Cybersecurity

About CMMC

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a comprehensive framework launched by the Department of War (DoW) to protect the Defense Industrial Base (DIB) from increasingly frequent and complex cyber-attacks. It particularly aims to safeguard information defined as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared within the DIB.

CMMC 2.0 builds on existing trust-based regulations (DFARS 252.204-7012) by adding a verification component for cybersecurity requirements. The program has three key features:

  • Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets out the process for requiring protection of FCI and CUI that is flowed down to subcontractors.
  • Assessment Requirement: CMMC assessments allow the DoW to verify the implementation of existing cybersecurity standards through the use of approved auditors.
  • Implementation through Contracts: Once CMMC is fully implemented, certain DoW contractors that handle FCI and/or CUI electronically will be required to achieve a particular CMMC level as a condition of contract award.

It is imperative that all HII subcontractors and/or suppliers that receive and generate FCI and/or CUI meet these new DFARS requirements to be eligible for future work that will contain CMMC 2.0 requirements. Together our continued diligence will protect vital information, minimize risks and secure a competitive advantage for all parties.

Cyber Incident Reporting

When a cyber incident is discovered, contractors, subcontractors and suppliers must conduct a review for evidence of compromise of covered defense information and report to the DoW and HII within 72 hours. A “cyber incident” is defined as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.

Supplier Flow Down

When engaging with other suppliers that require access to covered defense information in performance of a contract, include the DFARS 252.204-7012 clause in any subcontracts, or similar contractual instruments with those suppliers. Read the full clause here.

FAQs

What is Federal Contract Information (FCI)?

Per FAR 52.204-21(a): Federal Contract Information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

What is Controlled Unclassified Information (CUI)?

Per 32 CFR Part 2002.4(h): Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see paragraph (e) of this section) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.

See also the DoD CUI Quick Reference Guide at dodcui.mil

Is anyone exempt from CMMC requirements?

The following exemptions apply for CMMC requirements:

  • Commercial Off The Shelf (COTS) Products
  • Purchases below the current micro-purchase threshold (Per FAR 2.101: $10,000)

You are also not required to implement CMMC if FCI or CUI data is not generated, received, or transmitted electronically by your company.

When would CMMC 2.0 affect me?

New prime contracts after November 10, 2025 may include the DFARS 252.204-7021 clause. This mandatory flow-down clause will affect any supplier or subcontractor who processes, stores, or transmits FCI or CUI on their information system in support of that prime contract. The CMMC Level required is determined by the type of information (FCI/CUI) flowed down and the Level specified in the clause.

How will I know what CMMC Level my company will be required to meet?

Specific to each contract, it will be based on the information flowed down to your company from HII. If we flow down FCI data, Level 1 will be required. If we flow down CUI data, Level 2 will be required.

When do I have to mark CUI?

CUI flowed down from HII will already be marked as CUI, or one of the legacy markings. You will be required to mark CUI that you generate in support of the contract in accordance with the DoW CUI guidance found at:

Department of War CUI Registry

Legacy CUI Markings – how do I identify those that are equivalent to modern day CUI markings?

Legacy drawings, specifications, and technical data documents may be marked with a number of legacy markings, such as the following examples:

  • Distribution Statement B through F
  • NOFORN

When would I expect marking changes on CUI?

Legacy documents are not required to change the markings to “CUI” until there is a change or update to the document itself.

What is the difference between the NIST 800-171 and CMMC Level 2 self-assessments?

There is no difference in scope between the two assessments, only in how they are scored and entered into SPRS. NIST 800-171 self-assessments are completed outside of SPRS, and only the score, date, and other details are entered in SPRS. The CMMC Level 2 self-assessment requires you to attest in SPRS to each control you scored on your NIST self-assessment; SPRS then computes your final score and any POA&M requirements. If your company has completed an external NIST 800-171 self-assessment, your company can use those results to attest to each control in the CMMC Level 2 Self-Assessment section in SPRS.

Will my C3PAO assessment be acceptable for contracts without the CMMC clause?

Yes, C3PAO certifications satisfy all legacy NIST 800-171 or any Level 2 CMMC requirements to handle CUI.

Where do I send my certifications?

When would my company need a JCP?

Any supplier registered and physically located in the U.S. or Canada who handles CUI within the Defense and Export Control categories listed on the CUI Registry. Examples within these two categories include: Controlled Technical Information, DoW Critical Infrastructure Security Information, Naval Nuclear Propulsion Information, Unclassified Controlled Nuclear Information; Export Controlled, Export Controlled Research.

In order to apply, suppliers must have an active SAM registration and CAGE (US)/NCAGE (Canada) code, complete a cybersecurity assessment (NIST SP 800-171), and upload those results to SPRS. Refer to the JCP website at https://www.dla.mil/Logistics-Operations/Services/JCP/#joint-certification-program-jcp-office for current information.

As of the date of this publication, the JCP website states that on 9/10/2025 the Department of War (DoW) published the Cybersecurity Maturity Model Certification (CMMC) Acquisition Rule, mandating that companies handling sensitive unclassified DoW information implement progressively advanced cybersecurity standards based on data type and sensitivity. Under this rule, the Joint Certification Program (JCP) will gradually implement CMMC requirements from November 10, 2025, to November 10, 2028, after which contractors seeking new or renewed JCP Certification must obtain a CMMC Level 2 Certification from a Certified Third-Party Assessment Organization (C3PAO). This certification is essential for protecting export-controlled information in line with U.S. law and the DoW Controlled Unclassified Information (CUI) Program.

See also the DoW CMMC FAQs at https://dodcio.defense.gov/CMMC/FAQ/