Tag: CMMC

The Cybersecurity Maturity Model Certification (CMMC) Program – Defense Contractors Must Rapidly Prepare and Implement

The Department of Defense (DoD) has officially launched the Cybersecurity Maturity Model Certification (CMMC) Program, which requires federal contractors and subcontractors across the Defense Industrial Base (DIB) to comply with strict cybersecurity standards. The CMMC program aims to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in DoD contracts from evolving cyber threats by requiring defense contractors to implement comprehensive cybersecurity controls. The CMMC Program, which must be confirmed by contracting officers, moves beyond the prior self-assessment model for many contractors to a certification-based approach verified by DoD-approved third-party assessors known as CMMC Third Party Assessor Organizations (C3PAOs).

This client alert outlines the key elements of the CMMC program, providing a detailed analysis of the new certification requirements, timelines for implementation, and practical steps contractors can take to prepare for compliance.

CMMC Overview and Purpose

The CMMC Program represents the DoD’s commitment to ensuring that companies handling FCI and CUI meet stringent cybersecurity standards. The program was developed in response to increasing cyber threats targeting the defense supply chain and is designed to verify that defense contractors and subcontractors have implemented the necessary security measures to safeguard sensitive information.

The CMMC Program consists of three levels of certification, with each level representing an increasing set of cybersecurity controls. The certification levels correspond to the type of information handled by the contractor, with higher levels required for contractors handling more sensitive information, such as CUI.

The DoD officially published the CMMC final rule on October 15, 2024, establishing the CMMC Program within federal regulations. The rule will be effective 60 days after publication, marking a significant milestone in the program’s rollout. DoD expects to publish the final rule amending the DFARS to add CMMC requirements to DoD contracts in early 2025. Contractors that fail to meet CMMC requirements will be ineligible for DoD contracts that involve FCI or CUI and could face significant penalties if they inappropriately attest to compliance.

The overall scope of the CMMC rule is relatively clear; however, some key elements are ambiguous and, in some cases, may require careful consideration. Particularly at the outset of any assessment process, a pre-risk gap assessment internal review, ideally conducted under legal privilege, is recommended to permit sufficient time to address shortfalls in technical controls or governance. The typical timeline for implementing a CMMC-type program may take many months, and we strongly recommend that clients begin this process soon if they have not already started—it is now unquestionably a requirement to do business with the DoD.

CMMC Certification Levels

The CMMC Program features three certification levels that contractors must achieve depending on the nature and sensitivity of the information they handle:

Level 1 (Self-Assessment)

Contractors at this level must meet 15 basic safeguarding requirements outlined in Federal Acquisition Regulation (FAR) 52.204-21. These requirements focus on protecting FCI, which refers to information not intended for public release but necessary for performing the contracted services. A self-assessment is sufficient to achieve certification at this level.

Level 2 (Self-Assessment or Third-Party Assessment)

Contractors handling CUI must meet 110 security controls specified in NIST Special Publication (SP) 800-171. CUI includes unclassified information that requires safeguarding or dissemination controls according to federal regulations. To achieve certification, contractors at this level can conduct a self-assessment or engage a C3PAO. Most defense contracts involving CUI will require third-party assessments to verify compliance.

Level 3 (Third-Party Assessment by DIBCAC)

Contractors supporting critical national security programs or handling highly sensitive CUI must achieve Level 3 certification. This level adds 24 security controls from NIST SP 800-172 to protect CUI from advanced persistent threats. The Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will conduct assessments for Level 3 contractors. This is the most stringent level of certification and is reserved for contractors working on the most sensitive programs.

Each certification level builds upon the previous one, with Level 3 being the most comprehensive. Certification is valid for three years, after which, contractors must be reassessed.

