
Defense Department Publishes Much Anticipated Proposed Rule for the Cybersecurity Maturity Model Certification Program – Comments Are Due Soon

December 28, 2023


On December 26, 2023, the Department of Defense (DoD) published its long-awaited proposed Cybersecurity Maturity Model Certification (CMMC) Program rule, which will impose comprehensive cybersecurity and compliance affirmation requirements on DoD contractors and subcontractors. Given that the eventual final rule could result in CMMC clauses in some DoD contracts as early as the first quarter of fiscal year 2025, interested parties are encouraged to submit comments on the proposed rule by February 26, 2024.

Applicability

The proposed CMMC rule applies to defense contractors and their subcontractors and requires them to implement adequate safeguards that protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in their information systems, and to verify to the DoD that the safeguards are in fact implemented. Increasingly, DoD contractors and their supply chains have been a weak link in the theft of government data, and the proposed CMMC rule is meant to be a line of defense against these thefts. When the proposed rule becomes effective, the current ability of DoD contractors to self-assess and self-report their compliance with cybersecurity safeguards will be replaced with more stringent requirements.

Features of the Proposed CMMC Rule

The proposed CMMC rule follows a three-tier model that, at each level, is aligned with existing security requirements published by the National Institute of Standards and Technology (NIST). Depending on the type of DoD procurement at issue, the government can determine whether government information (FCI and/or CUI) will be processed by a contractor or its proposed subcontractors, and also determine which one of the three levels will best protect the government information. During solicitation, the DoD will specify the level of cybersecurity safeguarding it requires (i.e., CMMC Level 1, 2 or 3) as a condition of contract award, so that only qualified bidders may bid on the procurement. At each level, a key feature of the proposed CMMC rule is how DoD will verify an assessment.

Level 1 – Self-Assessment – Full Compliance

At Level 1, the contractor must conduct a self-assessment to confirm that it is compliant with the 15 security requirements listed under Federal Acquisition Regulation (FAR) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. These 15 security requirements also map to security requirements under NIST Special Publication (SP) 800-171, Rev. 2. The results of the self-assessment must be entered into the Supplier Performance Risk System (SPRS). An annual affirmation from a senior official of the prime contractor, and of any applicable subcontractor, must verify compliance with the 15 security requirements. If the contractor or subcontractor is noncompliant with any security requirement, the CMMC Program Management Office, which is responsible for granting and revoking the validity of status, will not certify Level 1 compliance until the contractor or subcontractor is fully compliant.

Level 2 – Self-Assessment vs. Third-Party Assessment

At Level 2, compliance with the 110 security requirements specified by NIST SP 800-171, Rev. 2 will result in a successful assessment, which is subject to an annual affirmation by a senior official and must undergo reassessment every three years. However, the assessment verification requirements are bifurcated depending on DoD needs. A DoD procuring activity has the option to choose a CMMC clause that requires a self-assessment, or a CMMC clause that requires a third-party certification assessment from an authorized or accredited CMMC Third Party Assessment Organization (C3PAO).

Level 2 self-assessment certification is procedurally similar to Level 1, albeit with more comprehensive safeguards. A contractor or subcontractor ensures that it is compliant with the NIST SP 800-171 Rev. 2 security requirements and then conducts a self-assessment that is entered into SPRS. A difference from Level 1 is that if a security requirement is not met, the contractor or subcontractor is allowed to draft a Plan of Action and Milestones (POA&M), which will allow for a conditional self-assessment for certain security requirements, depending on scoring. The contractor or subcontractor then has 180 days to close out the security requirements subject to the POA&M and achieve a final self-assessment. However, even with only a conditional self-assessment, a prime contractor may bid on a solicitation.

Level 2 third-party certification assessment requires a contractor or subcontractor to ensure that its information system is compliant with the CMMC security requirements; a C3PAO must then conduct an assessment that is entered into the CMMC instance of the Enterprise Mission Assurance Support Service (eMASS), which provides automated transmission to SPRS. As with Level 2 self-assessments, conditional certification assessments are allowed when POA&Ms exist, but the POA&Ms must be closed out by the C3PAO within 180 days in order to achieve a final certification assessment.

