On December 26, 2023, the Department of Defense (“DoD”) published the long-awaited Proposed Final Rule for the Cybersecurity Maturity Model Certification (“CMMC”) program. At a high level, the CMMC program is a mechanism by which the DoD can verify that contractors and subcontractors have implemented security measures to protect Controlled Unclassified Information (“CUI”) and Federal Contract Information (“FCI”). The CMMC program is designed to require contractors and subcontractors with access to CUI and FCI to demonstrate the maturity of their cybersecurity programs.
Comments on this proposed final rule can be submitted within a 60-day comment period, which ends on February 26, 2024.
So how did we get here? A quick review shows that the CMMC proposed final rule is many years in the making. It is a simple fact that the DoD must rely on private sector companies to provide needed goods and services. These companies, which compose the Defense Industrial Base (“DIB”), may present significant cybersecurity risks to the military to the extent that their information systems are compromised.
To mitigate these risks, the DoD began to include clauses in its contracts prescribing various cybersecurity requirements. Most notably, the DoD created Defense Federal Acquisition Regulation Supplement (“DFARS”) clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” which could be incorporated into DoD contracts. This clause, which has been amended several times, requires contractors and subcontractors to implement the 110 security requirements of National Institute of Standards and Technology (“NIST”) SP 800-171 to provide adequate security for federal information that is processed, stored, and transmitted on contractor information systems.
Over time, as security incidents in the DIB continued to occur, DoD officials started to consider additional methods—other than merely using contractual obligations—to reduce cybersecurity risk. In 2019, the DoD began developing a framework, known as CMMC. The purpose of the CMMC program was to build on the requirements of DFARS 252.204-7012 and create a mechanism to verify that a contractor or subcontractor has implemented certain security requirements. The DoD’s development of CMMC has been an iterative process; for example, it introduced CMMC 1.0 under an interim rule in 2020. (In a previous Legal Update, we discussed CMMC 1.0 in detail.) Then, in November 2021, the DoD announced CMMC 2.0, which serves as the basis for the recently issued proposed final rule.
Overview of CMMC Framework
The CMMC program has three principal features. First, it requires companies that are entrusted with national security information to put into place cybersecurity measures at increasingly advanced levels. Second, the CMMC assessment requirement will allow the DoD to verify that the cybersecurity measures have been implemented. Third, CMMC provides a condition requiring that DoD contractors managing CUI and FCI achieve a certain CMMC level.
As a framework, CMMC is divided into three levels of security maturity: Foundational, Advanced, and Expert. The level of maturity that an organization must meet will depend on the type of sensitive information it handles.
A contractor’s required CMMC level is not fixed; it depends on the type of information that the contractor or subcontractor has access to, whether FCI, CUI, or highly sensitive CUI. CMMC appears to allow contractors to assess each system according to its level of access. For example, a contractor may complete a self-assessment for systems that have access to FCI but will be required to undergo a Level 3 assessment (which requires validation by a third party) for systems that have access to high-priority sensitive information.
Level 1 is for contractors and subcontractors that handle FCI or “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.” Level 1 requires contractors to verify through self-assessment that the applicable security requirements in FAR subsection 52.204-21 have been implemented. The assessment must be affirmed annually by a senior official from the prime contractor and any applicable subcontractor.
Level 2 is for contractors and subcontractors that manage CUI and requires contractors to verify that all 110 security requirements of DFARS 252.204-7012 (which are aligned with NIST SP 800-171) have been implemented. As determined by the DoD, Level 2 requires either a self-assessment or a Level 2 certification assessment to ensure implementation of the security requirements. The self-assessment must be performed three times per year, and continuing compliance must be affirmed after every assessment. The certification assessment will be done by a third party—known as a third-party assessment organization or “C3PAO”—and will remain valid for three years. A senior official from the prime contractor or any applicable subcontractor will affirm continuing compliance with the security requirements after every assessment and then annually.
Level 3 is for contractors and subcontractors with access to CUI of the highest priority and requires them to implement the 24 security requirements of NIST SP 800-172 as well as the requirements detailed in DFARS 252.204-7012. They must verify through DoD assessment—i.e., by the Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”)—and receive certification that all Level 3 security requirements have been implemented. This certification is valid for three years. A senior official from the prime contractor and any applicable subcontractor must affirm continued compliance with the security requirements after every assessment, and every year thereafter.
Applicability of CMMC
The proposed final rule confirmed that its requirements would be included in all DoD procurements valued at or above the micro-purchase threshold. However, the proposed rule provides for the following applicability exceptions: (i) procurements exclusively for commercially available off-the-shelf (“COTS”) items; (ii) government information systems operated by contractors; and (iii) procurements in which the DoD exercises its discretion to waive the requirement in “very limited circumstances.”
Also, the proposed final rule confirmed that CMMC program requirements included in solicitations and contracts will “flow down” to subcontractors who will process, store, or transmit FCI or CUI during contract performance.
- Phased Implementation: Ultimately, the CMMC rules will be implemented by making the required certifications a condition of receiving an award of a federal contract. The proposed rule lays out an implementation plan that consists of four phases: Phase 1 will require CMMC Level 1 or Level 2 self-assessments under applicable solicitations; Phase 2 will require CMMC Level 2 certification assessments; Phase 3 will include CMMC Level 3 certification assessments; and Phase 4 will include full implementation for all applicable solicitations.
  - Phase 1 begins on the effective date of the DFARS rule.
  - Phase 2 begins six months after the start date of Phase 1.
  - Phase 3 begins one calendar year after the start date of Phase 2.
  - Phase 4 begins one calendar year after the start date of Phase 3.
Under this phased plan, the DoD intends to include CMMC requirements for Levels 1, 2, and 3 in all solicitations on or after October 1, 2026.
Issues and Concerns for Contractors
The DoD’s proposed final rule contained a number of features that contractors should consider to ensure CMMC compliance.
- Where Federal Information Resides: In light of the new CMMC requirements, contractors should make a reasoned choice about where certain information resides. Contractors should determine whether their information system should house FCI and CUI in an enterprise-wide environment or whether it makes sense to create a dedicated environment in which federal information will reside. Further, contractors may want to develop and use different environments for the various CMMC levels described above.
- CMMC Compliance Program: Prime DoD contractors and subcontractors should assemble a multidisciplinary (e.g., IT, legal, business) team to develop a detailed CMMC compliance program. Even though the final rule has not yet become effective—and changes could be made—contractors would be wise to act quickly as many companies rush to obtain the required certifications. Additionally, contractors should strongly consider engaging outside counsel to perform compliance assessments, the results of which may be protected by the attorney-client privilege.
- Affirmations: As noted above, the proposed final rule requires prime contractors and subcontractors to affirm their compliance on an annual basis. Contractors should also note that because affirmations are linked to a specific CMMC level and therefore could be on different schedules, separate affirmations might have to be made in a given year. Misrepresentations associated with these affirmations may cause the government to take adverse action against the contractor—including contract termination, issuance of a negative past performance rating, initiation of suspension and debarment proceedings, and the pursuit of False Claims Act damages and fines. Therefore, contractors should take these affirmations very seriously and make them only in a manner consistent with their compliance program.
CMMC 2.0 is intended to verify the security measures that contractors and subcontractors have implemented to protect CUI and FCI. This extra layer of verification is specific to each CMMC level, and a CMMC compliance program should be developed by a multidisciplinary team. We encourage you to call us to discuss CMMC 2.0 further and to let us help develop your compliance program.