Certification Process and Assessment Requirements

Contractors seeking certification must undergo an assessment process that varies depending on the level of certification they are targeting. For Levels 1 and 2, contractors may conduct self-assessments. However, third-party assessments are required for most contracts at Level 2 and all contracts at Level 3. The assessment process includes several key steps:

Self-Assessment (Level 1 and Level 2 (Self))

Contractors at Level 1 or Level 2 (Self) must perform an internal assessment of their cybersecurity practices and submit their results to the Supplier Performance Risk System (SPRS). This system is the DoD’s centralized repository for contractor cybersecurity assessments. Contractors must affirm their compliance annually to maintain their certification status.

Third-Party Assessment (Level 2 (C3PAO) and Level 3 (DIBCAC))

For higher-level certifications, contractors must engage a certified C3PAO to conduct an independent assessment of their compliance with the applicable security controls. For Level 3 certifications, assessments will be performed by the DIBCAC. These assessments will involve reviewing the contractor’s cybersecurity practices, examining documentation, and conducting interviews to verify that the contractor has implemented the necessary controls.

Plan of Action and Milestones (POA&M)

Contractors that do not meet all of the required security controls during their assessment may develop a POA&M. This document outlines the steps the contractor will take to address any deficiencies. Contractors have 180 days to close out their POA&M, after which they must undergo a follow-up assessment to verify that all deficiencies have been addressed. If the contractor fails to meet the requirements within the 180-day window, their conditional certification will expire, and they will be ineligible for future contract awards.

Affirmation

After completing an assessment and addressing any deficiencies, contractors must submit an affirmation of compliance to SPRS. This affirmation must be submitted annually to maintain certification, even if a third-party assessment is only required once every three years.

Integration of CMMC in DoD Contracts

The CMMC Program will be integrated into DoD contracts through a phased implementation process. The program will initially apply to a limited number of contracts, but it will eventually become a requirement for all contracts involving FCI and CUI. The implementation will occur in four phases:

Phase 1 (Early 2025)

Following the publication of the final DFARS rule, CMMC requirements will be introduced in select solicitations. Contractors bidding on these contracts must meet the required CMMC level to be eligible for contract awards.

Phase 2

One year after the start of Phase 1, additional contracts requiring CMMC certification will be released. Contractors at this stage must meet Level 2 certification if handling CUI.

Phase 3

A year after the start of Phase 2, more contracts, including those requiring Level 3 certification, will include CMMC requirements.

Phase 4 (Full Implementation)

The final phase, expected to occur by 2028, will fully implement CMMC requirements across all applicable DoD contracts. From this point forward, contractors must meet the required CMMC level as a condition of contract award, exercise of option periods, and contract extensions.

Flow-Down Requirements for Subcontractors

CMMC requirements will apply to prime contractors and their subcontractors. Prime contractors must ensure that their subcontractors meet the appropriate CMMC level. This flow-down requirement will impact the entire defense supply chain, as subcontractors handling FCI must achieve at least Level 1 certification, and those handling CUI must achieve Level 2.

Subcontractors must be certified before the prime contractor can award them subcontracts. Prime contractors will be responsible for verifying that their subcontractors hold the necessary CMMC certification.

Temporary Deficiencies and Enduring Exceptions

The CMMC Program allows for limited flexibility in cases where contractors cannot meet all of the required security controls. Two key mechanisms provide this flexibility:

Temporary Deficiencies

Contractors may temporarily fall short of compliance with specific security controls, provided they document the deficiency in a POA&M and work toward remediation. These temporary deficiencies must be addressed within 180 days to maintain certification. Failure to close out POA&Ms within the required timeframe will result in the expiration of the contractor’s conditional certification status.

Enduring Exceptions

In some cases, contractors may be granted an enduring exception for specific security controls that are not feasible to implement due to the nature of the system or equipment being used. For example, medical devices or specialized test equipment may not support all cybersecurity controls required by the CMMC Program. In these cases, contractors can document the exception in their System Security Plan (SSP) and work with the DoD to determine appropriate mitigations.

