DoD Issues Final CMMC Framework for Defense Contractors

October 23, 2024

After a nearly five-year rulemaking process, the U.S. Department of Defense (DoD) published the Final Cybersecurity Maturity Model Certification 2.0 (CMMC) program rule in the Federal Register on Oct. 15, 2024, codified at 32 CFR Part 170. Contract clauses implementing the CMMC program rule will be issued as part of the Defense Federal Acquisition Regulation Supplement (DFARS), and DoD expects to require CMMC certifications as a condition of award beginning in 2025 as part of a phased-in approach.

The final CMMC program rule is the culmination of a lengthy rulemaking process to implement third-party certified cybersecurity program standards for the Defense Industrial Base (DIB), which McGuireWoods has been tracking since 2020. The DoD significantly revised CMMC program requirements since the inception of CMMC 1.0 in 2020. At its most basic level, the CMMC program is a transition from a self-certification model for cybersecurity compliance (primarily implemented through DFARS 252.204-7012), to a third-party verification process contemplated by the CMMC program rule.

Currently, the DoD relies on contractor self-representations and affirmations that they met the NIST SP 800-171 requirements that were in place at the time the contract was executed. This approach has been subject to criticism, increasing enforcement scrutiny, and concerns that it would never be an adequate approach to ensuring cybersecurity within the DIB. The CMMC program rule is intended to respond to these criticisms by adding third-party verification through authorized third-party assessment organizations (C3PAOs) and additional assessment requirements as a condition of contract award. The CMMC program rule does not implement DoD-specific cybersecurity controls, as was contemplated in prior iterations of the CMMC framework. Instead, the rule is designed as a verification framework for the existing NIST SP 800-171, rev. 2 requirements and SP 800-172 cybersecurity requirements. The CMMC program rule continues to use NIST SP 800-171, rev. 2 requirements and specifically states that the DoD has not adopted the newly issued NIST SP 800-171, rev. 3 requirements.

The rule takes effect Dec. 16, 2024, with phased implementation over several years beginning with the finalization of the CMMC DFARS contract clauses. Once the program is fully implemented, prime and subcontractors that handle federal contract information (FCI) or controlled unclassified information (CUI) must achieve the requisite CMMC levels prior to contract award. Vendors and other third parties may also be required to comply with these controls to the extent that they maintain CUI on behalf of a contractor or subcontractor.

The CMMC program rule requires that CMMC contract clauses apply to every contract above the micro-purchase threshold (currently $10,000) that is not solely for commercial off-the-shelf (COTS) products. There is no exemption for small businesses or for contracts for commercial products and services.

Key Takeaways

The final CMMC program rule is largely unchanged from the proposed rule published in December 2023. It implements a tiered assessment model under which contractors implement controls at increasingly stringent levels, depending on the type and sensitivity of the information they will possess under a contract. As a condition of award, information systems containing covered information will need to be certified at the CMMC level specified in the solicitation and retain that certification with no gaps for the life of the contract. Prime contractors will also be required to ensure subcontractor compliance throughout the supply chain at the applicable CMMC level for each contract.

  • CMMC Level 1 — CMMC Level 1 requires a self-assessment for a contractor to secure FCI that is processed, stored, or transmitted in the course of fulfilling the contract. The contractor is required to comply with 15 security requirements as provided in FAR 52.204-21. For assessment purposes, each requirement has been tied to a NIST SP 800-171 rev. 2 control, and the associated assessment methodology in NIST SP 800-171A can be used to determine whether the control is met. All requirements must be met for certification at this level, no plans of action and milestones (POA&Ms) are allowed, and assessments must be conducted annually.
  • CMMC Level 2 — For contractors seeking to process, store, or transmit CUI during the contract’s period of performance, CMMC Level 2 requires an assessment of the contractor’s compliance with the 110 security requirements of NIST SP 800-171 rev. 2 controls either through (1) an annual self-assessment conducted by the contractor and supported by an affirmation of compliance, or (2) a certification assessment conducted by a C3PAO as prescribed under the contract. POA&Ms are acceptable for some controls, but only if they are resolved within 180 days and if the assessment score divided by the total number of security requirements is greater than or equal to 80%.
  • CMMC Level 3 — For contractors with information systems that will contain certain types of CUI, DoD will require compliance with additional security controls. Prior to seeking a Level 3 Certification Assessment, contractors must already have achieved a Level 2 Certification Assessment. Any Level 2 POA&Ms must be closed prior to the initiation of the CMMC Level 3 certification assessment. The government will confirm the contractor’s compliance with the 110 controls in NIST SP 800-171 and 17 additional controls from NIST SP 800-172. Following the government assessment and annually thereafter, the contractor must submit an affirmation of its continued compliance with Level 3 and Level 2 security requirements.

