Department of Defense Establishes New Cybersecurity Maturity Model Certification (CMMC) Program
Requirements for Defense Suppliers, Contractors and Subcontractors
At a Glance
- On October 15, 2024, the Department of Defense (DoD or the Department) published a final rule to establish the Cybersecurity Maturity Model Certification (CMMC) Program. Although the Program will be implemented across four phases, the first phase will take effect on December 16, 2024.
- The CMMC requires defense suppliers, contractors and subcontractors to implement specific cybersecurity measures depending on what level of sensitive government information they will handle during contract performance. The Final Rule establishes three CMMC levels — down from five tiers in the interim rule — against which contractors will be assessed, based on whether a contractor intends to secure Federal Contract Information (FCI), Controlled Unclassified Information (CUI) or other assets requiring safeguards.
- Contractors should review active and pending DoD contracts to ensure they are in compliance with the relevant CMMC standards and consider conducting a self-assessment or certification assessment, or completing a Plan of Action and Milestones (POA&M) to meet the requirements set forth in the Federal Acquisition Regulation (FAR) and by the National Institute of Standards and Technology (NIST).
Following a multi-year rollout process, the U.S. Department of Defense published a final rule on October 15, 2024, establishing its Cybersecurity Maturity Model Certification Program to protect sensitive unclassified information shared by the Department with its contractors and subcontractors. The Program will be implemented as a condition of DoD contract awards after the final rule goes into effect on December 16, requiring contractors and subcontractors to meet cybersecurity requirements through self-assessments, third-party assessments and government certifications. CMMC Program requirements will be implemented using a four-phase plan over the next three years, with the Department adding CMMC Level requirements incrementally to allow time for assessor training and contractor compliance.
Originally announced in 2019, the CMMC Program was developed to move contractors away from a “self-attestation” model of security and toward a standardized, tiered model of practices and processes to protect Federal Contract Information and Controlled Unclassified Information. The initial iteration of the CMMC, published as an interim final rule in September 2020, established a five-year phase-in period for contractors to assess and enhance their cybersecurity frameworks in accordance with the Program’s guidelines. During this time, DoD assessed the level of “maturity” required for each contract across five tiers, depending on the type and sensitivity of the government information involved in the contract. Subcontractors were also largely bound by the Program where they processed, stored, or transmitted FCI or CUI during contract performance.
Specifically, the CMMC Program was designed to protect sensitive FCI and CUI shared with defense contractors and subcontractors during contract performance. The Program requires basic levels of protection to safeguard FCI, which is defined under FAR 4.1901 as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.” Meanwhile, contractors must use broader protections for CUI, defined under 32 CFR 2002.4(h) as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
Until now, the DoD has relied on contractor representations regarding cybersecurity standards rather than verified compliance statements. The implementation of the CMMC final rule marks a significant shift in this respect, requiring contractors and subcontractors handling sensitive information to obtain third-party assessments and certifications verifying their compliance with the security requirements set forth in NIST Special Publication (SP) 800-171A (“Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”) and/or NIST SP 800-172A (“Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171”). Although the DoD does not require annual assessments to guarantee contractor compliance with CMMC standards, it does require annual affirmations to indicate that a contractor has achieved and intends to maintain compliance with the applicable security requirements.
Requirements for Contractors Under the Final Rule
After the final rule is effective, DoD will designate a CMMC level and assessment requirements that contractors must meet to be eligible for contract awards in all solicitations and resulting defense contracts involving FCI or CUI. To achieve a specified CMMC status, contractors must identify which information systems, including systems or services provided by Cloud Service Providers (CSPs) or External Service Providers (ESPs), will process, store, or transmit FCI or CUI. Subcontractors must also achieve a minimum CMMC status — determined by the level of information involved in the contract — to engage in projects where they are processing, storing, or transmitting FCI or CUI.
Assessment Levels
The final rule outlines three progressive tiers (or Levels) of the CMMC system. Each Level requires contractors to meet different cybersecurity standards from existing regulations and guidelines, depending on the sensitivity of information involved in the contract.
- Level 1 — Contractors who store, process or transmit FCI must complete an annual self-assessment and annual affirmation of compliance with the 15 security requirements included in FAR 52.204-21. Self-assessments must be submitted to the DoD’s Supplier Performance Risk System (SPRS).
- Level 2 — Contractors who store, process or transmit CUI must comply with all 110 cybersecurity requirements set out in NIST SP 800-172A. Depending on the type of information involved in the contract, DoD solicitations will specify whether compliance may be achieved through a self-assessment or through a Certified Third-Party Assessment Organization (C3PAO).
  - Self-assessment — Level 2 self-assessments must be conducted every three years and affirmed annually to verify compliance with the NIST SP 800-172A requirements. Self-assessments for Level 2 also must be submitted to the DoD’s SPRS.
  - C3PAO Assessment — Level 2 C3PAO assessments must be conducted every three years and entered into the CMMC Enterprise Mission Assurance Support Service (eMASS). Third-party assessments must also be affirmed annually.
- Level 3 — Contractors who store, process or transmit “high value assets,” as identified by the DoD, must achieve final CMMC Level 2 Status and comply with 24 additional requirements from NIST SP 800-172. Level 3 Status also requires a government assessment and certification every three years by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
For Levels 2 and 3, contractors may also receive a Conditional CMMC Status by achieving 80% of necessary security requirements — excluding specified “critical requirements” — and identifying any shortcomings in a Plan of Action and Milestones. Unmet requirements must be remedied through a “closeout assessment” within 180 days of receiving Conditional Status; these assessments must be performed by the same party who conducted the initial assessment. If a contractor fails to verify proper implementation of any unmet requirements through a second assessment, they risk the expiration of their Conditional Status and may become subject to standard contractual remedies for noncompliance.
