Well, the wait is over. Just as 2023 came to a close, on December 26, 2023, the Department of Defense (“DoD”) published the much-anticipated Proposed Rule for the DoD’s Cybersecurity Maturity Model Certification (“CMMC”) program (the “Proposed Rule”). It has been just over two years since “CMMC 2.0” was announced in November 2021 (which we previously discussed here). And while there is nothing particularly surprising in the Proposed Rule, there certainly are several notable additions and clarifications. Below we outline the key portions of the Proposed Rule that will be of particular importance to defense contractors.
Wait. What is the CMMC, Again?
We know – it’s been a while. So, first, a quick recap. The CMMC program is DoD’s method of ensuring contractors are adequately protecting sensitive information under DoD contracts. In particular, it will require DoD contractors to certify (following either a self-assessment, third-party assessment, and/or government-led assessment) that they are compliant with the cybersecurity requirements for protecting varying degrees of sensitive information.
When CMMC 2.0 was announced in 2021, it introduced a tiered model (with three levels), assessment and affirmation requirements, and an implementation of the CMMC framework through contractual requirements.
The Proposed Rule
Now, the Proposed Rule. Luckily, the Proposed Rule confirms much of what we expected based on the prior information released about CMMC 2.0. It also goes into detail on the structure of the program, including new roles in what the DoD is calling the “CMMC Assessment and Certification Ecosystem.” Indeed, there are sixty-eight CMMC-specific acronyms included in the Proposed Rule. Many of these relate to the entities that will provide oversight, establish standards, grant and revoke certifications, and investigate and enforce CMMC Assessments. The Rule also incorporates sixteen other cyber publications, standards, and guidelines to be used and understood by contractors.
Once the Proposed Rule becomes effective, it will create a new section in the Code of Federal Regulations (i.e., 32 CFR § 170), and implement the program (discussed in more detail below). There is a 60-day comment period for the Proposed Rule, with comments due February 26, 2024. Comments can be submitted here. As of the writing of this article, eleven comments already have been submitted (mere days after publication of the Proposed Rule). Note there is a separate rulemaking (DFARS Case 2019-D041) that will update the DFARS to align with the Proposed Rule and implement the requirements applicable to contractors.
The Assessment/Certification Levels (Levels 1-3)
As expected, there will be three assessment levels, requiring progressively higher numbers of security controls to protect progressively more sensitive data.
- Level 1 requires contractors to implement the 15 security controls outlined in FAR 52.204-21. Contractors must verify compliance via an annual self-assessment and annually report the results of the self-assessment in the Supplier Performance Risk System (“SPRS”). This means all DoD contractors and subcontractors must have a SPRS account and designated personnel who will be responsible for SPRS updates. One new requirement is that a “senior official” from the contractor must also annually affirm continuing compliance via SPRS. Finally, a Plan of Action and Milestones (“POA&M”) is not permitted for Level 1 (we discuss POA&Ms in more detail below). DoD estimates 63% of entities will be required to achieve Level 1 compliance.
- Level 2 requires contractors to implement the 110 security controls outlined in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 Revision 2 (currently required by DFARS 252.204-7012). Notably, with respect to assessments, Level 2 is bifurcated—meaning DoD will specify in the solicitation whether a self-assessment or a third-party assessment (conducted by a certified third party assessment organization (“C3PAO”)) is required based upon the sensitivity of the CUI anticipated under the contract. Either way, the assessment must be conducted triennially and the results must be entered into SPRS. Here again, a “senior official” from the contractor must also annually affirm continuing compliance via SPRS. At Level 2, contractors may have a POA&M for certain requirements. DoD estimates only 2% of entities will fall under the Level 2 self-assessment requirement, while 35% of entities will have the Level 2 Certification Assessment requirement. Thus, contractors that handle CUI under DoD contracts very likely will need to plan for a third party assessment by a C3PAO.
- Level 3 requires contractors to implement all Level 2 requirements (the 110 NIST 800-171 Rev. 2 controls) as well as 24 selected controls from NIST SP 800-172. Also, Level 3 requires a DoD-led assessment, which will be valid for three years. As with Levels 1 and 2, a “senior official” from the contractor must also annually affirm continuing compliance via SPRS. Additionally, contractors may have a POA&M for certain requirements. DoD estimates only 1% of entities will be required to comply with the Level 3 requirements.
