecurity Incident

In accordance with DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, Suppliers are required to rapidly report cyber incidents within 72 hours of discovery.

The GDIT Cyber Security team responds to and investigates cyber security incidents related to misuse or abuse of GDIT information and information technology resources. A cyber security incident is defined as any event that adversely impacts GDIT data or information systems or is a real or suspected action inconsistent with GDIT Privacy or Acceptable Use policies.

If you experience, observe, or are made aware of activity which you believe may be related to a cyber security incident, immediately email the relevant information to or call the GDIT SOC Hotline number 1-571-386-3500.

Achieving Cybersecurity Compliance – Helpful Cybersecurity References