On August 15, 2024, the Department of Defense (DoD) published a proposed rule to implement the Cybersecurity Maturity Model Certification (CMMC) 2.0 program through revisions to the Defense Federal Acquisition Regulation Supplement (Title 48 of the Code of Federal Regulations). The proposed rule outlines how DoD will integrate the requirements for its CMMC program into the contracting process. Interested parties now have the opportunity to comment on the proposed rule, with DoD accepting comments through October 15, 2024.
CMMC 2.0 is the DoD's program designed to ensure that companies that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) are compliant with cybersecurity requirements. The program has gone through several iterations since it was first announced in 2019, and the current 2.0 version includes three progressively advanced tiers of certification levels dependent on the type and sensitivity of the information handled by a contractor. DoD published the first proposed CMMC 2.0 program rule on December 26, 2023, which consists of comprehensive cybersecurity and compliance affirmation requirements for DoD contractors. The CMMC 2.0 three-tier model is aligned with existing security requirements published by the National Institute of Standards and Technology in its Special Publication 800-171.
Applicability
The proposed rule applies to all DoD contractors and subcontractors (through flow-down requirements) who process, store or transmit FCI or CUI. Prime contractors will be responsible for ensuring that subcontractors not only understand the CMMC compliance requirements, but also are satisfying the requirements for the prime contractor's designated CMMC level. The proposed rule does not apply to contracts that are for the sole purpose of acquiring commercially available off-the-shelf (COTS) items. The proposed rule also does not contain any exemptions for foreign suppliers.
It is expected that a final rule will be enacted in early to mid-2025. DoD has implemented a phased-in rollout of the CMMC program over the course of a three-year period. During the phase-in period, the CMMC certification requirements will impact a contractor only when a solicitation itself requires a specific CMMC level as determined by the program office or requiring activity. The CMMC certification requirements during this period will impact subcontractors to affected contracts at all tiers who process, store or transmit FCI or CUI. After the phase-in period, CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial products or commercial services (except those exclusively for COTS items), valued at greater than the micropurchase threshold that involve processing, storing or transmitting FCI or CUI.
Key Features of the Proposed Rule
Per the proposed rule, DoD will specify which of the CMMC levels is required for the contract in the solicitation process, so only qualified bidders may bid on the procurement. At each of the three CMMC levels, DoD will verify the contractor's eligibility.
The new proposed rule requires that DoD contractors:
- Have a current CMMC certificate or self-assessment at the requisite CMMC level, or higher, when a CMMC level is included in the solicitation;
- Maintain the required CMMC level for the duration of the contract for all applicable information systems;
- Only store, process or transmit data in appropriate information systems;
- Notify the contracting officer within 72 hours of any lapses in information security or changes in the status of their CMMC certificate or self-assessment levels;
- Complete and maintain on an annual basis, or when changes occur, an affirmation of continuous compliance with the security requirements; and
- Ensure all subcontractors and suppliers complete and maintain on an annual basis, or when changes occur, an affirmation of continuous compliance with the security requirements.
Additionally, the proposed rule includes a new section on reporting that requires the contractor to provide: (1) the unique identifiers issued by DoD for each information system, (2) the results of contractor self-assessments and (3) any changes to the list of unique identifiers.
Impact on Small Businesses
DoD states that approximately 29,543 contractors will be impacted by the proposed rule, of which 20,395 (69 percent) are small businesses. Therefore, the proposed rule is likely to have a significant impact on small business contractors and subcontractors, as obtaining CMMC certification is a costly endeavor. Contractors will incur implementation fees, consulting costs and other assessment charges. Subcontractors may be subject to requirements from their primes, who may want to preemptively comply with CMMC 2.0. Compliance costs may ultimately force smaller entities to withdraw and/or not bid on affected contracts. It is important that such entities provide DoD with insight on the impact of the proposed rule on their operations, how to reduce the cost of compliance and other potential measures to mitigate costs. For small business subcontractors, it is important to carefully review their subcontracts to determine whether they in fact will process, store or transmit FCI or CUI, or whether they should negotiate to remove the flow-down clause from their contracts.
Timing of Certification
The proposed rule requires that a contractor achieve the CMMC certification or CMMC self-assessment at the required level at the time of the award. The proposed rule includes two requirements that impose additional obligations on the contractor:
- The contractor is responsible for ensuring that its current CMMC certificate or current CMMC self-assessment level is posted in the Supplier Performance Risk System (SPRS).
- The contractor must have a current affirmation of continuous compliance with the security requirements identified at 32 CFR part 170 in SPRS for each DoD unique identifier applicable to each of the contractor information systems that process, store or transmit FCI or CUI and that are used in performance of the contract.
The timing aspect is important, as an entity is not required to have the requisite CMMC certification at the time of the bid, but instead at the time that the award is made. This may provide additional flexibility to prospective contractors to continue to seek the appropriate certification during the solicitation process. The requirement that contractors must maintain the required CMMC level for the duration of the contract is also important because options on a contract cannot be exercised unless compliance with CMMC is verified.
Opportunity to Comment
The proposed rule is open for public comment for 60 days, with comments due on or before midnight on October 15, 2024. All interested stakeholders should consider filing public comments addressing legal and policy deficiencies in the proposal, including describing unintended consequences or onerous operational impacts. It is expected that industry groups will request an extension of the public comment period; however, it is not expected that DoD will grant such a request.
It is our recommendation that all contractors review the underlying changes and conduct an internal analysis to determine the projected impact of the rule changes. Contractors should consult with counsel to draft public comments that adequately address all considerations and convey the anticipated impact of the proposed rule, whether as attributed comments submitted directly to DoD or as unattributed comments submitted through trade associations.
Following the conclusion of the public comment period, DoD will continue its rulemaking process and ultimately release a final rule, which is expected to be published in early to mid-2025.
About Duane Morris
Attorneys in the firm's Government Contracts and International Trade Group and Privacy and Data Protection Group have considerable experience in assisting clients on a wide range of matters, including compliance with federal cybersecurity rules; building cybersecurity teams; a full range of litigation and counseling services on virtually every facet of government contracting and procurement; handling security breaches; providing clients with compliance and auditing advice on privacy and IT security exposure; and navigating the complex regulatory minefield governing data protection. The firm's attorneys also have experience in preparing public comments for submission to the government.
For More Information
If you have any questions about this Alert, please contact Geoffrey M. Goodale, Sandra A. Jeskie, Rolando R. Sanchez, Matthew Steinway, Lauren E. Wyszomierski, any of the attorneys in our Government Contracts and International Trade Group, any of the attorneys in our Privacy and Data Protection Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.