Importantly for Level 2, the contractor may use a Federal Risk and Authorization Management Program (FedRAMP) Moderate (or higher or equivalent) Cloud Service Provider (CSP) to process, store or transmit CUI in execution of a contract or subcontract. This aspect of the proposed rule leverages existing CSP solutions and allows contractors who have been using such solutions in compliance with DFARS 252.204-7012 to continue to do so.

Level 3 – Government Assessments

For Level 3 assessments, contractors or subcontractors must first have received a final certification assessment for Level 2 (i.e., conducted by a C3PAO and free of POA&Ms). Contractors or subcontractors must then prepare for enhanced safeguarding by complying with an additional 24 security requirements derived from NIST SP 800-172. The Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) then conducts a certification assessment of the information system to verify compliance, which is entered in the CMMC instance of eMASS, with automated transmission to SPRS. As with Level 2 assessments, POA&Ms are allowed for certain security requirements, depending on scoring, but must be closed out by DIBCAC before a final certification assessment is granted. A reassessment must be conducted every three years, and an annual affirmation by a senior official of the contractor or subcontractor is required. However, contract eligibility will exist once there is a conditional certification assessment and an affirmation is submitted through SPRS.

The below provides an illustration of the proposed CMMC rule levels:

CMMC Level 1

Requirements: 15 requirements from FAR 52.204-21.

Assessment: Annual self-assessment provided in SPRS and annual affirmation. No conditional assessment allowed.

CMMC Level 2

Requirements: 110 requirements from NIST SP 800-171, Rev. 2.

Assessment: Triennial self-assessment and annual affirmation, or triennial third-party certification assessment and annual affirmation. Assessments self-inputted to SPRS or inputted by a C3PAO (eMASS). Conditional self-assessment or certification assessment allowed with POA&Ms, but the POA&Ms must be closed out within 180 days.

CMMC Level 3

Requirements: 110+ requirements from NIST SP 800-171 and NIST SP 800-172 (a Level 2 certification assessment is a prerequisite).

Assessment: Triennial government-led certification assessment by DIBCAC and annual affirmation. Conditional certification assessment allowed with POA&Ms, but the POA&Ms must be closed out by DIBCAC within 180 days. Assessments inputted by DIBCAC (eMASS).

Next Steps

The 60-day comment period for the proposed rule, due to expire on February 26, 2024, allows industry stakeholders to express concerns that the proposed rule raises and to propose solutions to address those concerns. It is expected that industry groups will request an extension to the comment period given the importance of the rule, although an extension is not guaranteed. Some concerns that have been expressed about this proposed rule are its lack of an appellate right for contractors who disagree with a third-party assessment decision; unresolved cost assessments; the need for more specific CUI identification guidelines; and the incorporation of NIST SP 800-171 Rev. 3, which is currently also in a public comment phase. It is important to note that the proposed rule will recognize only one Accreditation Body, which will be responsible for accrediting C3PAOs and will wield great power as a nongovernmental body. The currently designated Accreditation Body is the Cyber AB, which will be subject to its own stringent compliance requirements and should be watched by stakeholders as it continues to stand up its process. It is also important to note that the proposed rule is drafted pursuant to Title 32, which allows for changes to the DFARS. However, further rulemaking is expected under Title 48, which allows for changes to the FAR. Finally, DoD plans to implement the proposed rule in four phases, with the first phase beginning on the effective date of the revision to DFARS 252.204-7021, which specifically addresses CMMC, and with Level 1 and Level 2 self-assessments expected as the initial requirements in contracts.

About Duane Morris

Attorneys in the firm’s Government Contracts and International Trade Group and Privacy and Data Protection Group have considerable experience in assisting clients on a wide range of matters, including compliance with federal cybersecurity rules; building cybersecurity teams; a full range of litigation and counseling services on virtually every facet of government contracting and procurement; handling security breaches; providing clients with compliance and auditing advice on privacy and IT security exposure; and navigating the complex regulatory minefield governing data protection. The firm’s attorneys also have experience in preparing public comments for submission to the government.

For More Information

If you have any questions about this Alert, please contact Geoffrey M. Goodale, Sandra A. Jeskie, Rolando R. Sanchez, Lauren E. Wyszomierski, any of the attorneys in our Government Contracts and International Trade Group, any of the attorneys in our Privacy and Data Protection Group or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.