On December 26, 2023, the Department of Defense (DoD) released the highly anticipated proposed rule for the Cybersecurity Maturity Model Certification Program (CMMC), a cybersecurity regulatory program that will likely impact most of the government contractor community. Every contractor who handles sensitive data such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) during DoD contract performance will be covered by this regulation. While the CMMC program builds upon the security requirements included in Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, CMMC will bring greater scrutiny to contractors’ cybersecurity compliance and potentially greater consequences for failure to comply in the era of the Department of Justice’s Civil Cyber Fraud Initiative and False Claims Act litigation. If finalized as proposed, the rule will significantly impact the CMMC regime, notably by requiring senior company officials to complete an affirmation for every CMMC level self-assessed or certified, thus increasing legal compliance risks.
Contractors should ensure they are prepared for the quickly approaching implementation of CMMC. Companies should make sure they have the appropriate investment of resources for compliance, which likely will require a cross-section of corporate engagement, including information security, legal, compliance, supply chain and business operation stakeholders.
Comments on the proposed rule will be accepted until February 26, 2023.
How We Got Here
DoD has focused on regulating the cyber requirements of contracts over the last decade, culminating in this proposed rule. DFARS clause 252.204-7012 (DFARS 7012) was first introduced in 2013 and modified several times with the DoD setting a mandatory implementation deadline of December 31, 2017. Since then, DoD incorporated DFARS 7012 into almost all DoD contracts.
Over time, DoD found that contractors were not consistently implementing the DFARS 7012 requirements and that the risk of sensitive data loss remained. DoD announced the CMMC Program in 2019 and introduced both its initial version (CMMC 1.0) and corresponding DFARS Clause 252.204-7021 under an Interim Rule in September 2020. Concurrently, the Interim Rule released two clauses aimed at assessing contractor implementation of cybersecurity requirements, DFARS 252.204-7019 and DFARS 252.204-2020. With these new clauses, DoD attempted to bolster DFARS 7012 cybersecurity compliance through self-assessments and third-party assessments.
In November 2021, DoD announced “CMMC 2.0,” which established an updated program structure with three key features: tiered levels of security and implementation, assessment requirements, and implementation through contracts. The latest proposed rule establishes a revamped CMMC 2.0 Program and defines requirements for the program and for each CMMC level.
The proposed rule preserves the three-tiered CMMC model first introduced in CMMC 2.0:
- CMMC Level 1 includes 15 requirements listed in Federal Acquisition Regulation (FAR) clause 52.204-21(b)(1) and is expected to apply to contractors who store, process, or transmit Federal Contract Information (FCI).
- CMMC Level 2 includes 110 requirements from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Rev. 2, and is expected to apply broadly to contractors who store, process, or transmit Controlled Unclassified Information (CUI).
- CMMC Level 3 has 24 selected requirements from the NIST SP 800-172 in addition to full implementation of NIST SP 800-171 and is expected to apply to a small group of DoD contractors who store, process, or transmit high-value CUI.
DoD will determine the applicable CMMC Level for each procurement, and contractors will be required to obtain a CMMC certification before they are eligible to receive a contract or subcontract award under a solicitation requiring CMMC.
All government contractors that handle regulated data under DoD contracts such as CUI and FCI are required to meet CMMC. These requirements are expected to be included in all DoD solicitations valued above the micro-purchase threshold, except for procurements that are exclusively for commercially available off-the-shelf (COTS) items. CMMC requirements, however, are not applicable under the proposed rule to government information systems operated by contractors in support of the government. Additionally, CMMC program requirements may be waived in advance of the solicitation at the discretion of DoD in “very limited circumstances.”
Now that DoD has proposed the CMMC regulatory framework, companies should begin compliance programs. The proposed rule features a four-phase implementation plan. The initial phase begins on the effective date of the CMMC rule and includes CMMC Level 1 or Level 2 self-assessments as a condition for award under applicable solicitations and contracts. Phase two begins six months after the start date of phase one and includes CMMC Level 2 certification assessments. Phase three begins one year after the start date of phase two and introduces CMMC Level 3 certification requirements. Inclusion of CMMC requirements as conditions for award will be at the discretion of DoD Program Managers until full implementation in Phase 4. DoD plans to include CMMC requirements in all applicable solicitations beginning October 1, 2026.