Compliance Obligations and Contractual Penalties

The DoD has made it clear that failure to comply with CMMC requirements will have serious consequences for contractors. Noncompliant contractors will be ineligible for contract awards. Moreover, the Department of Justice’s Civil Cyber-Fraud Initiative looms menacingly in the background, as it actively pursues False Claims Act actions against defense contractors for alleged failures to comply with cybersecurity requirements in the DFARS. In addition, the DoD reserves the right to investigate contractors that have achieved CMMC certification to verify their continued compliance. If an investigation reveals that a contractor has not adequately implemented the required controls, the contractor may face contract termination and other contractual remedies.

Preparing for CMMC Certification

Given the far-reaching implications of the CMMC Program, contractors and subcontractors should begin preparing for certification as soon as possible. As an initial step, an internal, confidential gap assessment is highly advisable, preferably done under legal privilege, to fully understand both past and current shortfalls in compliance with existing cybersecurity requirements that will now be more fully examined in the CMMC process. Key steps include:

Assess Current Cybersecurity Posture

Contractors should conduct an internal assessment of their current cybersecurity practices against the CMMC requirements. This will help identify any gaps and areas that need improvement before seeking certification.

Develop an SSP

Contractors handling CUI must develop and maintain an SSP that outlines how they will meet the security controls specified in NIST SP 800-171. This document will serve as the foundation for both internal and third-party assessments.

Engage a C3PAO

Contractors at Level 2 (C3PAO) and Level 3 must identify and engage a certified C3PAO to conduct their assessments. Given the anticipated demand for assessments, contractors should begin this process early to avoid delays.

Prepare a POA&M

For contractors that do not meet all required controls at the time of assessment, developing a POA&M will be crucial to addressing deficiencies within the required 180-day window.

Review Subcontractor Compliance

Prime contractors must review their subcontractors’ compliance with CMMC requirements and ensure they hold the appropriate certification level. This flow-down requirement will impact the entire defense supply chain.

Conclusion

The CMMC Program marks a significant shift in the oversight of how the DoD manages cybersecurity risks within its defense supply chain. While DoD contractors that handle CUI have had contractual obligations to comply with the NIST SP 800-171 requirements since January 1, 2018, the addition of third-party assessments and more stringent security controls for Level 3 contracts aim to improve the overall cybersecurity posture of contractors handling FCI and CUI. Contractors that fail to comply with CMMC requirements risk losing eligibility for DoD contracts, which could result in substantial business losses.

Given the phased implementation of the program, contractors must act now to assess their cybersecurity practices, engage with certified third-party assessors, and ensure compliance with the new requirements. Proactive planning and preparation will be key to maintaining eligibility for future DoD contracts.

Copyright 2024 K & L Gates
For more on Defense Contractors, visit the NLR Government Contracts Maritime Military section

Are We There Yet? DoD Issues Final Rule Establishing CMMC Program

The US Department of Defense (DoD) published a final rule codifying the Cybersecurity Maturity Model Certification (CMMC) Program. The final CMMC rule will apply to all DoD contractors and subcontractors that will process, store, or transmit Federal Contract Information (FCI)[1] or Controlled Unclassified Information (CUI)[2] on contractor information systems. The final CMMC rule builds on the proposed CMMC rule that DoD published in December 2023, which we discussed in depth here.

The final CMMC rule incorporates DoD’s responses to 361 public comments submitted during the comment period and spans more than 140 pages in the Federal Register. Many responses address issues raised in our prior reporting, and DoD generally appears to have been responsive to several concerns raised by the industry. In the coming weeks, we expect to update our separate summaries of CMMC Level 1Level 2, and Level 3 to reflect the final rule. This OTS summarizes the key changes to the CMMC Program in the final rule.

