ARTICLE
17 October 2024

Countdown To Compliance: DoD Finalizes The CMMC Program Rule

SM
Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.
On October 15, 2024, the Department of Defense ("DoD") published the final version of its Cybersecurity Maturity Model Certification ("CMMC") rule in Title 32 of the Code of Federal Regulations (the "Final Rule").
United States Government, Public Sector

On October 15, 2024, the Department of Defense ("DoD") published the final version of its Cybersecurity Maturity Model Certification ("CMMC") rule in Title 32 of the Code of Federal Regulations (the "Final Rule"). (Reminder, there are two CMMC rulemakings going on in parallel. This Final Rule updates DoD national security regulations while the other rulemaking effort under Title 48 will update the Defense Federal Acquisition Regulation ("DFARS") and trigger requirements for DoD contractors.)

Brief History/Background

On December 26, 2023, DoD published the Proposed Rule for the CMMC program under Title 32 (the "Proposed Rule") (which we previously covered here). The release of the Final Rule follows publication of the CMMC Title 48 proposed rule (on August 15, 2024) that we analyzed here ("DFARS"). CMMC 2.0 was first announced back in November 2021 (which we previously discussed here).

As a refresher, the goal of CMMC is to strengthen cybersecurity across the Defense Industrial Base by implementing a framework to ensure contractors and subcontractors adequately protect Federal Contract Information ("FCI") and Controlled Unclassified Information ("CUI") under DoD contracts. The framework requires contractors to implement cybersecurity standards at various levels (Levels 1-3) depending on the sensitivity of the information they hold, and to undergo related assessments and provide affirmations regarding compliance.

Final Rule Overview

The DoD received hundreds of public comment submissions, which are addressed in the 470-page Final Rule. For the most part, the structure of the program and security requirements for DoD contractors and subcontractors remain the same. Notably, however, DoD did make some helpful changes, updated key definitions, and provided welcome clarity – particularly with respect to requirements for external service providers.

Below are our initial takeaways and noteworthy updates included in the Final Rule.

Revised Timeline for Phased Roll-Out – Phase 1 Extended to One Year

In response to public comments critiquing the roll-out timeline, the implementation for Phase 1 is extended by six months with parallel adjustments to later phases. This means Phase 2 will start one calendar year after the start of Phase 1. This additional time is intended to address any issues during ramp-up, allow for training of new assessors, and provide companies the necessary time to understand and implement new requirements.

Phase 1 will begin on the effective date of the complementary CMMC Title 48 rule, which is estimated to be early to mid-next year. Below is an updated overview of the four phases for CMMC implementation.

1531730a.jpg

Updates Relating to Security Protection Assets & Security Protection Data

Commenters strongly criticized the Proposed Rule's treatment of Security Protection Assets and Security Protection Data, where the Proposed Rule suggested for Level 2 that Security Protection Assets were to be assessed against all security requirements even where a Security Protection Asset did not store, process, or transmit CUI.

The Final Rule updates definitions and requirements, clarifying at Level 2 and Level 3 that Security Protection Assets that do not process, store, or transmit CUI need only be assessed "against Level 2 [or Level 3] security requirements that are relevant to the capabilities provided," and not all security requirements. See Table 3 §170.19(c)(1).

The new and updated definitions are as follows:

  • Security Protection Assets ("SPA") are "assets providing security functions or capabilities for the [contractor's] CMMC Assessment Scope."
  • Security Protection Data ("SPD") is "data stored or processed by Security Protection Assets (SPA) that are used to protect [the contractor's] assessed environment. SPD is security relevant information and includes but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment."

32 CFR §170.4(b). The added specificity here is a welcome update and will alleviate some of the burden associated with performing a CMMC assessment at Level 2 and Level 3.

Clarification of Requirements for External Service Providers

The Final Rule updates requirements for External Service Providers ("ESPs") and, related to the above, clarifies that where an ESP processes, stores, or transmits Security Protection Data (and not CUI), the ESP does not need its own CMMC certification; its services can be assessed as Security Protection Assets as part of the contractor's assessment.

The Final Rule includes the below chart as a helpful tool to determine requirements applicable to ESPs.

1531730b.jpg

Table 4, 32 CFR §170.19(c)(2)(i).

