BLUF - Bottom Line Up Front
The memo affects senior DoD leaders, program managers, contractors, and acquisition executives involved with DoD contracts. Starting January 15, 2025, contracts must specify a CMMC level based on information sensitivity. Levels range from self-assessment for basic info to certification for sensitive data. Waivers are possible, but minimum security rules remain. Organizations must assess their cybersecurity, ensure subcontractors comply, and plan for the necessary CMMC assessment or certification. Regularly update practices per DoD guidance.
Who does this memo apply to?
- DoD and its components: senior Pentagon leadership; Defense Agency and DoD Field Activity Directors.
- Program Managers and requiring activities: the people inside DoD who define contract requirements, decide what level of CMMC (Cybersecurity Maturity Model Certification) to require in solicitations/contracts, or request waivers if needed.
- Contractors / subcontractors in the Defense Industrial Base (DIB) who process, store, or transmit DoD's Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on non-federal, unclassified systems.
- Service / Component Acquisition Executives (SAEs / CAEs): they have authority to grant waivers of CMMC assessment requirements under certain circumstances.
What does the memo mean for your organization?
Depending on what your organization does (contracting / subcontracting with DoD, handling CUI/FCI, etc.), the implications could be significant. Here are the key takeaways and impacts:
| Implication | Details / Impact |
|---|---|
| Requirement to have a CMMC level in contracts | Starting January 15, 2025, all DoD procurement requests/contracts must designate a required CMMC assessment level appropriate to the kind of information involved (FCI / CUI), per the guidance in the memo. |
| Different levels of assessment depending on risk and sensitivity | • Level 1: self-assessment if only FCI is involved. • Level 2: self-assessment or third-party assessment when CUI is involved. • Level 3: certification (by DoD's assessment bodies) when CUI requires "enhanced protections" (NIST SP 800-172), i.e. mission-critical / unique technologies, or where high risk is identified. |
| Waiver mechanism | SAEs/CAEs (with coordination up through DoD CIO and possibly under oversight of higher acquisition authorities) may waive the requirement for a CMMC assessment under certain conditions, e.g. to avoid loss of competition, or when including the requirement would unreasonably delay delivery. The underlying security requirements (FAR / DFARS clauses) still apply. |
| Flow-down to subcontractors | If a prime contractor is handling CUI or FCI under a contract, the CMMC level requirement (and assessment) may need to be flowed down to subcontractors. The memo emphasizes that risk from supply chain / subcontractor systems must be considered. |
| No waivers of the underlying security obligations | Even if a CMMC assessment requirement is waived, the minimum security standards (FAR 52.204-21, DFARS 252.204-7012, NIST SP 800-172 if applicable) still apply. A waiver covers only the assessment requirement, not the cybersecurity obligations themselves. |
| Reporting & oversight | DoD will monitor waivers: SAEs/CAEs must report quarterly all contracts where CMMC assessment requirements were waived, what level would have applied, product/service codes, etc. |
What to Do / Prepare for
- Determine what kind of DoD information (if any) your organization handles: FCI / CUI / none. That drives the minimum CMMC level you’ll need.
- Assess your current cybersecurity posture: Are you meeting NIST SP 800-171 (for CUI)? If mission-critical / unique tech is involved, also look into NIST SP 800-172 requirements.
- Plan for obtaining the appropriate CMMC assessment or certification, or understand whether a waiver could apply.
- Ensure your contracts / subcontracts flow down requirements to any subcontractors or suppliers who may process/store/transmit DoD data, so that the entire chain complies.
- Stay current with guidance from DoD CIO, acquisition executives, and any guidebooks (e.g. the one for NIST SP 800-172).