The CMMC program rule structures the rollout of this new cybersecurity framework in four phases. Phase 1 will begin with the implementation of the forthcoming DFARS rule and corresponding contract clauses and requires Level 1 and Level 2 self-certifications as a condition of award. Phases 2 through 4 will each start one calendar year after the preceding phase and will require a third-party assessment for contractors with CUI in most circumstances as a condition of award, concluding with Phase 4, which requires CMMC requirements to be included in all solicitations and contracts covered by the CMMC program rule. The required CMMC level designation will be made by DoD program managers and product end-users, as opposed to the contracting officer. The CMMC program rule confirms that CMMC level designations will be subject to pre-award protest.

The CMMC program rule takes effect Dec. 16, 2024, and C3PAOs may begin formal assessments as soon as it takes effect. As contractors begin the assessment process, it is important to select a trusted C3PAO that fully understands the company’s information security systems and requirements. While the CMMC program rule implements certain appeal rights for contractors from determinations made by the C3PAO, those rights are limited to within the C3PAO itself and the CMMC accreditation body. As such, there is no right of appeal to the DoD, and there are no regulatory provisions for agency chief information security officers (CISOs) or other officials to make product-specific risk management determinations. This raises questions from a procurement (protest) and compliance (False Claims Act) standpoint.

Additionally, as contractors begin to obtain verifications from C3PAOs, there are certain circumstances that may require an updated assessment, including the sale of the contractor. To that end, the CMMC program rule provides the following commentary: “[a] new CMMC assessment may be required if significant architectural or boundary changes are made to the previous Assessment Scope. Examples include, but are not limited to, expansions of networks or mergers and acquisitions.” Transactions seemingly can be structured in a manner to preserve the existing CMMC assessment, but parties should carefully analyze the impact of changes to the information system within the post-closing company.

Failure to comply with the CMMC 2.0 requirements or maintain compliance with the applicable controls in the CMMC level can result in revocation of the CMMC level and, correspondingly, render the contractor ineligible to bid on certain DoD contracts and raise compliance-related concerns. Contractors that have not been managing cybersecurity compliance under current FAR and DFARS requirements and working towards compliance with the NIST SP 800-171 rev. 2 controls will not be granted additional time to achieve compliance and may not pass along the costs of becoming compliant to the DoD. The DoD has been clear in the rulemaking process that the CMMC requirements reflect and are aligned with information security requirements that have been mandatory since at least December 2017.

Given the cost, time, and risk of complying with these requirements, many contractors and subcontractors have expressed concerns over compliance with the CMMC 2.0 rules. Certain DoD components have taken steps to alleviate these concerns, although the viability, appropriateness, and effectiveness of such steps remain to be seen. To that end, other DoD components suggest that costs related to the maintenance of CMMC compliance may be recoverable under certain contracts (notwithstanding the DoD comments noted above), although, again, specific proposals to that effect have yet to be published.

Contractors and subcontractors should ensure they are ready to comply with the CMMC program rule and CMMC DFARS contract clauses once they are fully implemented in the coming months. For questions related to this CMMC program rule, other related proposed rules, or government contracts generally, contact any of the authors or another member of the McGuireWoods government contracting team.