On December 26, 2023, the Department of Defense (DoD) released the highly anticipated proposed rule for the Cybersecurity Maturity Model Certification Program (CMMC), a cybersecurity regulatory program that will likely impact most of the government contractor community. Every contractor who handles sensitive data such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) during DoD contract performance will be covered by this regulation. While the CMMC program builds upon the security requirements included in Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, CMMC will bring greater scrutiny to contractors’ cybersecurity compliance and potentially greater consequences for failure to comply in the era of the Department of Justice’s Civil Cyber Fraud Initiative and False Claims Act litigation. If finalized as proposed, the rule will significantly impact the CMMC regime, notably by requiring senior company officials to complete an affirmation for every CMMC level self-assessed or certified, thus increasing legal compliance risks.

Contractors should ensure they are prepared for the quickly approaching implementation of CMMC. Companies should make sure they have the appropriate investment of resources for compliance, which likely will require a cross-section of corporate engagement, including information security, legal, compliance, supply chain and business operation stakeholders.

Comments on the proposed rule will be accepted until February 26, 2023.

How We Got Here

DoD has focused on regulating the cyber requirements of contracts over the last decade, culminating in this proposed rule. DFARS clause 252.204-7012 (DFARS 7012) was first introduced in 2013 and modified several times, with DoD setting a mandatory implementation deadline of December 31, 2017. Since then, DoD has incorporated DFARS 7012 into almost all DoD contracts.

Over time, DoD found that contractors were not consistently implementing the DFARS 7012 requirements and that the risk of sensitive data loss remained. DoD announced the CMMC Program in 2019 and introduced both its initial version (CMMC 1.0) and the corresponding DFARS clause 252.204-7021 under an Interim Rule in September 2020. Concurrently, the Interim Rule released two clauses aimed at assessing contractor implementation of cybersecurity requirements, DFARS 252.204-7019 and DFARS 252.204-7020. With these new clauses, DoD attempted to bolster DFARS 7012 cybersecurity compliance through self-assessments and third-party assessments.

In November 2021, DoD announced “CMMC 2.0,” which established an updated program structure with three key features: tiered levels of security and implementation, assessment requirements, and implementation through contracts. The latest proposed rule establishes a revamped CMMC 2.0 Program and defines requirements for the program and for each CMMC level.

Model Overview

The proposed rule preserves the three-tiered CMMC model first introduced in CMMC 2.0:

  • CMMC Level 1 includes 15 requirements listed in Federal Acquisition Regulation (FAR) clause 52.204-21(b)(1) and is expected to apply to contractors who store, process, or transmit Federal Contract Information (FCI).
  • CMMC Level 2 includes 110 requirements from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Rev. 2, and is expected to apply broadly to contractors who store, process, or transmit Controlled Unclassified Information (CUI).
  • CMMC Level 3 has 24 selected requirements from the NIST SP 800-172 in addition to full implementation of NIST SP 800-171 and is expected to apply to a small group of DoD contractors who store, process, or transmit high-value CUI.

DoD will determine the applicable CMMC Level for each procurement, and contractors will be required to obtain a CMMC certification before they are eligible to receive a contract or subcontract award under a solicitation requiring CMMC.

Applicability

All government contractors that handle regulated data, such as CUI and FCI, under DoD contracts are required to meet CMMC. These requirements are expected to be included in all DoD solicitations valued above the micro-purchase threshold, except for procurements that are exclusively for commercially available off-the-shelf (COTS) items. CMMC requirements, however, are not applicable under the proposed rule to government information systems operated by contractors in support of the government. Additionally, CMMC program requirements may be waived in advance of the solicitation at the discretion of DoD in “very limited circumstances.”

Implementation Timeline

Now that DoD has proposed the CMMC regulatory framework, companies should begin compliance programs. The proposed rule features a four-phase implementation plan. The initial phase begins on the effective date of the CMMC rule and includes CMMC Level 1 or Level 2 self-assessments as a condition for award under applicable solicitations and contracts. Phase two begins six months after the start date of phase one and includes CMMC Level 2 certification assessments. Phase three begins one year after the start date of phase two and introduces CMMC Level 3 certification requirements. Inclusion of CMMC requirements as conditions for award will be at the discretion of DoD Program Managers until full implementation in phase four. DoD plans to include CMMC requirements in all applicable solicitations beginning October 1, 2026.

Assessments

The proposed assessment requirements include a mixture of self-assessments and third-party assessments depending upon the criticality of the data. Under the proposed rule, all CMMC Level 1 assessments will be self-assessments that require contractors to verify their own compliance with CMMC security controls and submit their assessment scores to DoD’s Supplier Performance Risk System (SPRS) before contract award and annually thereafter. CMMC Level 2 will require either a self-assessment or a certification assessment performed by a CMMC third-party assessment organization (C3PAO), which must be completed before contract award and every three years thereafter. The proposed rule does not specify how DoD will determine which contracts are subject to self-assessments versus certification assessments. At Level 3, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will perform certification assessments, which must be finalized before contract award and re-performed every three years thereafter.

