ARTICLE
19 December 2024

DoD Cybersecurity Maturity Model Certification Requirements Go Into Effect

A&O Shearman

Contributor


On December 16, 2024, the U.S. Department of Defense's (DoD) new Cybersecurity Maturity Model Certification (CMMC) 2.0 program went into effect. CMMC 2.0 aims to raise cybersecurity standards across the defense industrial base, protect sensitive government information, and preserve the U.S. military's technological advantages.

The program introduces a tiered cybersecurity regulatory framework for defense contractors and subcontractors, together with the assessments DoD will use to verify that the required safeguards are actually in place. As expected, the more sensitive the information a contractor handles, the higher its CMMC level and the stricter the applicable security standards and assessment type. Once the CMMC 2.0 rules are effective, the requirements will be phased into DoD contracts in a four-phase plan over a three-year period. DoD contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will need to meet the requirements of their corresponding CMMC level.

CMMC levels explained:

  • Level 1: For contractors handling FCI, which is information provided by or generated for the government under a government contract and not intended for public release. Contractors must comply with the 15 basic safeguarding requirements set out in Federal Acquisition Regulation 52.204-21. They must complete an annual self-assessment and an annual affirmation of compliance. The affirmation is forward-looking: the contractor must attest that it "has implemented and will maintain implementation" of its applicable CMMC security requirements.
  • Level 2: For contractors handling CUI. Contractors must comply with the 110 security requirements of NIST SP 800-171. Depending on the type of CUI the contract involves, they will be required either to perform a self-assessment or to obtain an assessment from an authorized CMMC Third-Party Assessment Organization (C3PAO). Either assessment is repeated every three years, with an annual affirmation in between.
  • Level 3: For contractors handling CUI "associated with a critical program or high value asset," as determined by DoD. Contractors must comply with the 110 requirements of NIST SP 800-171 plus 24 additional requirements selected from NIST SP 800-172, and must first hold a final Level 2 certification from a C3PAO. The Level 3 requirements are assessed directly by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Flow-down requirements

The CMMC requirements "flow down" from contractors to subcontractors so that the entire defense industrial base supply chain is protected. If a contractor subject to CMMC 2.0 requirements uses subcontractors to fulfill the contract, those subcontractors must also meet the CMMC 2.0 level appropriate to the FCI or CUI they process, store, or transmit. Prime contractors must require their subcontractors to comply with the flowed-down CMMC requirements. Thus, a framework that might seem narrow in scope can sweep in a large number of parties.

Remediation

Some flexibility is built into the CMMC 2.0 program's requirements. For example, CMMC Level 2 and Level 3 contractors that fall short on a limited set of security requirements may receive a conditional certification rather than failing outright. This conditional status requires the contractor to document the unmet requirements in a Plan of Action and Milestones (POA&M) and to close them out within 180 days; if they are not remediated in that window, the conditional certification expires. The flexibility is narrow, however: no POA&M is permitted at Level 1, a Level 2 assessment must still score at least 88 of the 110 requirements, and the higher-weighted requirements generally cannot be deferred to a POA&M at all.

Looking ahead

Contractors and subcontractors must be diligent in their CMMC 2.0 implementation and in their assessments, whether internal or external, because the new regulatory scheme raises the enforcement risk of inaccurate compliance claims. The Department of Justice's Civil Cyber-Fraud Initiative is paying close attention to contractors' cybersecurity practices under the False Claims Act (FCA). The growing number of FCA matters brought under that initiative indicates that gaps between a contractor's CMMC 2.0 affirmations and its actual security posture expose DoD contractors to FCA liability, including the risk of whistleblower (qui tam) claims. Given the numerous and varied security and assessment requirements under CMMC 2.0, it will be essential for contractors and subcontractors to ensure that their cybersecurity representations to DoD are accurate and supported by evidence.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