In Depth

THE CMMC PROGRAM

The final CMMC rule adopts in large part the new Part 170 to Title 32 of the Code of Federal Regulations proposed in 2023. The final rule formally establishes the CMMC Program and defines the security controls applicable to each of the three CMMC levels; establishes processes and procedures for assessing and certifying compliance with CMMC requirements; and defines roles and responsibilities for the Federal Government, contractors, and various third parties for the assessment and certification process. 32 C.F.R. § 170.14 codifies the three CMMC levels outlined in CMMC 2.0, which are summarized as follows in an updated CMMC Model Overview included in Appendix A to the final CMMC rule:

CMMC Model 2.0
Model Assessment
Level 3 134 requirements based on NIST SP 800-171 and 800-172 Triennial government-led assessment and annual affirmation
Level 2 110 requirements aligned with NIST SP 800-171 Triennial third-party assessment and annual affirmation; Triennial self-assessment and annual affirmation for select programs
Level 1 15 requirements Annual self-assessment and annual affirmation

See Cybersecurity Maturity Model Certification (CMMC) Model Overview, Version 2.11 – DRAFT at 3-4 (Sept. 2024).

CMMC Level 1 is required for contracts and subcontracts that involve the handling of FCI but not CUI. The security requirements for CMMC Level 1 are those set forth in FAR 52.204-21(b)(1)(i)-(xv), which currently governs contracts involving FCI. Contractors must conduct and report a CMMC Level 1 Self-Assessment in DoD’s Supplier Performance Risk System (SPRS) prior to award of a CMMC Level 1 contract or subcontract. Thereafter, contractors must make an annual affirmation of continued compliance. The final CMMC rule requires compliance with all CMMC Level 1 requirements at the time of the assessment and does not allow contractors to include a Plan of Action and Milestones (POA&M) to comply with unmet requirements in the future.

CMMC Level 2 is required for contracts and subcontracts that involve the handling of CUI. The security requirements for CMMC Level 2 are identical to the requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2, and the final CMMC rule adopts the scoring methodology for compliance with those requirements that is currently employed by DFARS 252.204-7020. The final CMMC rule establishes a minimum required score of 88 out of 110 for Conditional Level 2 status with a POA&M. The final CMMC rule allows for certain CMMC Level 2 requirements that are not met at the time of assessment to be addressed through POA&Ms if the contractor meets the minimum required score. A contractor with Conditional status is subject to close out of all POA&Ms, which must be reported in SPRS within 180 days of Conditional status. Conditional status must be achieved prior to the award of any contract subject to CMMC Level 2. If the contractor does not close out all POA&Ms within 180 days of Conditional status, the contractor becomes ineligible for additional awards of CMMC Level 2 contracts.

The final CMMC rule retains the proposed rule’s distinction between CMMC Level 2 Self-Assessments and CMMC Level 2 Certification Assessments. CMMC Level 2 Certification Assessments are issued by CMMC Third-Party Assessment Organizations (C3PAOs) and fulfill one of the primary goals of the CMMC Program: independent verification of contractor compliance with CMMC security requirements. Whether a CMMC Level 2 Self-Assessment or Certification Assessment will apply to a particular contract will be determined by DoD based on the sensitivity of the CUI involved with that contract. When the final CMMC rule is fully implemented, DoD expects that the vast majority of CMMC Level 2 contractors will eventually undergo a Certification Assessment. Under the phased implementation of the CMMC Program discussed below, however, CMMC Level 2 Certification Assessment requirements will not regularly appear in solicitations or contracts until one year after the start of implementation. Contractors that achieved a perfect score with no open POA&Ms on a Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) High Assessment under DFARS 252.204-7020 prior to the effective date of the final CMMC rule will be eligible for a CMMC Level 2 Certification for three years from the date of the High Assessment.

CMMC Level 3 applies to contracts that involve the handling of CUI, but for which DoD has determined that additional safeguarding requirements are necessary. The additional CMMC Level 3 requirements consist of 24 requirements from NIST SP 800-172 listed in Table 1 to Section 170.14(c)(4) of the final CMMC rule. These additional CMMC Level 3 requirements include various “Organization-Defined Parameters” that can be used to tailor these requirements to a particular situation. The applicability of CMMC Level 3 requirements will be determined by DoD on a contract-by-contract basis based on the sensitivity of the CUI involved in the performance of that contract.

