By now, most defense contractors are familiar with the CMMC, which is the DoD’s new cybersecurity certification requirement. The CMMC is a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 400,000 companies in the supply chain. The CMMC was developed in response to significant compromises of sensitive information contained in contractor information technology systems. Previously, contractors were responsible for implementing, monitoring, and self-certifying the security of their information technology systems and any sensitive DoD information stored on or transmitted by those systems. Now, contractors remain responsible for implementing critical cybersecurity requirements, but the CMMC shifts the paradigm by mandating third-party assessments of contractors’ compliance with certain practices, procedures, and capabilities to ensure that they can adapt to new and evolving cyber threats from foreign and domestic adversaries. The DoD plans to implement the CMMC requirements through a phased roll-out, with all requirements becoming effective in 2025. We previously discussed the CMMC framework in a September 2019 blog post, a podcast in March 2020, and a client alert in June 2020.