The proposed assessment requirements include a mixture of self-assessments and third-party assessments depending upon the criticality of the data. Under the proposed rule, all CMMC Level 1 assessments will be self-assessments that require contractors to verify their own compliance with CMMC security controls and submit their assessment scores to the DoD’s Supplier Performance Risk System (SPRS) before contract award and annually thereafter. CMMC Level 2 will require either a self-assessment or certification assessment, performed by a third-party assessment organization (C3PAO), which must be completed before a contract award and every three years thereafter. The proposed rule does not specify how DoD will determine which contracts are subject to self-assessments versus certification assessments. At Level 3, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will perform certification assessments, which must be finalized before contract award and re-performed every three years thereafter.
Plan of Action and Milestone (POA&M) Limitations
Under the proposed rule, CMMC allows the use of POA&Ms only for certain requirements and for a limited time. POA&Ms are not permitted for Level 1 assessments. For CMMC Level 2 assessments, POA&Ms generally are not permitted for security requirements with a point value of greater than 1 (except CUI Encryption under certain circumstances) and are permitted only if the assessment score divided by the total number of security requirements is greater than or equal to 0.8 and the control does not appear in the list of POA&M prohibited controls. For Level 3 assessments, POA&Ms are permitted if the assessment score divided by the total number of security requirements is greater than or equal to 0.8 and the control does not appear in the list of POA&M prohibited controls. Each POA&M must be closed, with all requirements completed, within 180 days of the assessment. The closeout must be confirmed by a closeout assessment, which assesses only the unmet requirements identified by the POA&Ms. CMMC does not allow for organizations to request waivers for any CMMC security requirement.
Conditional and Final Certifications
The proposed rule explains that assessments may result in a Final Certification or a Conditional Certification, depending on whether the contractor has implemented all required security controls. If a contractor achieves the minimum passing score and every required security control is fully implemented, the contractor will receive a Final Certification. However, if POA&Ms exist upon completion of an assessment, the contractor will be granted a Conditional Certification. Contractors must close out their POA&Ms (i.e. fully implement all pending controls) within 180 days of the initial assessment or be subject to contractual penalties (e.g., termination) and ineligibility for future contracting opportunities requiring CMMC.
The proposed rule requires an affirmation from a prime contractor and any applicable subcontractor to annually affirm compliance with the mandated security requirements. At CMMC Levels 2 and 3, contractors must also affirm compliance after every CMMC assessment (whether a self-assessment or an assessment certification), including after any POA&M close outs. Like self-assessment scores, CMMC affirmations will be submitted electronically through SPRS. Contractors will not be eligible for awards under solicitations requiring CMMC until they submit their affirmations.
Contractors should ensure that their CMMC compliance status is carefully vetted before submitting any affirmations. The submission of an affirmation that misrepresents a contractor’s CMMC compliance status could be viewed by the government as a false statement, which could result in procurement consequences (e.g., contract termination, debarment, etc.) as well as damages and/or fines under the False Claims Act (FCA).
While waiting for publication of a final rule, companies may begin preparing for CMMC compliance by considering the following steps.
- Develop and Refine a System Security Plan (SSP)
In order to prepare for a self-assessment or certification assessment, a company must complete the necessary documentation, a System Security Plan (SSP), describing how security controls are implemented. In order to effectively complete an SSP, a company must know what regulated data (e.g., FCI or CUI) exists on its network and where the data traverses.
- Develop an Enterprise-Wide Compliance Strategy
A robust engagement with all stakeholders of a compliance team is necessary to develop a compliance strategy that considers how the company will manage and safeguard its data. A compliance strategy may evaluate what technical gaps and legal risks exist and how they will be addressed. Such a strategy also may inform how the company structures its network and whether the company aims for a conditional or final certification.
- Consider a Dedicated Federal Environment
Depending upon the volume of regulated data a company possesses and the degree of challenge implementing security controls company-wide, a company may consider erecting a dedicated environment to house its regulated data. Segmenting regulated data to a dedicated environment can reduce legal risk by limiting requirements and streamlining technical implementation while decreasing resource costs.
- Conduct Privileged Compliance Assessments
Contractors should conduct compliance assessments under attorney-client privilege in order to pressure test their ability to meet the requirements enumerated in CMMC without exposing the company to risk if gaps are found. Engaging counsel with technical capabilities to conduct the assessment or to direct the assessments by third parties can benefit companies by mitigating the risk of having to disclose assessment findings in litigation or during an investigation.
- Develop and Refine Corporate Policies
While technical solutions are integral to meeting CMMC requirements, a company’s cybersecurity is only as effective as the policies it adopts governing the use of such technology and regulating data traversing it. Companies should establish a practice of devising robust internal cybersecurity policies, developing incident response plans and other governance documents, and updating all for currency and accuracy.