CMMC Level 3 assessments are performed exclusively by DCMA DIBCAC. The proposed CMMC rule establishes a scoring methodology for assessing compliance with CMMC Level 3 security requirements and allows for Conditional Level 3 status with POA&Ms for unmet requirements, subject to certain limitations and a general requirement that POA&Ms must be closed within 180 days. To achieve CMMC Level 3, contractors will need to have a perfect CMMC Level 2 score (110) and achieve a score of 20 out 24 for the additional CMMC Level 3 controls, with each control worth one point.

PHASED IMPLEMENTATION

The proposed rule contemplated a four-phase implementation over a three-year period, starting with the incorporation of self-assessment levels in Phase 1 through the full incorporation of CMMC requirements in all contracts in Phase 4. The final CMMC rule keeps the phases substantially the same, except it extends the time between Phase 1 and Phase 2 by six months, providing a full year between self-assessment and certification requirements:

  • Phase 1 – 0-12 Months: Phase 1 will begin when the proposed DFARS rule implementing CMMC is finalized. Our summary of the proposed DFARS rule can be found here. DoD has stated that it expects the final DFARS rule in “early to mid-2025.” During Phase 1, DoD will include Level 1 Self-Assessment or CMMC Level 2 Self-Assessment requirements as a condition of contract award and may include such requirements as a condition to exercising an option on an existing contract. During Phase 1, DoD may also include CMMC Level 2 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
  • Phase 2 – 12-24 Months: Phase 2 begins one year after the start date of Phase 1 and will last for one year. During Phase 2, DoD will include CMMC Level 2 Certification Assessment requirements as a condition of contract award for applicable contracts involving CUI and may include such requirements as a condition to exercising an option on an existing contract. During Phase 2, DoD may also include CMMC Level 3 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
  • Phase 3 – 24-36 Months: Phase 3 begins one year after the start date of Phase 2 and will also last for one year. During Phase 3, DoD intends to include CMMC Level 2 Certification Assessment requirements, not only as a condition of contract award but also as a condition to exercising an option on an existing contract. DoD will also include CMMC Level 3 Certification Assessment requirements for all applicable DoD solicitations and contracts as a condition of contract award, but DoD may delay inclusion of these requirements as a condition to exercising an option as it deems appropriate.
  • Phase 4 – 36+ Months: Phase 4 begins one year after the start date of Phase 3 and involves the inclusion of all CMMC Program requirements in all DoD solicitations and contracts, including option periods.

    APPLICABILITY TO PERFORMANCE OF DOD CONTRACTS

    The DoD has clarified that CMMC only applies to “contract and subcontract awardees that process, store, or transmit information, in performance of the DoD contract, that meets the standards for FCI or CUI on contractor information systems.” 32 C.F.R. § 170.3(a)(1). Given that CMMC will be implemented through a DFARS clause that is included in DoD contracts and subcontracts, the addition of the italicized language does not appear remarkable at first glance. However, it may prove an important qualification for companies that receive FCI and CUI in different circumstances. A company that receives CUI from the Government in the performance of one contract may also receive CUI from another entity independent of any contract or subcontract. For example, several categories of CUI reflect information that is contractor proprietary and, as such, can ordinarily be disclosed by the contractor that owns that information as that contractor deems appropriate. This can occur when teammates for a new opportunity share audit and business systems information for purposes of submitting a proposal, which information may be marked CUI by DoD to protect the proprietary information of the contractor being audited or whose business system was reviewed. The final CMMC rule’s clarification that it only applies to FCI and CUI handled in performance of the DoD contract may help clarify that the CMMC program does not restrict a contractor’s ability to process, store, or transmit its own information.

    CMMC STATUS BEGINS ON THE EARLIER OF CONDITIONAL STATUS OR FINAL STATUS

    DoD has clarified that although contractors have 180 days to finalize their CMMC certification if they do not originally achieve a passing score, the additional time to finalize does not extend the period for CMMC renewals. Thus, if a contractor’s CMMC certification status was conditionally granted on January 1, 2025, and its final status occurs 180 days later, the contractor’s renewal date will still be three years from the conditional date (January 1, 2028), not the later anniversary of the final status date.

