After numerous fits and starts, on October 14, the Department of Defense (DoD) published a final rule implementing the Cybersecurity Maturity Model Certification (CMMC) program. Borne from documented deficiencies in the implementation of DoD-mandated security controls throughout the defense supply chain, the new CMMC program is a verification requirement to ensure contractors are complying with cybersecurity requirements at FAR 52.204-21, DFARS 252.204-7012, and DFARS 252.204-7020. Importantly, beginning in 2025 DoD RFPs will mandate the CMMC level contractors must meet in order to be eligible for award.
CMMC Levels
The CMMC program requires both prime contractors and subcontractors that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in the performance of a DoD contract to implement certain security requirements to safeguard information on their information technology systems. The final rule differentiates between three levels of compliance obligations depending on the type of information handled by the prime or subcontractor and DoD discretion.
CMMC Level 1
Contracts and subcontracts involving FCI require contractors to comply with 15 security requirements outlined in FAR 52.204-21(b)(1)(i)-(xv), many of which contractors may already follow. FCI is defined as "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments." Each year, as a condition of contract award, contractors must self-certify their compliance—using internal resources or third-party assessments—and submit the results to the Supplier Performance Risk System (SPRS).
Importantly, contractors must meet CMMC Level 1 requirements at the time of assessment, as the final rule prohibits the use of a corrective action plan, referred to as a Plan of Action and Milestones (POA&M), for compliance demonstration.
CMMC Level 2
Those contracts and subcontracts that involve CUI must adhere to 110 security controls outlined in DFARS 252.204-7012, which is also aligned with the National Institute of Standards and Technology (NIST) SP 800-171 Revision 2 requirements. CUI has been described as "[a]ny information that a law, regulation, or government-wide policy requires to have safeguarding or disseminating controls for lawful government purposes." Contractors must self-assess compliance or engage a CMMC Third-Party Assessment Organization (C3PAO) to certify compliance. The DoD will make the decision of whether to require a "CMMC Level 2 Self-Assessment" or "CMMC Level 2 Certification Assessment" based on the sensitivity of the CUI, but the DoD expects that once the final rule is fully implemented the majority of contractors will be engaging third-party assessment organizations. In addition, to achieve conditional Level 2 status, contractors must score at least 88 out of 110, with a POA&M allowed for demonstrating compliance with certain requirements. Contractors have 180 days to implement any missing controls; failure to do so may result in termination or disqualification.
CMMC Level 3
Contracts and subcontracts involving CUI that the DoD deems to require enhanced safeguarding must comply with Level 3 security requirements. These include 24 additional controls from NIST SP 800-172. CMMC Level 3 assessments are conducted solely by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). To achieve compliance, contractors must obtain a perfect score on CMMC Level 2 and score at least 20 out of 24 on the additional controls. While contractors may qualify for CMMC Level 3 status with POA&Ms, these plans must be resolved within 180 days as stipulated by the final rule.
Implementation Timeline
The CMMC program will be implemented in four phases.
Phase 1 (0-12 Months)
Phase 1 of the CMMC program will commence upon finalization of the proposed DFARS rule, anticipated in "early to mid-2025." During this phase, the DoD plans to incorporate CMMC Level 1 Self-Assessment or Level 2 Self-Assessment requirements into all relevant solicitations as a condition of contract awards. The proposed rule also permits the DoD to make the successful completion of a self-assessment a prerequisite for exercising contract option periods. In addition, the DoD has the discretion to require a CMMC Level 2 Certification Assessment instead of a Level 2 Self-Assessment for certain contracts and solicitations during this phase.
Phase 2 (12-24 Months)
Phase 2 of the CMMC program will start 12 months after Phase 1 begins and will last for one year. During this phase, the DoD will mandate CMMC Level 2 Certification Assessment requirements as a condition for contract awards. These requirements may also apply to exercising options on existing contracts. Furthermore, similar to Phase 1, the final rule allows the DoD discretion to incorporate CMMC Level 3 certification assessment requirements in relevant solicitations and contracts.
Phase 3 (24-36 Months)
Phase 3 of the CMMC program will commence one year after the start of Phase 2 and will continue for one year. During this phase, the DoD will require CMMC Level 2 Certification Assessment requirements for both contract awards and exercising options. Additionally, CMMC Level 3 Certification Assessment requirements will be mandatory for all applicable contract awards. However, the DoD retains the discretion to delay the inclusion of CMMC Level 3 Certification Assessment requirements as a condition for exercising contract options.
