On December 26, 2023, the Department of Defense (DoD) unveiled the anticipated proposed rule for the Cybersecurity Maturity Model Certification Program (CMMC). This cybersecurity regulatory initiative is poised to significantly impact a broad spectrum of government contractors. The regulation applies to contractors involved in handling sensitive data, such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), during the execution of DoD contracts.
While the CMMC program builds upon the security requirements already found in Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, it introduces heightened scrutiny of contractors’ cybersecurity compliance. The consequences of non-compliance are particularly noteworthy in light of the Department of Justice’s Civil Cyber Fraud Initiative and the resulting exposure to False Claims Act litigation. If finalized in its current form, the rule will significantly reshape the CMMC landscape, notably by requiring a senior company official to affirm each self-assessed or certified CMMC level, which elevates the legal compliance risk for both the company and the affirming official.
Contractors must proactively prepare for the imminent implementation of CMMC. It is imperative for companies to ensure they allocate the necessary resources for compliance, involving a collaborative effort from various corporate sectors, including information security, legal, compliance, supply chain, and business operations.
Comments regarding the proposed rule will be accepted until February 26, 2024.
How We Got Here
Over the past decade, the Department of Defense (DoD) has steadily expanded the cybersecurity requirements attached to its contracts, culminating in this proposed rule. DFARS clause 252.204-7012 (DFARS 7012) was first issued in 2013 and underwent multiple revisions, with the DoD imposing a mandatory implementation deadline of December 31, 2017. The DoD subsequently incorporated DFARS 7012 into nearly all of its contracts.
Over time, the DoD observed inconsistent implementation of the DFARS 7012 requirements by contractors, leading to persistent risk of sensitive data loss. The DoD announced the Cybersecurity Maturity Model Certification (CMMC) Program in 2019, released its initial version (CMMC 1.0) in January 2020, and introduced the corresponding DFARS clause 252.204-7021 through an Interim Rule in September 2020. The same Interim Rule added two further clauses, DFARS 252.204-7019 and DFARS 252.204-7020, for evaluating contractor adherence to the existing cybersecurity requirements. Through these clauses, the DoD sought to strengthen DFARS 7012 compliance by adding self-assessments and third-party assessments.
In November 2021, the DoD introduced “CMMC 2.0,” which outlined an updated program structure featuring tiered security levels, assessment requirements, and implementation through contracts. The December 2023 proposed rule describes the revamped CMMC 2.0 Program and sets out the requirements for the program as a whole and for each CMMC level.
The proposed rule maintains the CMMC model with three tiers, as initially introduced in CMMC 2.0:
CMMC Level 1 encompasses 15 requirements outlined in Federal Acquisition Regulation (FAR) clause 52.204-21(b)(1). It is anticipated to be relevant for contractors engaged in the storage, processing, or transmission of Federal Contract Information (FCI).
CMMC Level 2 consists of 110 requirements sourced from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Rev. 2. This level is expected to be applicable to a broad spectrum of contractors involved in the storage, processing, or transmission of Controlled Unclassified Information (CUI).
CMMC Level 3 incorporates 24 selected requirements from NIST SP 800-172 in addition to full compliance with NIST SP 800-171. It is targeted at a smaller group of Department of Defense (DoD) contractors handling high-value CUI during storage, processing, or transmission.
The DoD will determine the applicable CMMC level for each procurement, and contractors must hold the required CMMC certification or self-assessment before they are eligible for a contract or subcontract award under a solicitation that mandates CMMC.
Government contractors that handle regulated data in connection with DoD contracts, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), must comply with CMMC. These requirements are expected to be incorporated into all DoD solicitations above the micro-purchase threshold, except procurements exclusively for commercially available off-the-shelf (COTS) items. The proposed rule does not impose CMMC requirements on government information systems operated by contractors on the government’s behalf. The DoD also retains discretion to waive CMMC program requirements in advance of a solicitation, but only under “very limited circumstances.”
With the introduction of the proposed CMMC regulatory framework, companies are encouraged to begin their compliance programs now. The proposed rule sets out a four-phase implementation plan. Phase one begins on the effective date of the CMMC rule and makes CMMC Level 1 or Level 2 self-assessments a condition of award under applicable solicitations and contracts. Phase two, beginning six months after the start of phase one, adds CMMC Level 2 certification assessments. Phase three, beginning one year after the start of phase two, adds CMMC Level 3 certification requirements. Until full implementation in phase four, DoD Program Managers retain discretion over whether to include CMMC requirements as award conditions. The DoD intends to include CMMC requirements in all applicable solicitations starting October 1, 2026.
The proposed assessment requirements combine self-assessments and third-party assessments, depending on the sensitivity of the data involved. Under the proposed rule, all CMMC Level 1 assessments are self-assessments, in which contractors validate their own adherence to the Level 1 security requirements and submit the results to the DoD’s Supplier Performance Risk System (SPRS) before contract award and annually thereafter. CMMC Level 2 requires either a self-assessment or a certification assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO); either must be completed before contract award and repeated every three years. The proposed rule does not explain how the DoD will decide which contracts require a self-assessment and which require a certification assessment. CMMC Level 3 certification assessments will be conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), again before contract award and every three years thereafter.
Plan of Action and Milestone (POA&M) Limitations
Under the proposed rule, Plans of Action and Milestones (POA&Ms) may be used only for specific requirements and only for a limited time. Level 1 assessments do not permit POA&Ms at all. For CMMC Level 2, a POA&M is permitted only if all of the following hold: the assessment score divided by the total number of security requirements is at least 0.8; none of the unmet requirements carries a point value greater than 1, except for CUI Encryption under specific circumstances; and none of the unmet requirements appears on the list of requirements that may never be placed on a POA&M. For CMMC Level 3, a POA&M is permitted if the assessment score divided by the total number of security requirements is at least 0.8 and the unmet requirement is not on the prohibited list. Every POA&M item must be closed, with the requirement fully met, within 180 days of the assessment, and a closeout assessment covering only the requirements listed on the POA&M must confirm closure. Note that the proposed rule provides no mechanism for waiving any individual CMMC security requirement.
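As an added illustration (not part of the original article), the Level 2 POA&M rules above can be expressed as a small checker that reports the score, whether a conditional certification is possible, and the 180-day closeout deadline. The requirement identifiers, point values and prohibited list in the demo are constructed inputs, not the official assessment weights; treating the “specific circumstances” for CUI Encryption (NIST SP 800-171 requirement 3.13.11) as the partial-credit case is an assumption drawn from the NIST SP 800-171 DoD Assessment Methodology, which the article does not reproduce.

```python
"""Added example, not from the original article: a checker for the Level 2
POA&M rules described above.  Requirement ids, point values and the prohibited
list are caller-supplied inputs; the demo values below are constructed."""
from datetime import date, timedelta

LEVEL2_TOTAL = 110          # NIST SP 800-171 Rev. 2 requirements assessed at Level 2
POAM_CLOSEOUT_DAYS = 180    # every POA&M item must be closed within 180 days

# Assumption: the CUI encryption requirement (NIST SP 800-171 3.13.11) and the
# partial-credit deduction under which the rule's exception is taken to apply.
CUI_ENCRYPTION_ID = "SC.L2-3.13.11"
CUI_ENCRYPTION_PARTIAL_POINTS = 3


def level2_poam_eligibility(unmet, point_values, prohibited, assessment_date):
    """Return the score and whether the unmet requirements may go on a POA&M.

    unmet:           requirement ids assessed as NOT MET
    point_values:    id -> points deducted for that requirement (caller-supplied)
    prohibited:      ids that may never be deferred to a POA&M (caller-supplied)
    assessment_date: date of the assessment; fixes the 180-day closeout deadline
    """
    unmet = sorted(set(unmet))
    score = LEVEL2_TOTAL - sum(point_values[r] for r in unmet)
    reasons = []

    # Rule 1: score / total must be >= 0.8.  Compared in integers so the
    # boundary case (exactly 88 of 110) is not subject to float rounding.
    if score * 10 < LEVEL2_TOTAL * 8:
        reasons.append(f"score {score}/{LEVEL2_TOTAL} is below the 0.8 threshold")

    for r in unmet:
        # Rule 2: some requirements may never be deferred, whatever their value.
        if r in prohibited:
            reasons.append(f"{r} is on the prohibited-for-POA&M list")
            continue
        # Rule 3: only 1-point requirements may be deferred, except CUI
        # encryption when it is only partially unmet (assumed interpretation).
        pts = point_values[r]
        if pts > 1 and not (r == CUI_ENCRYPTION_ID and pts == CUI_ENCRYPTION_PARTIAL_POINTS):
            reasons.append(f"{r} carries {pts} points; only 1-point items may be deferred")

    return {
        "unmet": unmet,
        "score": score,
        "eligible": not reasons,   # True -> a Conditional Certification is possible
        "reasons": reasons,
        "closeout_deadline": assessment_date + timedelta(days=POAM_CLOSEOUT_DAYS),
    }


# Constructed demo inputs.  The point values are illustrative and are not the
# official DoD Assessment Methodology weights.
DEMO_POINTS = {
    "AC.L2-3.1.1": 5,
    "AC.L2-3.1.20": 1,
    "AT.L2-3.2.2": 1,
    "AU.L2-3.3.3": 1,
    "CM.L2-3.4.9": 1,
    "SC.L2-3.13.11": 3,
}
DEMO_PROHIBITED = {"AC.L2-3.1.20"}   # assumed entry on the prohibited list


def demo():
    """Two assessments on the same date: one POA&M-eligible, one blocked."""
    assessed = date(2024, 1, 15)
    eligible = level2_poam_eligibility(
        ["AT.L2-3.2.2", "AU.L2-3.3.3", "SC.L2-3.13.11"],
        DEMO_POINTS, DEMO_PROHIBITED, assessed)
    blocked = level2_poam_eligibility(
        ["AC.L2-3.1.1", "AC.L2-3.1.20"],
        DEMO_POINTS, DEMO_PROHIBITED, assessed)
    return eligible, blocked


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first demo assessment scores 105/110 with only 1-point gaps plus a partially met encryption requirement, so a conditional certification with a closeout deadline of July 13, 2024 is possible; the second is blocked twice over, once for a 5-point gap and once for a requirement on the prohibited list, even though its score of 104 clears the 0.8 threshold.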
Conditional and Final Certifications
As per the proposed rule, the outcome of assessments can lead to either a Final Certification or a Conditional Certification, contingent on the contractor’s implementation of all mandatory security controls. If a contractor attains the minimum passing score and has fully implemented all required security controls, they will be awarded a Final Certification. Conversely, if Plans of Action and Milestones (POA&Ms) are present at the conclusion of an assessment, the contractor will be issued a Conditional Certification. Contractors are obligated to address and resolve their POA&Ms, ensuring the full implementation of pending controls within 180 days from the initial assessment. Failure to do so may result in contractual penalties, such as termination, and render the contractor ineligible for future contracting opportunities requiring compliance with the Cybersecurity Maturity Model Certification (CMMC).
Under the proposed rule, both the prime contractor and each affected subcontractor must affirm annually that they continue to meet the required security requirements. At CMMC Levels 2 and 3, contractors must also affirm compliance after each CMMC assessment, whether a self-assessment or a certification assessment, and after the closeout of any Plans of Action and Milestones (POA&M). These affirmations, like self-assessment scores, are submitted electronically through the Supplier Performance Risk System (SPRS). A contractor is not eligible for award under a solicitation that requires CMMC until its affirmation has been submitted.
Contractors are advised to meticulously validate their CMMC compliance status before submitting affirmations. The submission of an affirmation that inaccurately represents a contractor’s CMMC compliance status may be construed by the government as a false statement, potentially leading to procurement repercussions, such as contract termination or debarment. Additionally, damages and/or fines may be imposed under the False Claims Act (FCA).
While awaiting publication of the final rule, organizations can begin preparing for CMMC compliance through the following measures:
1. Formulate and Enhance a System Security Plan (SSP)
To ready itself for a self-assessment or certification assessment, a company must undertake the essential documentation of a System Security Plan (SSP) detailing the implementation of security controls. The effectiveness of an SSP requires the company to be aware of the existence and paths of regulated data (e.g., Federal Contract Information or Controlled Unclassified Information) within its network.
2. Establish an Enterprise-Wide Compliance Strategy
All members of the compliance team should be engaged in formulating a strategy that sets out how the company will oversee and protect its regulated data. The strategy should identify technical gaps and legal risks and state how each will be managed. It also drives decisions on network structure and on whether the company will aim for a conditional or a final certification.
3. Consider the Implementation of a Dedicated Federal Environment
Depending on the volume of regulated data and the difficulty of applying the security controls across the whole company, a dedicated environment for housing regulated data may be worthwhile. Segregating regulated data into such an environment narrows the scope of the assessment, which simplifies technical implementation, reduces resource costs, and limits legal exposure.
4. Conduct Confidential Compliance Assessments
Contractors are advised to conduct compliance assessments under attorney-client privilege to assess their ability to meet CMMC requirements without exposing the company to risk if gaps are identified. Involving legal counsel with technical expertise to conduct or direct assessments by third parties can help mitigate the risk of having to disclose assessment findings in legal proceedings or investigations.
5. Develop and Enhance Corporate Policies
While technological solutions are crucial for meeting CMMC requirements, the effectiveness of a company’s cybersecurity relies on the policies governing the use of such technology and the regulation of data traversing through it. Companies should establish a practice of formulating robust internal cybersecurity policies, creating incident response plans, and updating all relevant documents for currency and accuracy.
Take the first step towards seamless Cybersecurity Maturity Model Certification (CMMC) compliance. If you need expert guidance or assistance in navigating the complexities of CMMC requirements, don’t hesitate—reach out to us today. Our dedicated team is ready to support you on your compliance journey. Contact us now for tailored solutions and ensure your organization meets the necessary standards.