Cybersecurity Requirements for Defense Contractors

Most AGC members will fall under Level 1 or 2, however contractors should not expect to see the CMMC clause in their contracts until approximately mid-2025.

On Dec. 16, the Department of Defense (DoD) final rule implementing the Cybersecurity Maturity Model Certification (CMMC) program went into effect. The CMMC program intends to place unified cybersecurity and information security requirements on DoD contractors and subcontractors. As AGC previously reported, the first proposed rule issued in December 2023 focused on the CMMC program and corresponding cybersecurity requirements for DoD prime and subcontractors.

The DoD is implementing the CMMC requirements over four phases, starting with the inclusion of CMMC Level 1 and Level 2 Self-Assessment requirements in all applicable DoD solicitations. Most AGC members will fall under Level 1 or 2, however contractors should not expect to see the CMMC clause in their contracts until approximately mid-2025. AGC members who fall under CMMC Level 3 requirements are not required to be Level 3 certified until a year from now.  The full rollout, which will see CMMC program requirements included in all applicable solicitations and contracts, is expected to occur sometime in 2027.

AGC has long communicated the difficulty many contractors and their subcontractors have had implementing these cybersecurity requirements and the challenges of that the CMMC model brings. AGC of America has previously commented many times on CMMC as it was developed and will continue to provide education to its members now that the program is in effect.

For more information, contact Jordan Howard.


Showing 1 reaction

Please check your e-mail for a link to activate your account.