We prepared the table below to provide an overview of each CMMC level:
|Federal Contract Information (FCI)
|15 controls (aligned with FAR 52.204-12)
|Annual Self-Assessment and affirmation (to be entered into SPRS)
|Controlled Unclassified Information (CUI)
|110 controls outlined in NIST SP 800-171 Rev 2 (and currently required by DFARS 252.204-7012)
|Triennial Self-Assessment and annual affirmation (to be entered into SPRS); closure of POA&Ms
|Triennial Certification Assessment (by a C3PAO) and annual affirmation (to be entered into SPRS); closure of POA&Ms
|CUI, plus risk of Advanced Persistent Threats (APT)
|110 controls outlined in NIST SP 800-171 Rev 2, plus 24 controls from NIST SP 800-172
|Triennial DoD-led Certification Assessment and annual affirmation (to be entered into SPRS); closure of POA&Ms
Contractors should be aware that these new certification and affirmation requirements open the door for liability under the False Claims Act amid a marked increase in cybersecurity whistleblower cases and fraud enforcement actions initiated by the Department of Justice’s Civil Cyber Fraud Initiative. We have previously discussed these enforcement actions here and here. Senior officials responsible for annual affirmations should take actual (i.e., documented) steps to confirm continuing compliance before submitting such an affirmation rather than treating this as a check-the-box exercise.
Plan of Action and Milestones
The Proposed Rule provides new details about the use of POA&Ms. In order to foster flexibility and collaboration, the DoD will permit contractors to institute POA&Ms for certain controls for Levels 2 and 3. This creates a “conditional certification” requiring the POA&M to be addressed and closed out within 180 days. If a contractor has not met all the security controls required by a certain level, it still can be assessed for certification and use a POA&M to supplement and extend the timeline for compliance. The POA&Ms must be closed out by the same party that conducted the assessment (e.g., self-assessment must be closed out by the company). Notably, certain security controls (e.g., maintaining physical access logs for Level 2 or having a cyber incident response team for Level 3) cannot be included in the POA&M. Because successful execution of a POA&M is a condition of certification, failure to implement the changes of the POA&M within the required timeframe can result in loss of certification and loss or termination of a contract award.
Implementation – When Do The CMMC Requirements Take Effect?
Well, it’s not entirely clear. What we know is this: we now have a Proposed Rule with a 60-day comment period. But note the implementation timeline set forth in the Proposal Rule is based on the effective date of the CMMC revision to the DFARS, which will occur under separate rulemaking (DFARS Case 2019-D041). Currently, it is anticipated that a Notice of Proposed Rulemaking (NPRM) for this DFARS case will be released in March 2024. Once this happens, there likely will be another comment period and review before that rule becomes effective. Assuming DoD allows for another 60 day comment period and review and consideration of all of the comments, it could still be several months before the rule becomes effective. On average, final rules are published 6-7 months after the comment period closes. Additionally, final rules generally become effective a minimum of 30 days after they are published. As such, the final CMMC rule probably will not become effective until Summer 2024 (at the earliest).
What is much clearer is the implementation timeline after the effective date of the CMMC revision to the DFARS. The Proposed Rule lays out a four-phased process for implementing the CMMC program.
|On the date CMMC revisions to the DFARS become effective (DFARS case 2019-D041).
|Inclusion of CMMC Level 1 or CMMC Level 2 Self-Assessment requirement in applicable solicitations/contracts (as a condition of award).
|Six months after Phase 1 begins.
|CMMC Level 2 Certification Assessments (i.e., C3PAO assessments) in applicable solicitations/contracts (as a condition of award).
|One calendar year after Phase 2 begins.
|CMMC Level 2 Certification Assessment for exercising option periods; and CMMC Level 3 Certification Assessment for all applicable solicitations/contracts (as a condition of award).
|One calendar year after Phase 3 begins.
|Full implementation of the CMMC requirements in all applicable solicitations and contracts, including option periods on contracts.
As such, once the DFARS changes become effective, it will take at least 2.5 years for full implementation of the program. The Proposed Rule provides that the DoD may waive the CMMC requirements in certain solicitations and contracts, but we do not expect these waivers to be utilized often.
Timing of Assessments/Certifications
For new contracts, the applicable CMMC Level will be specified in the solicitation, and compliance with the Level’s requirements will be “a condition of award.” This language suggests that offerors will not necessarily have to meet the requirements of the specified Level when they submit a proposal, but offerors will need to meet all of the requirements (or have an acceptable POA&M in place for Level 2 or 3) in order to receive an award. Hypothetically, agencies may opt to include a CMMC certification as a solicitation requirement/evaluation criteria. The Proposed Rule states DoD believes it will take two years for companies to become CMMC certified, meaning contractors will not want to wait until the proposal phase to ensure they can meet the requirements.
Requirements for Subcontractors and Service Providers
The Proposed Rule confirms that DoD wants the CMMC requirements to apply throughout the supply chain, at all tiers. This includes small businesses and providers of commercial products/services. The only exception to the flow down requirements is for contractors that supply exclusively commercial off-the-shelf (“COTS”) products. The three main categories of entities to which the CMMC requirements must be flowed down are (1) subcontractors; (2) external service providers (“ESPs”); and (3) cloud service providers (“CSPs”). Currently, DFARS 252.204-7012 specifies cybersecurity requirements for cloud service providers; the Proposed Rule specifies that contractors must also ensure protection for federal contract information (“FCI”) and controlled unclassified information (“CUI”) when shared with other service providers that may not act as traditional subcontractors. Because of the broad flow down obligations, contractors will need to ensure their various subcontractors and service providers also are compliant with the requisite CMMC requirements.