Phase 4 (over 36 months)
Starting one year after the start date of Phase 3, the DoD will include CMMC Level 3 Certification Assessment requirements as a condition of contract award and as a condition to exercise an option for all applicable DoD solicitations and contracts.
Changes from the Proposed Rule
The final rule largely tracks the requirements of the proposed rule; however, there are several notable differences, including:
- Extended Timeline. The final rule extends the first phase from six months to one year, which should be a welcome development for a defense industrial base that wanted more time to comply.
- External Service Providers (ESPs). The proposed rule required ESPs to obtain Level 2 certifications; however, the final rule eliminated that requirement. This was part of an effort to lower costs and allow for broader competition in the market. That said, if contractor information is sent to the ESP, the ESP will be within the scope of the requirements and will need an assessment.
- "Enduring Exception" and "Temporary Deficiency" Definitions. The proposed rule adds definitions for these two terms, which add some flexibility to compliance by allowing contractors to "meet" certain security requirements when specified conditions are satisfied.
- M&A. The final rule reiterates that CMMC assessments are valid for a specific period of time and scope. It also clarifies that new assessments are required "if there are significant architectural or boundary changes to the previous CMMC Assessment Scope . . . [like] expansions of networks or mergers and acquisitions."
Contractor Considerations
"[I]n performance of the DoD contract"
The CMMC requirements apply only to "contract and subcontract awardees that process, store, or transmit information, in performance of the DoD contract, that meets the standards for FCI or CUI on contractor information systems." This "in performance of the DoD contract" language qualifies the requirement, adding flexibility for companies that receive CUI and FCI in other circumstances. The language clarifies that the program does not restrict how a contractor processes, stores, or transmits its own information. For example, certain categories of CUI reflect proprietary contractor information. Without the clarifying language, a contractor would not be able to disclose that information. With it, a contractor can share CUI such as business system information with a teammate for purposes of drafting a proposal.
Exceptions
As we briefly discussed above, separate from a POA&M, the DoD will allow certain "temporary" and "enduring" exceptions to meet the security controls under the applicable CMMC level. The final rule defines an "enduring exception" as "a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible." "Temporary exceptions" are defined as "condition[s] where remediation of a discovered deficiency is feasible, and a known fix is available or is in process." These "temporary exceptions" must be documented in an "operational plan of action" which documents temporary vulnerabilities and explains how the contractor will mitigate, correct, or eliminate those vulnerabilities.
Importantly, the proposed rule requires 72-hour notification for "lapses in information security or changes in the status of CMMC certification or CMMC self-assessment levels." The term "lapses" could be interpreted as requiring contractors to report "temporary exceptions" within 72 hours of their discovery. Unfortunately, the final rule does not clarify whether "temporary deficiencies" would be considered "lapses." Therefore, the scope of contractor notification obligations is uncertain. Until further guidance is promulgated, contractors should carefully consider whether it is worth disclosing "temporary exceptions."
False Claims Act Risk
The CMMC program requires contractors to make affirmative assessments of compliance, creating a new avenue for potential False Claims Act (FCA) liability. In addition, cybersecurity has increasingly become an enforcement priority of the Department of Justice (DOJ), which launched its Civil Cyber-Fraud Initiative in 2021. These representations must be thoroughly reviewed to ensure their accuracy, as inaccurate statements may create litigation risk and large penalties.
Don't Wait
While the final rule does not take effect until the finalized DFARS rule is promulgated, and is then phased in over a three-year timeline, contractors should not wait to implement the required cybersecurity controls. Implementing the necessary controls takes time. In particular, obtaining a certification assessment to comply with CMMC Levels 2 and 3 can take six to eight months. Contractors should immediately begin determining which CMMC level they must comply with, identify the information systems that support DoD contracts so that all applicable systems are accounted for and controls are implemented, evaluate subcontractor and service provider capacity to meet CMMC requirements, and update compliance policies and procedures to reflect the new CMMC requirements.
Conclusion
After several delays, the CMMC program is finally here. Companies may already have some of the required controls in place, but others will need to be implemented. With the parameters of the program finalized, companies should review the final rule, assess their compliance programs, and begin to implement the necessary controls according to their specific risk profile.