DoD Releases Final CMMC Program Rule, Formally Initiating Its Cybersecurity Program
On October 15, 2024, the Department of Defense (“DoD”) released its final rule (the “Final Rule”) formally establishing the Cybersecurity Maturity Model Certification (“CMMC”) program, nearly three years after first announcing its plan for the initiative. In substance, the Final Rule creates Part 170 in Title 32 of the Code of Federal Regulations. Within this new part, DoD has established the three CMMC levels and defined the security controls applicable to each; delineated the processes and procedures for assessing and certifying compliance with CMMC requirements; and identified the roles and responsibilities for the contractors and other parties involved in the CMMC assessment and certification process. Thus, after years of talk and speculation, CMMC is now a reality to which contractors will need to adjust.
Bottom Line Up Front
Below, we discuss the high-level requirements of the CMMC program and its impact and ramifications for DoD contractors and subcontractors. Most importantly, all contractors and subcontractors performing under DoD contracts should take note that we are now just one step away from these cybersecurity requirements being required for contractors to remain eligible for DoD work involving the use, storage, or transmission of Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”). As a result, all DoD contractors and subcontractors should start addressing or finalizing their compliance with these program requirements now in order to ensure they remain eligible to continue performing DoD work. In addition, given the significant certification requirements under the CMMC program, and the increased enforcement focus on cybersecurity compliance, contractors and subcontractors should dedicate the necessary resources to these compliance efforts, and approach their CMMC certifications with the attention and effort necessary to ensure full compliance in the event of any post-implementation audit or investigation.
What is the CMMC Program?
At a high level, the CMMC program requires DoD contractors to implement and annually certify compliance with specified cybersecurity requirements in order to be eligible to perform DoD contracts and subcontracts. Thus, CMMC is DoD’s attempt to strengthen cybersecurity within the defense industrial base by creating a verifiable and enforceable framework to ensure that defense contractors adequately protect FCI and CUI received and utilized in the performance of DoD contracts.[1][2] Although many of the technical cybersecurity requirements within the CMMC program are not new to DoD contractors and subcontractors, the CMMC program was created to provide DoD with further written assurances that its contractors and subcontractors have fully implemented those security requirements when processing, storing, and transmitting information during performance.
The cybersecurity requirements under the CMMC program are divided into three levels differentiated by the type of information that is expected to be utilized in performance under a particular contract. The Final Rule specifies which assessments are required to verify compliance with the applicable security controls for each respective level. As a general rule of thumb, the more sensitive the information handled by the contractor during performance, the higher the CMMC level that will apply and the more cybersecurity requirements the contractor will need to meet under the CMMC framework. DoD depicts the CMMC model as follows in its “CMMC Model Overview”:
See Cybersecurity Maturity Model Certification (CMMC) Model Overview, Version 2.13 at 3-4 (Sept. 2024).
CMMC Level 1 will be required for contracts and subcontracts that involve the use and handling of FCI but not CUI. Under CMMC Level 1, contractors must implement the 15 security controls outlined in Federal Acquisition Regulation (“FAR”) clause 52.204-21(b)(1). Prior to the award of a CMMC Level 1 contract or subcontract, the contractor or subcontractor must complete a self-assessment and report the results of that self-assessment in DoD’s Supplier Performance Risk System (“SPRS”). Contractors and subcontractors will then be required to submit an annual self-certification affirming their continuing compliance. Also, unlike CMMC Level 2, in order to receive a CMMC Level 1 contract, all of the applicable security requirements must be met at the time of the assessment; DoD will not permit contractors and subcontractors to rely on a Plan of Action and Milestones (“POA&M”) to satisfy any unmet requirements at a later time. In terms of applicability, DoD previously estimated that 63% of contractors will fall under Level 1. See 89 Fed. Reg. 66,327, 66,335 (Aug. 15, 2024).
CMMC Level 2 will be required for contracts and subcontracts that involve the use and handling of CUI, and will require contractors and subcontractors to implement the 110 security controls set forth in the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 Rev 2.[3] The Final Rule states that the scoring methodology for evaluating compliance with these controls will be the same as those currently in use under DoD FAR Supplement (“DFARS”) clause 252.204-7020. Verification of compliance with the CMMC Level 2 requirements will be made either through self-assessments or certification assessments. These Level 2 certification assessments must be conducted by CMMC Third-Party Assessment Organizations (“C3PAOs”), which are independently certified organizations approved to conduct such reviews.[4] DoD will determine which assessment level is required for each Level 2 contract based on the sensitivity of the CUI anticipated to be involved under that contract. Level 2 self-assessments and third-party assessments must be conducted and reported every three years in SPRS, and, as under CMMC Level 1, contractors and subcontractors must submit annual affirmations of continuing compliance every year.
One additional feature of note relating to CMMC Level 2 is the permissible use of POA&Ms in order to provide a longer time period to satisfy certain requirements and achieve full CMMC certification. Under the CMMC program rule, a contractor or subcontractor must obtain a score of at least 88 out of 110 in order to obtain Conditional Level 2 status in conjunction with the use of POA&Ms to resolve the remaining controls. There are limits as to which controls can be satisfied through the use of POA&Ms, with the Final Rule exempting the more significant three- and five-point controls from this avenue.[5] In addition, a contractor or subcontractor with Conditional status will be required to close out all of its POA&Ms within 180 days of being granted Conditional status, with the contractor or subcontractor reporting the completion and close out of the controls in SPRS. For CMMC Level 2 contracts, contractors and subcontractors must achieve at least Conditional status prior to award. And if the contractor or subcontractor fails to close out all POA&Ms within the 180 days of Conditional status, it will then become ineligible for additional awards of CMMC Level 2 contracts and subcontracts.
CMMC Level 3 will be required for contracts and subcontracts that involve the use and handling of CUI requiring additional security safeguards, as determined by DoD. This will include CUI relating to “a critical program or high value asset.” To meet CMMC Level 3, contractors and subcontractors will be required to be CMMC Level 2 certified and to implement an additional 24 controls from NIST SP 800-172. CMMC Level 3 assessments will be conducted only by the Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”), an organization within the Defense Contract Management Agency (“DCMA”). CMMC Level 3 assessments will be valid for three years, but like Levels 1 and 2, contractors and subcontractors must submit annual certifications of compliance. It is anticipated that few DoD contractors and subcontractors will be required to comply with the Level 3 requirements.
Regarding who must submit the required annual affirmations, the CMMC program rule replaced the term “senior official” with “Affirming Official,” which DoD has defined as the senior level representative within the contractor’s or subcontractor’s organization responsible for ensuring CMMC compliance and with authority to affirm the contractor’s or subcontractor’s continuing compliance with CMMC security requirements. As discussed above, each contractor’s Affirming Official must provide a CMMC affirmation in SPRS: (i) upon achieving Conditional CMMC status (if applicable); (ii) upon achievement of Final CMMC status; (iii) annually following achievement of Final CMMC status; and (iv) following a POA&M closeout assessment (if applicable). Timely submission of these affirmations is important because contractors and subcontractors will not be eligible for awards under solicitations requiring CMMC until they submit their affirmations in SPRS.
Who does CMMC impact?
DoD has ensured that the CMMC program will affect nearly all DoD contracts. Under the new regulation, the CMMC program “impacts all prospective and actual DoD contractors and subcontractors that are handling or will handle DoD information that meets the standards for FCI or CUI on a contractor information system during performance of the DoD contract or subcontract.” 89 Fed. Reg. 83,092, 83,170 (Oct. 15, 2024). Companies should note that this definition does not restrict a contractor’s ability to process, store, or transmit its own information, nor does it apply to contracts with federal agencies other than DoD. However, the only classes of DoD contracts exempted from the CMMC program are those contracts below the micro-purchase threshold (currently $10,000) and those contracts solely for the purchase of commercially available off-the-shelf (“COTS”) items. As a result, the CMMC program will apply to small business contractors and to foreign entities performing DoD work.
With regard to subcontractors, the CMMC program requirements task prime contractors with responsibility for ensuring compliance with the requirements throughout their supply chains — including any foreign vendors. As a result, prime contractors will be required to flow down CMMC requirements in their subcontracts, depending on the sensitivity of the information to be handled by each subcontractor during performance, and to ensure subcontractors’ compliance with those requirements. Because DoD will not permit prime contractors to access SPRS to verify potential subcontractors’ compliance, prime contractors will need to request evidence of compliance from their subcontractors.
When does CMMC go into effect?
The CMMC program will be implemented in four phases. However, DoD contractors and subcontractors should be aware that the actual start of these phases will commence upon the publication and effective date of DoD’s separate pending rule amending the DFARS. DoD issued a proposed DFARS rule on August 15, 2024, setting forth the proposed solicitation and contract clauses that DoD contracting officers would use to apply the CMMC program to individual procurements and contracts. Once finalized, the DFARS rule will also establish the associated compliance and contract administration requirements for individual contracts. The comment period for the proposed DFARS rule closed in mid-October 2024, and DoD has stated that it expects to finalize that rule — and initiate the CMMC program — in “early to mid-2025.” As a result, although the December 16, 2024 effective date of DoD’s CMMC program rule will allow contractors to begin proceeding with CMMC Level 2 compliance assessments with C3PAOs, the incorporation of the final CMMC program requirements into contracts and solicitations will not begin until the effective date of that still-pending DFARS rule.
The effective date of the pending DFARS rule will then trigger Phase 1, which will last for 12 months. During Phase 1, DoD will include CMMC Level 1 and Level 2 self-assessments as requirements for contract award. DoD may also include these requirements in existing contracts as a condition to exercise an option period. In addition, DoD may include CMMC Level 2 Certification Assessment requirements in certain contracts if DoD determines a third-party assessment is necessary for the contract or solicitation.
Phase 2 begins one year after the start date of Phase 1 and will also last for one year. In Phase 2, DoD will include a Level 2 Certification Assessment as a requirement for contract award for applicable contracts and potentially as a condition to exercise an option on existing contracts. DoD may also start including a requirement for a Level 3 Certification Assessment if DoD determines it is necessary for the contract or solicitation.
Phase 3 begins one year after the start date of Phase 2 and will also last for one year. In Phase 3, DoD contracts will include Level 2 Certification Assessments as a condition of both initial contract award and as a condition to exercise an option on an existing contract, for applicable contracts. Further, DoD will begin including a requirement for a Level 3 Certification Assessment for all applicable DoD solicitations and contracts as a condition of contract award, but DoD may delay inclusion of this requirement as a condition to exercising an option by issuing a waiver if it deems it appropriate in the situation.
Phase 4 begins one year after the start date of Phase 3, and initiates full implementation of the CMMC program in DoD contracts. In Phase 4, all CMMC requirements will be included in all DoD solicitations and contracts, including option periods.
Several Key Takeaways
Although there has been a lengthy wait, publication of the final CMMC program rule makes CMMC a reality for all defense contractors. And with the initiation of Phase 1 rapidly approaching, prime contractors and subcontractors must start taking action to ensure their compliance with the CMMC Level applicable to their current and future contracts. Achieving compliance with CMMC Level 2 likely will be an extensive process that companies should undertake immediately. And although Phase 1 mandates only self-assessments for Level 2 compliance, as discussed above, DoD may begin including certification assessment requirements into new solicitations and contracts as early as mid-2025. Practically speaking, DoD has clearly indicated that it sees the majority of Level 2 contracts as requiring a full certification assessment within the near future. Given this, companies that currently handle, or expect to handle, CUI in the performance of their DoD contracts reasonably should plan on having to meet the third-party assessment requirement sooner rather than later.
This reality, together with the challenges of achieving full compliance with the required security controls, will be compounded by the C3PAO bottleneck. Given that there are a limited number of C3PAOs certified to conduct the requisite audits and approvals, there is a high likelihood of significant wait times for contractors to schedule their external assessments. So start now. Best practices for contractors and subcontractors would be to conduct intensive internal compliance reviews and fixes for incomplete security controls as soon as possible, both to meet the Level 2 self-assessment requirements that will be required during Phase 1, and to ensure the C3PAO assessment is a final step rather than a starting place. In other words, contractors and subcontractors should use their best efforts to minimize the likelihood of failing the C3PAO assessment and having to endure another lengthy wait for a second assessment.
Finally, contractors and subcontractors should ensure that all reviews — internal and external — are conducted carefully and thoroughly because of the increased compliance risks associated with the CMMC program. The Department of Justice’s creation of the Civil Cyber-Fraud Initiative and recent scrutiny of cybersecurity measures and certifications indicate that CMMC program compliance is an area with significant False Claims Act (“FCA”) exposure. Given the numerous certification and affirmation requirements under CMMC, contractors and subcontractors must ensure that their CMMC representations are accurate and complete in order to mitigate this increased FCA risk. Even CMMC Level 1 self-certifications can carry risk if the Government relies on them during contract performance but later discovers that there were gaps within the contractor’s compliance. In short, given the increased focus and importance on cybersecurity within the Government, contractors must dedicate the necessary resources to achieving and maintaining continuing compliance with the CMMC program requirements.
The CMMC program requirements are both complex and developing. For help navigating CMMC implementation or for further questions, please contact any of the attorneys below.
[1] FCI is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public Web sites) or simple transactional information, such as that necessary to process payments.” See 48 C.F.R. § 4.1901.
[2] CUI is defined as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” See 32 C.F.R. § 2002.4(h). CUI does not include classified information, which is subject to a separate set of regulations.
[3] In May 2024, during the pendency of the proposed rule, NIST released SP 800-171 Rev 3. See Ron Ross & Victoria Pillitteri, Nat’l Inst. of Standards & Tech., NIST Special Publ’n 800-171, Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (May 2024), https://csrc.nist.gov/pubs/sp/800/171/r3/final. Revision 3 has fewer security controls than Revision 2, but it also includes more assessment objectives and new supply chain controls. DoD elected to keep the current CMMC requirements and the requirements of DFARS 252.204-7012 consistent with Revision 2 for the time being, noting that the implementation of Revision 3 will be the subject of further rulemaking.
[4] Given the purpose of the CMMC program, DoD expects that the majority of CMMC Level 2 contractors and subcontractors eventually will undergo a C3PAO Certification Assessment. Therefore, if your company currently performs DoD contracts or subcontracts involving CUI, you should begin planning now for conducting a C3PAO assessment to ensure your company remains eligible to continue performing similar work for DoD.
[5] Under DoD’s NIST SP 800-171 Scoring Methodology, certain security requirements are judged to have more impact on network security than others. As a result, DoD has adopted a weighted scoring methodology that weighs each requirement “based on the impact to the information system and the DoD CUI created on or transiting through that system, when that requirement is not implemented.” See NIST SP 800-171 DoD Assessment Methodology, Ver. 1.2.1 (June 24, 2020), at 6. Under this methodology, security requirements “that, if not implemented, could lead to significant exploitation of the network, or exfiltration of DoD CUI” are worth five points; requirements that “if not implemented have a specific and confined effect on the security of the network and its data” are worth three points; and those that “if not implemented, have a limited or indirect effect on the security of the network and its data” are worth one point. Id.
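As an added illustration (not part of this alert, and not a DoD or NIST tool), the following Python encodes the Level 2 scoring and Conditional-status rules described in the body and in footnote 5: a 110-point starting score, weighted 5/3/1-point deductions for unimplemented requirements, the 88-point floor, the restriction of POA&Ms to one-point items, and the 180-day close-out window. The requirement identifiers and weights in the sample assessment are constructed placeholders, not the actual NIST SP 800-171 values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constants as described on this page (body text and footnote 5).
MAX_SCORE = 110             # one point per NIST SP 800-171 Rev 2 requirement
CONDITIONAL_MIN_SCORE = 88  # floor for Conditional Level 2 status
POAM_CLOSEOUT_DAYS = 180    # window to close every POA&M item


@dataclass(frozen=True)
class Requirement:
    ident: str         # requirement id; the sample ids below are constructed placeholders
    weight: int        # 5, 3 or 1 per the DoD Assessment Methodology
    implemented: bool


def assessment_score(reqs):
    """Start at 110 and deduct the weight of every requirement NOT implemented.
    The result can fall below zero when many 5-point items are missing."""
    return MAX_SCORE - sum(r.weight for r in reqs if not r.implemented)


def level2_status(reqs):
    """Classify an assessment as 'Final', 'Conditional' or 'Not eligible'."""
    unmet = [r for r in reqs if not r.implemented]
    if not unmet:
        return "Final"
    # POA&Ms may only carry 1-point items: an open 3- or 5-point item blocks Conditional status.
    if any(r.weight > 1 for r in unmet):
        return "Not eligible"
    if assessment_score(reqs) < CONDITIONAL_MIN_SCORE:
        return "Not eligible"
    return "Conditional"


def poam_deadline(granted_iso):
    """ISO date of the last day to report POA&M close-out in SPRS."""
    granted = date.fromisoformat(granted_iso)
    return (granted + timedelta(days=POAM_CLOSEOUT_DAYS)).isoformat()


def poam_overdue(granted_iso, today_iso):
    """True once the 180-day window has lapsed (further Level 2 awards then stop)."""
    return date.fromisoformat(today_iso) > date.fromisoformat(poam_deadline(granted_iso))


def sample_assessment(open_items):
    """Constructed 110-requirement assessment; open_items maps placeholder id -> weight
    for the requirements that are NOT implemented (all others count as implemented)."""
    reqs = []
    for n in range(1, MAX_SCORE + 1):
        ident = f"REQ-{n:03d}"
        reqs.append(Requirement(ident, open_items.get(ident, 1), ident not in open_items))
    return reqs


if __name__ == "__main__":
    cond = sample_assessment({f"REQ-{n:03d}": 1 for n in range(1, 21)})   # twenty 1-point gaps
    print(assessment_score(cond), level2_status(cond))                    # 90 Conditional
    blocked = sample_assessment({"REQ-001": 5})                           # one 5-point gap
    print(assessment_score(blocked), level2_status(blocked))              # 105 Not eligible
    print(poam_deadline("2025-01-15"))                                    # 2025-07-14
```

Note that a single open five-point item leaves a contractor ineligible for Conditional status even with a score of 105, which is why high-weight gaps should be closed before any assessment is scheduled.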
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.