    TEMPORARY AND ENDURING EXCEPTIONS

    DoD will now allow contractors to obtain permanent and temporary variances that have the status of a “MET” requirement when assessed as part of CMMC. These variances are separate from unmet controls that must be addressed within the contractor’s POA&M and completed within 180 days. The final CMMC rule introduces “enduring exceptions” and “temporary deficiencies,” which are defined as follows: An enduring exception is “a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible.” The final CMMC rule definition includes examples such as “systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT.” Enduring exceptions must be documented within a system security plan.

    A temporary deficiency is “a condition where remediation of a discovered deficiency is feasible, and a known fix is available or is in process.” Temporary deficiencies would arise after the implementation of a particular security requirement, not during its implementation. The example provided is “FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version.” A temporary deficiency must be documented in an “operational plan of action.”

    An operational plan of action is a contractor’s formal documentation of temporary vulnerabilities and temporary deficiencies in the contractor’s implementation of the CMMC security requirements. The operational plan of action documents how these temporary vulnerabilities and deficiencies are to be “mitigated, corrected, or eliminated.”

    The proposed DFARS rule requires 72-hour notification for “any lapses in information security or changes in the status of CMMC certification or CMMC self-assessment levels during the performance of the contract.” Proposed DFARS 204.7503(b)(4)). As we pointed out in our summary of the proposed DFARS rule, it does not define “lapses in information security,” but that term appears substantially broader than the term “cyber incident,” which contractors must also report within 72 hours. Because the CMMC rule in C.F.R Title 32 establishes the cybersecurity controls that form the foundation of the CMMC Program, we expected that the final CMMC rule might provide the clarity missing from the proposed DFARS rule; however, the final CMMC rule does not discuss lapses, and it is unclear whether a temporary deficiency is the same as a lapse. The scope of a contractor’s notification obligations under the CMMC Program and the contractor’s DoD contracts and subcontracts therefore remains unclear, particularly whether a contractor must notify the Government every time a measure for complying with a particular CMMC control does not function as planned.

    DEFINITION OF SECURITY PROTECTION DATA

    In the interim rule, DoD introduced Security Protection Data (SPD) as an undefined term. The final CMMC rule defines SPD as follows:

    Security Protection Data (SPD) means data stored or processed by Security Protection Assets (SPA) that are used to protect [a contractor’s] assessed environment. SPD is security relevant information and includes but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment. (Emphasis added).

    In our earlier analysis, we discussed the concern that the ambiguous nature of SPD would make it difficult for contractors to determine which external service providers (ESPs) were in-scope for CMMC. The definition of SPD in the final CMMC rule retains this ambiguity, thus missing an opportunity for further clarity in the use of ESPs.

    DIBCAC ASSESSMENTS

    For Level 2 and Level 3 CMMC assessments, DoD now reserves the right to conduct a DCMA DIBCAC assessment of any contractor, in addition to other investigative evaluations of an OSA. The results of an investigative DCMA DIBCAC assessment will supersede any preexisting CMMC status, and DoD will update SPRS to show that the OSA is out of compliance. This replaces previous language in the proposed CMMC rule that allowed DoD to merely revoke CMMC status after its investigation. Notably, the final CMMC rule removes the ability to revoke CMMC Level 1 status and does not substitute a DCMA DIBCAC assessment in its place. These changes bring the CMMC program into alignment with the DoD Self-Assessment methodology required in DFARS 252.204-7019/7020.

    CSPS AND ESPS

    Of significant interest to service providers will be the changes to the requirements for cloud service providers (CSPs) and other ESPs. The final CMMC rule is less prescriptive than the proposed rule with respect to how these service providers fit into the scope of a contractor’s CMMC certification.

    First, as before, the final CMMC rule allows the use of CSPs to process, store, or transmit CUI where the CSP is Federal Risk and Authorization Management Program (FedRAMP) Authorized at FedRAMP Moderate baseline or higher, or where the CSP meets FedRAMP Equivalency. The final CMMC rule, however, states that FedRAMP Moderate and FedRAMP Moderate Equivalent determinations will be “in accordance with DoD Policy,” thereby incorporating the DoD Chief Information Officer policy memo on FedRAMP Moderate equivalency issued after the proposed rule. This reference may also allow DoD to change this policy in the future without further notice-and-comment rulemaking.

