Takeaways

The proposed rule requires contractors to make annual affirmations regarding their cybersecurity maturity, thus increasing their risk of False Claims Act liability.
The proposed rule allows for limited use of Plans of Action and Milestones (POA&Ms) to meet certain security control requirements for up to 180 days after an assessment.
The Department of Defense expects to fully implement the CMMC Program by October 1, 2026, with initial implementation beginning much sooner.

On December 26, 2023, the Department of Defense (DoD) issued the long-awaited Cybersecurity Maturity Model Certification (CMMC) proposed rule and related guidance. As we have previously reported, CMMC is a program developed by the DoD to protect the Defense Industrial Base from cyber threats. Under this program, nearly all DoD contractors and subcontractors would be required to achieve certain levels of cybersecurity maturity. The DoD first announced the CMMC program in 2019, then issued an initial version of the program (CMMC 1.0) in November 2020. In November 2021, the DoD announced that it would be overhauling the CMMC Program and replacing it with CMMC 2.0. The purpose of CMMC 2.0 was to restructure the CMMC Program and to reduce the cost and administrative burden of achieving cybersecurity compliance. The newly released proposed rule implements many aspects of CMMC 2.0 and introduces additional requirements. Below is a summary of some of the key aspects of the new rule. If implemented, the proposed rule would represent the DoD’s first implementation of the much-debated CMMC Program. Comments on the proposed rule are due on February 26, 2024.

Security Controls
The proposed rule codifies the CMMC Program by adding a new Part 170 to Title 32 of the Code of Federal Regulations. Under this proposed regulation, the CMMC Program will apply to DoD contractors and subcontractors at all tiers who process, store or transmit federal contract information (FCI) or controlled unclassified information (CUI) on contractor information systems. CMMC requirements will not be included in contracts below the micro-purchase threshold (generally $10,000) or contracts exclusively for commercially available off-the-shelf (COTS) items. Consistent with the version of CMMC 2.0 published in 2021, the proposed rule includes three levels of cybersecurity maturity. At Level 1, contractors and subcontractors will be required to implement the 15 security requirements currently required by FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. At Level 2, contractors and subcontractors will be required to implement the 110 security requirements specified in the National Institute of Standards and Technology (NIST) Special Publication 800-171. This requirement is currently imposed on contractors and subcontractors by DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. At Level 3, contractors and subcontractors will be required to meet the requirements of Level 2 and implement the 24 selected security requirements from NIST SP 800-172.

Assessment Requirements
Since the inception of the CMMC Program, there has been significant focus on how contractors will be assessed at Levels 1 through 3. The proposed rule states that for Level 1, contractors and subcontractors will perform an annual self-assessment and enter the results electronically in the Supplier Performance Risk System (SPRS). For Level 2, contracts will include either a self-assessment requirement or a certification assessment requirement. Certification assessments will be performed by third-party assessment organizations and will be valid for up to three years. The third-party assessment organization will enter the assessment information electronically into the CMMC Enterprise Mission Assurance Support Service (eMASS), which will electronically transmit the assessment results into SPRS. For Level 3, contractors and subcontractors will need to be certified through the DoD. Certifications will be valid for up to three years, and the DoD assessor will enter the assessment information electronically into eMASS, which will electronically transmit the assessment results into SPRS.

POA&Ms
As part of CMMC 2.0, the DoD announced that it would allow limited use of Plans of Action and Milestones (POA&Ms) for requirements that a contractor has not yet fully implemented. This was viewed as a welcome change from CMMC 1.0, which did not allow POA&Ms. Under the proposed rule, POA&Ms will be permitted for Levels 2 and 3 but must be closed out within 180 days of the assessment. In addition, certain requirements under Levels 2 and 3 will be mandatory and cannot be subject to a POA&M. For Levels 2 and 3, there will be a minimum required score for a Conditional Certification Assessment. This Conditional Certification Assessment will become a Final Certification Assessment once the contractor or subcontractor closes out all POA&M items.

Affirmation Requirements
The proposed rule also includes new affirmation requirements. Specifically, the rule requires that a senior official from the contractor or subcontractor affirm continuing compliance with the specified security requirements after every assessment, including POA&M closeout, and annually thereafter. Affirmations will be entered electronically in SPRS. This requirement is significant, as these affirmations could open contractors up to False Claims Act liability if the affirmations are inaccurate. Thus, contractors and subcontractors must continuously monitor their compliance with the relevant security controls to ensure that they remain in compliance.

Applicability
After the CMMC Program is fully implemented, DoD solicitations that involve the processing, storing or transmitting of FCI or CUI on contractor systems will identify a CMMC level and assessment type. Contractors will need to be self-assessed or certified at the applicable level before contract award. Prime contractors will be required to flow the CMMC level requirements down to their subcontractors.

Timing
The proposed rule envisions a phased implementation of the CMMC Program, which will begin with Phase 1 when the implementing DFARS clause, DFARS 252.204-7021, is finalized. Phase 1 will last for six months. During Phase 1, the DoD will include Level 1 and 2 self-assessment requirements as a condition of contract award. Phase 2 will begin six months after the start of Phase 1 and will last for one year. During Phase 2, the DoD will roll out Level 2 certification assessment requirements. Phase 3 will begin 18 months after the start date of Phase 1 and last for one year. During Phase 3, the DoD will roll out Level 3 certification assessment requirements. Finally, Phase 4 will begin 30 months after the start date of Phase 1 and involve the full implementation of all CMMC requirements.

Notably, although the timing of the phased implementation is based on the finalization of DFARS 252.204-7021, the proposed rule also states that the DoD expects to include CMMC requirements for Levels 1, 2 and 3 in all solicitations issued on or after October 1, 2026. Although October 2026 may seem far away, implementation is likely to begin sooner. Therefore, contractors should start evaluating how to comply with the CMMC Program. This should include assessing current System Security Plans (SSPs) and POA&Ms and determining what action will be required to close the POA&Ms. We are continuing to follow related developments and will report on those in the coming weeks and months.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.