On December 26, 2023, the U.S. Department of Defense (DoD) published the much-anticipated proposed rule for the revamped Cybersecurity Maturity Model Certification (CMMC) 2.0 Program.
Following growing concerns within DoD that contractors were not consistently implementing the cybersecurity requirements of DFARS 252.204-7012, DoD responded with the creation of the CMMC Program in 2019 to move away from a “self-attestation” model of security. The CMMC Program’s purpose is for contractors and subcontractors to demonstrate that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) being processed, stored, or transmitted is adequately safeguarded. CMMC builds on existing cybersecurity requirements by requiring that contractors and subcontractors undergo Self-Assessments, Third-Party Assessments, or Government Assessments, as required, to ensure that mandated information protection requirements have been implemented.
The proposed rule applies to defense contractors and subcontractors that will process, store, or transmit FCI or CUI and is expected to be made a part of every DoD solicitation with a value above the micro-purchase threshold (currently, $10,000). The rule does not apply to contracts for commercially available off-the-shelf (COTS) items or government information systems that are operated by contractors and subcontractors in support of the government.
CMMC does not impose any new security requirements except those mandated at Level 3 of the program. For example, contractors subject to 252.204–7012 are already required to safeguard covered defense information in accordance with NIST SP 800-171. Instead, CMMC provides DoD the process to verify that a defense contractor or subcontractor has implemented the security requirements at each requisite CMMC Level and is maintaining those requirements throughout the contract period of performance.
CMMC Compliance Levels
There are three different levels of CMMC assessment, starting with the basic safeguarding of FCI at Level 1 and moving to the broader protection of CUI at Level 2. Level 3 protection will require the highest level of protection against the risk that DoD terms “Advanced Persistent Threats (APTs).”
For CMMC Level 1, contractors and applicable subcontractors are already required to implement the 15 security requirements currently required by FAR clause 52.204–21. Level 1 will require that all contractors verify compliance with security controls through self-assessments performed annually. Contractors will enter their assessment scores in DoD’s Supplier Performance Risk System (SPRS). CMMC Level 2 will require either a self-assessment or a certified assessment conducted by a third-party assessment organization (C3PAO) to verify a contractor’s implementation of the CMMC Level 2 security requirements. The assessment must be completed before contract award and the certification of compliance is good for three years afterwards. CMMC Level 3 will require contractors to implement 24 selected security requirements from NIST SP 800–172. Note that a CMMC Level 2 certification will be a prerequisite for attaining CMMC Level 3 certification. Unlike CMMC Level 2, DoD assessors will perform the Level 3 certification assessment.
Select requirements under Levels 2 and 3 that are not fully implemented at the time of assessment may be the subject of a Plan of Action and Milestone (POA&M). All permissible requirements covered by the contractor’s POA&M must be closed out within 180 days of the assessment. POA&Ms under Level 1 are not permitted.
As proposed, the rule requires that a senior official from the prime contractor and any applicable subcontractor will affirm annually the concern’s continuing compliance with the specified security requirements. These affirmations are entered electronically in SPRS. At Levels 2 and 3, these affirmations must be made after every CMMC assessment, including POA&M closeout.
DoD will implement the CMMC Program requirements through four phases and will introduce CMMC requirements in solicitations over a three-year period. This iterative approach should provide companies with appropriate ramp-up time. DoD anticipates it will take two years for companies with existing contracts to become CMMC-certified.
- Phase 1 begins on the effective date of the CMMC revision to DFARS 252.204–7021. DoD intends to include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment for all applicable DoD solicitations and contracts as a condition of contract award.
- Phase 2 begins six months following the start date of Phase 1. Beyond Phase 1 requirements, DoD intends to include CMMC Level 2 Certification Assessment for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of CMMC Level 2 Certification Assessment to an option period instead of as a condition of contract award.
- Phase 3 begins one calendar year following the start date of Phase 2. In addition to Phase 1 and 2 requirements, DoD intends to include CMMC Level 2 Certification Assessment for all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded prior to the effective date. DoD intends to include CMMC Level 3 Certification Assessment for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of CMMC Level 3 Certification Assessment to an option period instead of as a condition of contract award.
- Phase 4, Full Implementation, begins one calendar year following the start date of Phase 3. DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts, including option periods on contracts awarded prior to the beginning of Phase 4.
The time has come for contractors to prepare to demonstrate CMMC compliance. Contractors should be developing and reviewing current system security protocols and completing System Security Plans (SSPs). Contractors should also consider conducting an attorney-client privileged test assessment to baseline their ability to meet CMMC requirements. Additionally, contractors should update all cybersecurity governance documents, including those addressing the reporting of cybersecurity incidents. Finally, with the mandate that a senior official affirm compliance with cybersecurity requirements, DoD is signaling that such affirmations are material to the government and that misrepresentation of a contractor’s compliance status may be viewed as a false statement that subjects the contractor to liability under the False Claims Act; therefore, affirmation statements should be closely evaluated.
Comments on the proposed rule must be submitted by February 26, 2024.
If you have any questions regarding this proposed rule, please reach out to your Cohen Seglias contact or contact any member of the Government Contracting group.