    Second, for ESPs that process, store, or transmit CUI or SPD, CMMC certification is no longer required in advance of the contractor’s certification. Instead, ESPs will be assessed as in-scope for the contractor itself against all of the relevant requirements. This change may relieve pressure not only on ESPs but also on contractors and CMMC C3PAOs if non-contractor ESPs do not need to be at the front of the line for certifications. Although many ESPs with significant Federal contracting customer bases will likely choose to obtain CMMC certification directly, smaller ESPs may choose to support Federal contractor customers in the customer’s own certifications on a case-by-case basis.

    Notably, this is a model that many service providers may be familiar with from a different context and standard. In practice, it seems similar to the method for service providers to comply with Payment Card Industry Data Security Standards (PCI DSS). Under PCI DSS, a service provider may obtain its own Attestation of Compliance (AOC) or may participate in the compliance efforts of each merchant it supports. Also, like the PCI DSS model, there now is a requirement to document the roles and responsibilities between ESPs and the contractors. 32 C.F.R. § 170.19(c)(2)(ii) (“documented in the OSA’s SSP and described in the ESP’s service description and customer responsibility matrix (CRM)”).

    APPLICABILITY TO SUBCONTRACTORS

    The final CMMC rule updates the applicability of the CMMC requirements to subcontractors by incorporating requirements not only for CMMC compliance but also explicitly to flow down CMMC requirements for both CMMC level and assessment type through the supply chain. There is again a helpful clarification that such flow-downs are only required for the performance of a “DoD contract” rather than the prior language that did not specify what types of contracts required flowing down. Id. § 170.23(a).

    MISREPRESENTATION AND FALSE CLAIMS ACT RISK

    Although the CMMC Level 1 and Level 2 security requirements are the same requirements in FAR 52.204-21 and NIST SP 800-171 that contractors have been required to follow for years, the final CMMC rule will require all contractors that handle FCI and CUI on their systems – even contractors subject to CMMC Level 1 – to make periodic affirmative representations regarding their cybersecurity programs and controls, in addition to the initial assessments and certifications reported in SPRS. Contractors must vet these representations carefully as any potential inaccuracy or ambiguity could generate litigation risk under a variety of criminal and civil laws, including the False Claims Act (FCA).

    Since the inception of the CMMC Program, the US Department of Justice (DOJ) has increasingly made cybersecurity an enforcement priority. In 2021, DOJ launched its Civil Cyber-Fraud Initiative, which seeks to leverage DOJ’s expertise in civil fraud enforcement to combat cyber threats to the security of sensitive information and critical systems. Deputy Attorney General Lisa Monaco stated at the time: “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.” As CMMC is implemented, it will provide the “required cybersecurity standards” that DOJ will seek to enforce and a record of statements of compliance that DOJ will use to leverage the FCA in enforcement.

    THE ELEPHANT (STILL) IN THE ROOM

    The final CMMC rule, like the proposed rule, does nothing to address the fundamental uncertainty regarding what constitutes CUI and the widespread overmarking of CUI. We continue to see emails from Government officials with CUI markings embedded in signature blocks that automatically attach to every email that official sends out – even when the email is sent to private entities and individuals who do not hold a contract subject to CMMC. Multiple commentators expressed concerns regarding the mismarking and overmarking of CUI, but DoD generally responded by pointing to its existing guidance on CUI marking, without addressing whether that guidance is sufficient or is actually being followed.

    CONCLUSION

    The final CMMC rule makes several significant changes to the proposed rule, but it largely keeps the structure, content, and format of the proposed rule in place. We will continue to analyze the final CMMC rule, including updating our in-depth analyses of each CMMC certification level, in the weeks to come.

