On October 15, 2024, the Department of Defense (DoD) published the final rule for the Cybersecurity Maturity Model Certification (CMMC) Program that not only finalizes the long-anticipated CMMC Rule but also foreshadows what 2025 may hold for the Defense Industrial Base (DIB) and beyond. Indeed, 2025 is gearing up to be the year of cybersecurity.
The CMMC Timeline
Although the CMMC Rule's effective date is December 16, 2024, the timeline will not kick off until the currently proposed acquisition rule (48 CFR part 204 CMMC Acquisitions rule) is finalized. Nonetheless, the acquisitions rule is expected to be finalized in mid-2025, and the DoD confirmed that "[t]he DoD's objective timeline to begin implementing the CMMC requirements has been, and remains, FY 2025."
Below is the rollout schedule as well as how the DoD may, at its discretion, require more or fewer security controls during each stage of this rollout:
| Phase | Estimated Date | Requirement* | DoD May, at Its Discretion |
| --- | --- | --- | --- |
| Phase 1 | FY 2025 | Level 1 (Self) or Level 2 (Self) | include the requirement for Level 2 (C3PAO) in place of the Level 2 (Self) |
| Phase 2 | FY 2026 | Level 2 (C3PAO) | include the requirements for Level 3 (DIBCAC) |
| Phase 3 | FY 2027 | Level 2 (C3PAO) / Level 3 (DIBCAC) | delay the inclusion of the requirement for Level 3 (DIBCAC) to an option period instead of a condition of contract award |
| Phase 4 | FY 2028 | Full Implementation | N/A |
Certification at the level specified in the contract must be complete by the time of the contract award. As a result, contractors must ensure that both they and their subcontractors have received the required certification prior to the award. Due to the time and effort they may need in order to become certified (certification is currently estimated to take up to one year), contractors and subcontractors should begin assessing their systems and preparing for certification well before the DoD begins adding these requirements to contracts. This pressure will likely cause prime contractors to require their subcontractors to obtain certification soon. We anticipate a push for subcontractors to obtain these certifications starting now, with increasing pressure as we enter 2025.
Other Noteworthy Provisions
External Service Provider Requirements and the Spotlight on FedRAMP Authorization
The DoD revised the final rule to reduce the assessment burden on External Service Providers (ESPs) by allowing the ESPs to be included in the Organizations Seeking Certification's (OSC) System Security Plan (SSP) and be evaluated with the OSC rather than requiring them to independently obtain certification.
However, the DoD imposes additional obligations where a contractor uses an ESP as a Cloud Service Provider (CSP) to store, process or transmit Covered Defense Information (including controlled unclassified information (CUI)). As clarified in a December 2023 memo, a contractor must "require and ensure" that a CSP is either FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline or is FedRAMP Moderate "equivalent." The same memo confirms that equivalency requires the CSP to maintain and present to the contractor a full body of evidence demonstrating 100 percent compliance with the FedRAMP Moderate baseline and complete an assessment with a Third Party Assessment Organization (3PAO).
This requirement may increase demand for FedRAMP-authorized services at the same time that FedRAMP is completely reworking its program. Earlier this year, FedRAMP discussed its high-level road map, setting forth its intended changes, including redefining its security expectations across the FedRAMP authorization in FY25 (Q1-Q2). This was followed by OMB rescinding the memo that established FedRAMP and issuing new guidance meant to dramatically scale up the FedRAMP marketplace.
These changes forecast increased cybersecurity requirements for many DoD contractors and subcontractors as well as increased scrutiny of their implementation of these cybersecurity measures.
The Six-Year Retention Period
Under the CMMC Rule, OSCs must retain artifacts used as evidence for the assessment for at least six years from the date of the certification assessment. This retention obligation extends to the annual self-certifications that contractors must perform. Similarly, third-party assessors also have a six-year record retention requirement. In order to preserve the integrity of the artifacts reviewed, OSCs are required to create and retain a hash of the assessment evidence (including a list of the artifact names, the resulting hash values and the hashing algorithm used).
This assessment evidence will include all artifacts that are used to support Level 2 or Level 3 assessments by C3PAOs and DCMA DIBCAC. These artifacts will consist of the evidence related to an OSC's SSP, which will be reviewed as part of a CMMC certification assessment. An OSC's SSP should detail the policies and procedures that support how security requirements are implemented for all NIST SP 800-171 controls.
In addition to the evidence showing the implementation of technical controls, OSCs should retain any additional documentation created to explain the reason for their implementation decisions. In recognition of the large variety of system architectures and OSC-specific needs, OSCs will likely be required to make numerous judgment calls when implementing CMMC requirements. As part of this process, OSCs should retain not only evidence of the implemented controls but also the explanations for any decisions made based on OSC-specific factors, since those factors may not be as easily discernible six years later if the government questions whether the implementation was reasonable.
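The hash-of-evidence requirement above (artifact names, hash values and the algorithm used) is straightforward to satisfy with a manifest that is generated at assessment time and re-checked when the artifacts are later produced. The following is an added illustration, not code from the CMMC Rule or any assessor tool; the directory layout, file names and the choice of SHA-256 are assumptions, and `demo()` builds a constructed sample evidence set.

```python
import hashlib
import json
import tempfile
from pathlib import Path

ALGORITHM = "sha256"  # recorded in the manifest next to every digest (assumed choice)

def hash_file(path: Path, algorithm: str) -> str:
    """Stream the file through the named hash so large artifacts fit in memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_dir: Path, algorithm: str = ALGORITHM) -> dict:
    """Artifact names (relative paths), their digests, and the algorithm used."""
    artifacts = {p.relative_to(evidence_dir).as_posix(): hash_file(p, algorithm)
                 for p in sorted(evidence_dir.rglob("*")) if p.is_file()}
    return {"algorithm": algorithm, "artifacts": artifacts}

def manifest_digest(manifest: dict) -> str:
    """Single digest over the canonical manifest; keep it in a separately retained record."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.new(manifest["algorithm"], canonical).hexdigest()

def verify_evidence(evidence_dir: Path, manifest: dict) -> dict:
    """Recompute digests later and report modified, missing and unexpected artifacts."""
    current = build_manifest(evidence_dir, manifest["algorithm"])["artifacts"]
    expected = manifest["artifacts"]
    return {
        "modified": sorted(n for n in expected if n in current and current[n] != expected[n]),
        "missing": sorted(n for n in expected if n not in current),
        "unexpected": sorted(n for n in current if n not in expected),
    }

def demo() -> dict:
    """Constructed evidence set (not real assessment artifacts): hash, then alter, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "policies").mkdir()
        (root / "ssp.md").write_text("System Security Plan v1 (constructed sample)\n")
        (root / "policies" / "access-control.md").write_text("AC policy (constructed sample)\n")
        manifest = build_manifest(root)
        clean = verify_evidence(root, manifest)
        (root / "ssp.md").write_text("System Security Plan v2 (edited after assessment)\n")
        (root / "notes.txt").write_text("added later\n")
        return {"manifest": manifest, "digest": manifest_digest(manifest),
                "clean": clean, "tampered": verify_evidence(root, manifest)}
```

Retaining the manifest digest outside the evidence store (for example, in the assessment record itself) is what lets the OSC show, years later, that neither the artifacts nor the manifest were altered.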
The selection of a six-year retention period is not arbitrary. When a commenter suggested that the DoD reduce the artifact retention period to one year, the DoD declined the request and explained that the "requirement for an artifact retention period of six years is a result of the Department of Justice's input to the proposed rule." This interagency collaboration makes sense given that six years also happens to be the statute of limitations for the False Claims Act, a particularly relevant fact in light of the United States' recent intervention in a whistleblower suit against the Georgia Institute of Technology, initially filed by current and former members of Georgia Tech's cybersecurity team. The complaint alleged that Georgia Tech intentionally misrepresented its compliance with cybersecurity requirements in connection with certain DoD contracts.
Beyond DoD: FAR CUI Rule – Turning Up the Heat for All Government Contractors and Subcontractors
On October 28, 2024, the federal government announced that the proposed FAR CUI rule cleared regulatory review and is being prepared for notice in the Federal Register. It is anticipated that this rule will require non-DoD government contractors and subcontractors handling CUI to protect it in accordance with NIST 800-171, similar to the DoD cybersecurity regulations that have been in place since 2012.
The details of the new rule, however, remain unclear. In particular, this new rule will answer important questions around the extent to which non-DoD contractors will be required to obtain third-party assessments to evidence their compliance with the NIST 800-171 controls and whether non-DoD contractors will also use NIST 800-171 Revision 2. In the comments to the DoD final rule, the DoD cited the time needed for the industry to prepare for the implementation of NIST 800-171 Revision 3 as one of the reasons it did not want to use the newest version of NIST 800-171. It did, however, say that it will issue future amendments to the final DoD rule to incorporate the current version of NIST 800-171.
Where To Go from Here
For a defense contractor or subcontractor that will be subject to the CMMC requirements, there are steps that can be taken today.
First, all defense contractors that currently handle federal contract information (FCI) or CUI, or would like to handle either one in the future, should begin aligning their security program to NIST 800-171. Beginning this process now, regardless of whether contractors plan to certify at this time, will position contractors to efficiently move forward with certification by the time such certification becomes a prerequisite to receiving a desired contract award.
A great starting point for contractors is to develop a road map addressing where they are, what they would like to accomplish and what steps they should take to reach their goal. Contractors should also consider conducting a detailed mapping exercise to identify what CUI they are receiving and how they are storing and protecting that CUI.
For contractors or subcontractors that will be impacted by the FAR CUI rule, now is the time to consider whether you are interested in preparing comments to the proposed rule, when published. As evidenced by some of the significant adjustments to the CMMC Rule described above, well-drafted comments can shape the final rule.
We are here to help.
The cross-disciplinary team of attorneys on our Government Contracts team and in our Digital Assets and Data Management Practice Group draws on technical knowledge, unrivaled incident response experience, and outcomes from remediations of incidents and regulatory investigations to help organizations generate and implement solutions. This technical experience is coupled with our strong government contracting skills honed from decades advising and representing clients in all areas of public contract law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.