Unsurprisingly, the term “subcontractor” is defined quite broadly, in accordance with 48 CFR 3.502-1, as “any person, other than the prime contractor, who offers to furnish or furnishes any supplies, materials, equipment, or services of any kind under a prime contract or a subcontract entered into in connection with such prime contract; and [i]ncludes any person who offers to furnish or furnishes general supplies to the prime contractor or a higher tier subcontractor.” While the definition of subcontractor varies through the FAR and DFARS, we’re hoping to see some unification later this year via DFARS Case 2023-D022 (which our colleagues previously wrote about here).
For subcontractors, if the requisite CMMC Level applicable to subcontractors is not already identified in the solicitation, then the prime contractor must identify the required CMMC Level for its subcontractors. If the prime contractor is uncertain about what Level should apply the contractor should consult with the government program office for the particular solicitation/contract. The Proposed Rule provides some guidance regarding determining the appropriate Level:
- Level 1 will be required if the subcontractor will only process, store, or transmit FCI in performance of the contract.
- Level 2, Self-Assessment will be required if the subcontractor will process, store, or transmit CUI in performance of the contract and the prime contractor has a requirement for a Self-Assessment.
- Level 2, Certification Assessment (by a C3PAO) will be required if the subcontractor will process, store, or transmit CUI in performance of the contract and the prime contractor has either (1) a requirement for a Certification Assessment; or (2) a requirement for a Level 3 Certification Assessment.
Two items are worth noting here. First, the Proposed Rule does not contemplate a requirement for a Level 3 Certification for a subcontractor. Second, the Levels outlined in the flow down requirements are the minimum requirements (i.e., the floor, not the ceiling). As such, a prime contractor could decide to require its subcontractors to obtain a higher level assessment or certification than the assessment or certification required by the solicitation.
External Service Providers
ESPs are defined as “external people, technology, or facilities that an organization utilizes for provision and management of comprehensive IT and/or cybersecurity services on behalf of the organization.” ESPs must have a CMMC Level Certification equal to or greater than the Level required by the contract if CUI or Security Protection Data (e.g., log data, configuration data) is processed, stored, or transmitted on the ESP’s assets.
Cloud Service Providers
CSP is defined as “an external company that provides a platform, infrastructure, applications, and/or storage services for its clients.” Currently, DFARS 252.204-7012 specifies that a DoD contractor using a CSP to house CUI must ensure the CSP meets the FedRAMP Moderate baseline or “equivalent,” and agrees to comply with certain incident response requirements. The Proposed Rule contains a similar requirement and provides more detail on how equivalency is determined. For CMMC Levels 2 and 3, contractors may use a CSP that is FedRAMP Moderate (or higher) Authorized or meets the security requirements equivalent to those of FedRAMP Moderate or High. To show equivalency, a contractor must have the CSP’s System Security Plan (“SSP”) or other security documentation demonstrating compliance and a Customer Responsibility Matrix (“CRM”) mapped to NIST SP 800-171 Rev 2.
The Proposed Rule contemplates two types of disputes. First, there may be disputes over a Certification Assessment (i.e., the contractor disagrees with the C3PAO or with the DoD regarding its CMMC assessment). Second, there may be disputes with the contracting officer regarding which Level should be included in the solicitation.
The CMMC Accreditation Body (“Cyber AB”) and the DoD will oversee the Certification Assessment disputes process. Many details are not yet available, but appeals of DoD Certification Assessments will go through the Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”). For third party assessments, each C3PAO is required to establish an internal appeals processes that can be escalated to the Cyber AB for resolution.
Separately, a dispute related to the CMMC Level required by a particular solicitation should be directed to the contracting officer. If the dispute cannot be resolved informally, this type of dispute likely will follow the usual process for pre-award bid protests.
International / Foreign Entities
CMMC requirements also are applicable to international members of the Defense Industrial Base. Accordingly, contractors will be required to flow down CMMC requirements to foreign subcontractors that store, process, or transmit FCI or CUI. In response to comments on this topic, the Proposed Rule makes clear that international suppliers will be subject to the same requirements as U.S. entities and there is no plan yet to allow for reciprocity or accommodations for international cybersecurity standards. (But we note some of the commentary in the Proposed Rule appears to leave open the possibility that DoD may review and accept alternative frameworks/standards at some point.) Notably, while there is no general prohibition of foreign dissemination of CUI, contractors should be mindful of export restrictions.
For those contractors that have been waiting to finalize their CMMC plans – now is the time for action. In theory, we could begin seeing the first CMMC requirements in solicitations as soon as Summer 2024. While we expect there will be a significant number of comments submitted in response to the Proposed Rule, the effective requirements likely will very closely resemble those in the Proposed Rule. As such, contractors should refocus on their strategies and timelines in light of the Proposed Rule, determine what CMMC Level(s) are likely to be included in their future contracts (based on the type and sensitivity of data involved), and get going on plans to achieve compliance (via self- or third-party assessments) in the meantime.