    But are we there yet? No, and if you don’t stop asking, DoD will turn this car around! DoD must still finalize the companion DFARS rule before the CMMC can be fully implemented by DoD for new contracts. Once that final DFARS rule is released, we expect a gradual, phased approach that will take three to four years before CMMC is a reality for all Federal prime contractors and subcontractors that store, process, or transmit FCI or CUI in performance of DoD contracts.

    © 2024 McDermott Will & Emery
    For more on the CMMC Program, visit the NLR Consumer Protection section

Department of Defense Issues Final CMMC Rule

On October 11, 2024, the Department of Defense (“DoD”) issued the first part of its final rule establishing the Cybersecurity Maturity Model Certification (“CMMC”) program. As expected, the final rule requires companies entrusted with national security information to implement cybersecurity standards at progressively advanced levels, (CMMC level 1CMMC level 2, and CMMC level 3) depending on the type and sensitivity of the information. While the final rule largely tracks the proposed rule issued in December 2023, we outline below several notable updates DoD included in the final rule and their potential impacts on DoD contractors.

Updated Implementation Timeline

DoD extended the timeline for CMMC implementation. DoD will now roll out the CMMC program in a four-phased approach:

  • Phase 1 will begin in early to mid-2025 when DoD finalizes the second part of its CMMC rule under 48 C.F.R. Part 204. Once that rule is finalized, DoD will begin including CMMC level 1 and CMMC level 2 self-assessment requirements in new solicitations. That is, while DoD contractors will not need to obtain a CMMC certification by Phase 1, they will need to self-assess and affirm compliance with CMMC level 1 and/or level 2 security requirements when competing for new DoD contracts.
  • Phase 2 will begin one year after the start of Phase 1 (~early to mid-2026). During Phase 2, DoD will begin including CMMC level 2 certification requirements in applicable solicitations. Contractors who expect to bid on solicitations requiring a CMMC level 2 certification should plan to obtain that certification by early 2026 to avoid losing out on DoD opportunities.
  • Phase 3 will begin one year after the start of Phase 2 (~early to mid-2027). During Phase 3, DoD will begin requiring contractors to meet the CMMC level 2 certification requirements as a condition to exercise option periods on applicable contracts awarded after the effective date of the CMMC rule. DoD will also begin including CMMC Level 3 requirement in applicable solicitations.
  • Phase 4 will begin one year after the start of Phase 3 (~early to mid-2028). During Phase 4, DoD will include CMMC program requirements in all applicable CMMC solicitations and as a condition to exercise option periods on applicable contracts regardless of when they were awarded.

Narrower Assessment Scope for Security Protection Assets

The final rule narrows the assessment scope for contractors’ Security Protection Assets (“SPA”). Under the proposed rule, certain contractor assets that provide security functions or capabilities (i.e., SPAs) for the protection of controlled unclassified information (“CUI”) had to meet all security requirements of CMMC level 2. The final rule reduces that assessment scope so now SPAs only need to be assessed against “relevant” security requirements. This change should reduce the regulatory burden on contractors because they will no longer need to show how SPAs meet CMMC security requirements that are not applicable to the SPAs being assessed.

External Service and Cloud Service Providers

The final rule provides greater clarity as to when External Service Providers (“ESPs”) are within the scope of a contractor’s CMMC assessment. Under the final rule, if an ESP deals with CUI, then it must be assessed against all CMMC level 2 security requirements and must obtain a CMMC level 2 assessment or certification. By contrast, ESPs that only deal with security protection data (“SPD”)—data used to protect a contractor’s assessed environment—are subject to a more limited assessment and do not require a full CMMC level 2 assessment or certification. A service provider that does not deal with CUI or SPD does not meet the CMMC definition of ESP and presumably is outside the scope of any CMMC assessment.

For Cloud Service Providers (“CSPs”) dealing with CUI, the final rule tracks current DoD security requirements, which require CSPs to meet security requirements equivalent to the FedRAMP moderate baseline. Like with ESPs, CSPs that only deal with SPD are subject to a more limited assessment and CSPs that do not deal with CUI or SPD are outside of the CMMC scope.

© 2024 Blank Rome LLP