Cybersecurity: The Program Rule

June 30, 2025

The Department of Defense’s (DOD) final rule (32 CFR Part 170) for the Cybersecurity Maturity Model Certification program (CMMC) 2.0 went into effect in December 2024. This rule, often referred to as “the program rule,” formalized the role of the Cyber AB and CMMC / certification assessment ecosystem and established the security requirements organizations must implement to meet CMMC Levels 1-3. It also reaffirmed expectations around the time-phased schedule of self-assessment vs. certification requirements, though Contracting Officers retained flexibility to work ahead of the phased schedule.

While the requirement will not make its way into contracts until the second part of the rule (48 CFR Part 252 - Docket 2020-0034-0194) is finalized and effective, the now final 32 CFR Part 170 provides clarity on the future CMMC requirements. Upon contract award with the updated safeguarding and certification clauses the following assessment(s) can apply:

  • CMMC Level 1 (Self-Assessment/Attestation): DOD contractors / subcontractors who receive only Federal Contract Information (FCI), with no Controlled Unclassified Information (CUI) in scope, must meet CMMC Level 1 requirements. No CMMC Level 1 requirements are eligible to be placed on Plans of Action and Milestones (POAM). (These minimum requirements will be implemented in the initial contracting phase, following finalization of the 48 CFR rule.)
  • CMMC Level 2 (Initial Phase: Self-Assessment; Subsequent Phases: Certification Assessment & Affirmation): DOD contractors / subcontractors who manage CUI within the scope of their DOD contracts must meet CMMC Level 2 requirements (NIST SP 800-171 (R2)). All requirements must be implemented to satisfy CMMC Level 2; only select requirements are eligible for POAMs, and those POAMs may not exceed 180 days. (Self-assessment requirements are expected in the initial contracting phase, with certification requirements to follow approximately one year later.)
  • CMMC Level 3 (Phase 3+: Certification Assessment by DCMA): Expected to apply to a narrow scope of mostly DOD Prime Contractors managing CUI associated with DOD’s most critical program technologies. Certification at CMMC Level 2 (via a CMMC 3rd-Party Assessment Organization) is a prerequisite. Level 3 additionally requires full implementation (no POAM) of 24 NIST SP 800-172 requirements. (Per the phased implementation, CMMC Level 3 requirements are not anticipated in contracts until 24 months after the initial phase.)

Defense Industrial Base (DIB) companies with DOD CUI are reminded that the DFARS 252.204-7012 and DFARS 252.204-7020 regulatory mandates in current contracts continue to require organizations to assess and implement NIST SP 800-171 Revision 2 security requirements (per the DOD Class Deviation for 252.204-7012), and to submit their DOD NIST Assessment Methodology score into the DoD Supplier Performance Risk System (SPRS). By now, all DIB companies managing CUI should have fully implemented – and be confidently meeting – NIST SP 800-171 (R2) requirements.

In addition, by this time all Lockheed Martin suppliers should have transitioned their company self-assessments to the Cybersecurity Compliance and Risk Assessment (CCRA). To assist our programs with understanding and improving their suppliers’ CMMC readiness, Lockheed Martin Supply Chain Cybersecurity is reaching out to all suppliers whose latest self-assessment indicates unmet cyber requirements (including unimplemented CMMC controls). Ensure you are keeping Lockheed Martin current on your NIST assessment and level of CMMC readiness by updating your CCRA assertions in the Exostar Onboarding Module (soon to be renamed “Supplier Management”).

Suppliers are encouraged to engage with NIST MEP and/or the CyberAB Marketplace to validate preparedness for an anticipated CMMC third-party assessment and certification. Additionally, for your awareness, DOD “encourages all DIB companies to join ND-ISAC...”, both for threat intelligence sharing and as a platform to learn more about CMMC via the National Defense Information Sharing and Analysis Center (ND-ISAC) / DIB Sector Coordinating Council (SCC) Cyber Assist website.

Lockheed Martin also hosts monthly Supply Chain Cyber Academy sessions with members from the ND-ISAC/Defense Industrial Base Sector Coordinating Council to provide education and awareness of CMMC, NIST SP 800-171, cyber DFARS, and cybersecurity best practices. You can register for the monthly sessions by reviewing the calendar link provided here.

We encourage suppliers to take advantage of these resources to support ongoing efforts to protect CUI in accordance with NIST SP 800-171 and potential future CMMC requirements.

Please take a few moments to hear from Lockheed Martin’s Chief Supply Chain Officer on why Cybersecurity is a Business Imperative below.