Plan of Action and Milestones (POA&M) Limitations

Under the proposed rule, CMMC allows the use of POA&Ms only for certain requirements and for a limited time. POA&Ms are not permitted for Level 1 assessments. For CMMC Level 2 assessments, POA&Ms generally are not permitted for security requirements with a point value of greater than 1 (except CUI Encryption under certain circumstances) and are permitted only if the assessment score divided by the total number of security requirements is greater than or equal to 0.8 and the control does not appear in the list of POA&M prohibited controls. For Level 3 assessments, POA&Ms are permitted if the assessment score divided by the total number of security requirements is greater than or equal to 0.8 and the control does not appear in the list of POA&M prohibited controls. Each POA&M must be closed, with all requirements completed, within 180 days of the assessment. The closeout must be confirmed by a closeout assessment, which assesses only the unmet requirements identified by the POA&Ms. CMMC does not allow for organizations to request waivers for any CMMC security requirement.

Conditional and Final Certifications

The proposed rule explains that assessments may result in a Final Certification or a Conditional Certification, depending on whether the contractor has implemented all required security controls. If a contractor achieves the minimum passing score and every required security control is fully implemented, the contractor will receive a Final Certification. However, if POA&Ms exist upon completion of an assessment, the contractor will be granted a Conditional Certification. Contractors must close out their POA&Ms (i.e., fully implement all pending controls) within 180 days of the initial assessment or be subject to contractual penalties (e.g., termination) and ineligibility for future contracting opportunities requiring CMMC.

Senior Affirmations

The proposed rule requires a prime contractor and any applicable subcontractor to annually affirm compliance with the mandated security requirements. At CMMC Levels 2 and 3, contractors must also affirm compliance after every CMMC assessment (whether a self-assessment or a certification assessment), including after any POA&M closeouts. Like self-assessment scores, CMMC affirmations will be submitted electronically through SPRS. Contractors will not be eligible for awards under solicitations requiring CMMC until they submit their affirmations.

Contractors should ensure that their CMMC compliance status is carefully vetted before submitting any affirmations. The submission of an affirmation that misrepresents a contractor’s CMMC compliance status could be viewed by the government as a false statement, which could result in procurement consequences (e.g., contract termination, debarment, etc.) as well as damages and/or fines under the False Claims Act (FCA).

Key Takeaways

While waiting for publication of a final rule, companies may begin preparing for CMMC compliance by considering the following steps.

  1. Develop and Refine a System Security Plan (SSP)
    In order to prepare for a self-assessment or certification assessment, a company must complete the necessary documentation, a System Security Plan (SSP), describing how security controls are implemented. In order to effectively complete an SSP, a company must know what regulated data (e.g., FCI or CUI) exists on its network and where that data flows.
  2. Develop an Enterprise-Wide Compliance Strategy
    A robust engagement with all stakeholders of a compliance team is necessary to develop a compliance strategy that considers how the company will manage and safeguard its data. A compliance strategy may evaluate what technical gaps and legal risks exist and how they will be addressed. Such a strategy also may inform how the company structures its network and whether the company aims for a conditional or final certification.
  3. Consider a Dedicated Federal Environment
    Depending upon the volume of regulated data a company possesses and the degree of challenge implementing security controls company-wide, a company may consider erecting a dedicated environment to house its regulated data. Segmenting regulated data to a dedicated environment can reduce legal risk by limiting requirements and streamlining technical implementation while decreasing resource costs.
  4. Conduct Privileged Compliance Assessments
    Contractors should conduct compliance assessments under attorney-client privilege in order to pressure test their ability to meet the requirements enumerated in CMMC without exposing the company to risk if gaps are found. Engaging counsel with technical capabilities to conduct the assessment or to direct the assessments by third parties can benefit companies by mitigating the risk of having to disclose assessment findings in litigation or during an investigation.
  5. Develop and Refine Corporate Policies
    While technical solutions are integral to meeting CMMC requirements, a company’s cybersecurity is only as effective as the policies it adopts governing the use of such technology and regulating data traversing it. Companies should establish a practice of devising robust internal cybersecurity policies, developing incident response plans and other governance documents, and updating all for currency and accuracy.
Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Maida Oringher Lerner

Maida Lerner is senior counsel in Crowell & Moring’s Washington, D.C. office and a part of the firm’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber and physical security compliance and risk management, homeland security, and administrative matters, including trade associations and companies in the pipeline, transportation, government contracts, education, health care, and manufacturing sectors.

Nkechi Kanu

Nkechi A. Kanu is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Government Contracts Group.

Nkechi’s practice focuses on False Claims Act investigations and litigation. Nkechi has significant experience assisting companies with complex internal investigations and represents clients in government investigations involving allegations of fraud. She also focuses on assisting clients with investigations relating to cybersecurity and information security compliance. Her complementary litigation practice involves defending companies in government-facing litigation arising under the FCA, resulting in the dismissal of qui tam complaints and successful settlements of FCA claims with DOJ.

Jacob Harrison

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.

In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.

During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.

Alexis Ward

Alexis Ward represents clients in a variety of matters at the intersection of government contracts and cybersecurity utilizing her experience in analytics and data architecture to counsel clients with a practical, real-world lens. As a member of Crowell & Moring’s Privacy and Cybersecurity and Government Contracts groups, Alexis has assisted clients in matters including False Claims Act investigations; developing corporate policies, procedures and governance; and in diverse matters involving cybersecurity and data privacy compliance, risk assessment and mitigation, and incident response.

During law school, Alexis founded USC Gould’s Privacy and Cybersecurity Law Society and was on the board of OUTLaw. Alexis also worked as a teaching assistant for the graduate programs’ Information Privacy Law course. Her paper The Oldest Trick in the Facebook: Would the General Data Protection Regulation Have Stopped the Cambridge Analytica Scandal? was published by the Trinity College Law Review.