As a reminder, ESPs are "external people, technology, or facilities that an organization utilizes for provision and management of IT and/or cybersecurity services on behalf of the organization." 32 CFR §170.4(b). While the definition of ESP did not change, the Final Rule provides additional information to help contractors understand the definition.

  • Cloud Service Providers ("CSPs"), Managed Service Providers ("MSPs"), and Managed Security Service Providers ("MSSPs") to DoD contractors are considered ESPs.
  • Service providers needing only temporary access, for services such as penetration testing, incident response, or forensic analysis, do not meet the definition of an ESP and are not considered to process, store, or transmit CUI.
  • A CMMC assessment is not necessary for an ESP that provides staff augmentation where the contractor provides all processes, technology, and facilities.
  • Not all companies that provide services to a DoD contractor are considered ESPs.

These updates come as a relief to DoD contractors and their service providers where the compliance threshold will be significantly lessened in some cases. DoD contractors still should carefully review their arrangements with any third parties that may handle sensitive DoD information to ensure appropriate security protections are in place even if the third party does not necessarily meet the definition of an ESP.

Revisions Regarding Contractor Affirmations

The Final Rule removes the term "senior official" and now uses "Affirming Official," which is defined as the senior level representative within the contractor's organization responsible for ensuring CMMC compliance and with authority to affirm the contractor's continuing compliance with CMMC security requirements. 32 CFR §170.4(b). The Affirming Official must provide a CMMC affirmation in the DoD's Supplier Performance Risk System ("SPRS") at each of the following times: (i) upon achieving conditional CMMC status (as applicable); (ii) upon achievement of final CMMC status; (iii) annually following final CMMC status; and (iv) following a Plan of Action and Milestones ("POA&M") closeout assessment (as applicable). 32 CFR §170.22.

Other Noteworthy Changes

Additional points worth noting in the Final Rule are below.

International Contractors

The Final Rule confirms both U.S. and non-U.S. organizations will be subject to the same CMMC requirements. No additional timeline or special accommodations will be granted to international contractors solely based upon an international location. The Final Rule emphasizes that the phased implementation will impact both U.S. and non-U.S. contactors equally.

Operational Plans of Action v. POA&Ms

The Final Rule adds the concept of "operational plans of action" as distinct from POA&Ms to address concerns that the CMMC program's draconian approach to POA&Ms did not align with standard continuous monitoring practices. Operational plans of action are defined as the formal artifacts identifying temporary vulnerabilities and temporary deficiencies (e.g., necessary information system updates, patches, or reconfiguration as threats evolve) in implementation of requirements and documenting how they will be mitigated, corrected, or eliminated. DoD clarifies, "An operational plan of action...is not the same as a POA&M, which is associated with an assessment for remediation of deficiencies that must be completed within 180 days." 32 CFR §170.4(b). Operational plans of action are part of normal maintenance of a system.

Verification of Subcontractor Compliance

The DoD reiterates in the Final Rule that prime contractors will be responsible for compliance throughout their supply chain and that SPRS, or any other DoD-sponsored tools, will not be made publicly available for contractors to verify CMMC status of other companies. Instead, contractors should share information to ensure verification of CMMC status when arranging contracts, as appropriate. The DoD emphasized the importance of early and effective communication between contractors and subcontractors to verify CMMC statuses. Further, the Final Rule noted that DoD will not be involved with this process and that it is beyond the scope of the Rule.

Conclusion – Takeaways and What's Next

Now that the Final Rule is available, contractors can finalize their assessment scoping and complete self-assessments or CMMC certification assessments. Even though the CMMC program is not effective for DoD contractors until finalization of the parallel Title 48 rule, DoD makes clear companies can immediately seek CMMC certification and need not wait for the phased roll-out to begin.

DoD contractors should seriously focus on CMMC compliance now (if they have not already) as completing the assessment can take time and we expect DoD to move quickly in finalizing the parallel rule to update the DFARS. Once CMMC requirements are applied to a solicitation, contractors will be ineligible for award, and eventually option periods or extension of performance, if they do not have the required CMMC compliance in place. And, while program managers may seek approval for a waiver of the CMMC requirements in certain solicitations, we expect waivers likely will be rare.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More