Implementation Timeline
DoD has established a four-phase implementation plan for the CMMC Program, with Phase 1 beginning on December 16, 2024 (sixty days after publication of the final rule). In response to public comments, the DoD updated the final rule to extend Phase 1 by six months, with corresponding adjustments to later phases, in order to address ramp-up issues, provide time to train assessors, and allow contractors the time needed to implement CMMC requirements. Notably, DoD program managers will have discretion to include CMMC status requirements or rely upon existing requirements in DFARS 252.204-7012 during the phase-in period.
Each phase adds more advanced CMMC Level requirements, outlined below:
- Phase 1 — Beginning on December 16, 2024, DoD solicitations involving FCI or CUI will require Level 1 or Level 2 self-assessments as a condition of award for all applicable contracts. The DoD may, at its discretion, also include such requirements as a condition to exercise an option period on a contract awarded prior to the beginning of Phase 1. The DoD may also require Level 2 C3PAO assessments in place of Level 2 self-assessments for applicable solicitations and contracts.
- Phase 2 — Beginning one year following the effective date of Phase 1, DoD plans to include Level 2 C3PAO requirements for applicable solicitations and contracts. DoD may still, at its discretion, delay the inclusion of C3PAO requirements to an option period instead of as a condition of contract award. The Department may also include the requirement for CMMC Level 3 Status for applicable DoD solicitations and contracts.
- Phase 3 — Beginning two years following the effective date of Phase 1, DoD intends to include the Level 2 C3PAO requirements for all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded after the effective date. DoD may also, at its discretion, delay the inclusion of Level 3 requirements to an option period instead of as a condition of contract award.
- Phase 4 — Three years following the effective date of Phase 1, DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts, including option periods on contracts awarded prior to the beginning of Phase 4.
Notable Changes From the Interim Final Rule
Clarification of Subcontractor Obligations
DoD modified language in 32 C.F.R. § 170.23 to confirm that prime contractors need only flow down their own CMMC requirements for the performance of a DoD contract, rather than for all possible engagements of external providers.
Expanded Definition of Security Protection Data (SPD)
To help contractors, CSPs and ESPs understand the scope of SPD and any assessment requirements that follow, the DoD added a definition of SPD to the final rule. While still ambiguous, under the final rule, SPD refers to “data stored or processed by Security Protection Assets (SPA) that are used to protect a [contractor or provider’s] assessed environment.” Specifically, SPD is “security relevant information and includes but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment.” Because SPA is also defined broadly (i.e., as “assets providing security functions or capabilities for the [contractor’s] CMMC Assessment Scope”), CSPs and ESPs must closely follow which CMMC Level is specified by the DoD in procurements moving forward.
Clarification of Service Provider Responsibilities
The final rule clarifies that no CMMC assessment or certification is required of ESPs that do not process, store or transmit CUI. ESPs and CSPs that do process, store or transmit CUI must meet the FedRAMP requirements in DFARS clause 252.204-7012. Accordingly, any ESP or CSP services used to meet a contractor’s CMMC requirements are within the scope of that contractor’s CMMC assessment. The DoD anticipates that, although ESPs may voluntarily request a C3PAO assessment to ensure their compliance with the CMMC Program, the final rule will generally “reduce the assessment burden” on ESPs.
Impact and Takeaways
Self-assessments
All DoD contractors, subcontractors and suppliers should assess their existing systems to determine compliance with NIST SP 800-171 and ensure their assessments are conducted in line with existing DoD assessment methodologies (i.e., NIST SP 800-171A under DFARS 252.204-7012) and the scoring methodology under the final rule (i.e., Section 170.24).
Internal Staffing Preparation
Ideally, most DoD contractors have already organized a cross-disciplinary team drawn from leadership, business development, information technology, operations, compliance and contract management to assess the company’s business goals and its capacity to implement new cybersecurity frameworks, as necessary. These teams should revisit the contractor’s goals, capacity and CMMC compliance plan to ensure compliance with the final rule. Contractors that have not yet performed an internal analysis or prepared a compliance plan should organize such a cross-disciplinary team now and complete the analysis and assessment immediately.
Establish an Outreach Plan
Given that DoD has discretion to require Level 2 C3PAO assessments for applicable solicitations and contracts during Phase 1 of the CMMC Program, contractors should establish contacts with C3PAO organizations to coordinate certification planning well in advance of Phase 2, when C3PAO services will be in higher demand.
Timeline and Priorities
To ensure they are in compliance with all relevant CMMC requirements in a timely manner, contractors should develop a schedule for adapting their internal cybersecurity systems, particularly for upcoming contracting opportunities that may require C3PAO assessments during Phase 1 of the Program.
Solicitation Review Procedures
Contractors should incorporate into their solicitation review procedures a careful review of the CMMC level that DoD designates in the solicitation as a condition of eligibility for award. Contractors should ensure they comply with the designated level or, if the designated level appears to be in error, seek redress from DoD as early as possible in the solicitation process.
Legal clerk Asher Friedman Young contributed to this update.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.