CMMC Alert: DoD Issues CMMC Program Final Rule

     On Tuesday, October 15, 2024, the U.S. Department of Defense (DoD) will take a significant step forward in implementing its Cybersecurity Maturity Model Certification (CMMC) program when it publishes its Final Rule under its national security regulations that establishes the program.  As government contractors may remember, DoD published its Proposed Rule revealing details of the program on December 26, 2023.  Notwithstanding the complexity of CMMC and significant issues raised during the comment period for the Proposed Rule, in the Final Rule DoD made very few changes to regulations it proposed last December. 

     Briefly, the Final Rule provides a framework for the CMMC program, which requires DoD government contractors and subcontractors that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CFI) during contract performance to verify that they are in compliance with existing cyber security safeguarding requirements.  Once the CMMC program is implemented, DoD will require in solicitations and contracts that, as a condition of contract award, contractors and subcontractors have self-assessments or assessments from third party certifying organizations (C3PAO’s) that verify that they meet the cyber security safeguarding requirements of one of the three CMMC Levels.  Below are just a few additional highlights of the CMMC program as set forth in the Final Rule.

CMMC Level I

     Currently, DoD regulations provide that federal contracts involving the transfer of FCI to a government contractor must require the government contractor to comply with the 15 security requirements under Federal Acquisition Regulation (FAR) clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.  Under the CMMC program, those 15 security requirements under FAR 52-204-21 comprise all of the requirements for CMMC Level 1.  Under the CMMC program, DoD will require government contractors performing under a contract that involves storing, processing or transmitting FCI to, at a minimum, perform a CMMC Level 1 self-assessment that verifies compliance with all 15 safeguarding requirements.

CMMC Level 2

     Under current DFARS regulations, DoD contracts that involve the development or transfer of CUI already require contractors to mee the 110 security requirements specified in NIST SP 800-171.  Under the CMMC program those 110 NIST SP 800-171 safeguarding standards comprise CMMC Level 2 requirements.  For DoD contracts that involve storing, processing or transmitting CUI, government contractors must meet those CMMC Level 2 requirements and, depending on the type of verification required by DoD for the contract, must verify compliance with either a self-assessment or an assessment performed by a C3PAO.

CMMC Level 3

     In addition to the CMMC Level 2 safeguarding requirements, for certain contracts DoD will require government contractors to meet the 24 security requirements derived from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.  Collectively, the NIST SP 800-171 and NIST SP 800-172 standards comprise the CMMC Level 3 safeguarding requirements.  To verify they meet CMMC Level 3 requirements for DoD contracts assigned a CMMC Level 3, government contractors must have an assessment performed by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

CMMC Program Phase In

     DoD intends to incrementally phase in CMMC requirements into solicitations and contracts.  Phase 1 will begin once the related proposed Defense Federal Acquisition Regulation Supplement (DFARS) CMMC rule, which we discussed in a recent article, becomes final.  During Phase 1, DoD will include only CMMC Level 1 or CMMC Level 2 self-assessment requirements into applicable contracts and solicitations.  DoD may also, at its discretion, include Level 1 and Level 2 self-assessment requirements as a condition of exercising contract option periods for contracts awarded before CMMC’s effective date. 

     Phase 2 will begin one year after the beginning of Phase 1.  The delayed beginning of Phase 2, which DoD initially proposed would start six months after the start of Phase 1, is one of the few instances in which DoD made changes to the CMMC program regulations in response to comments submitted during the rule-making process.  During Phase 2, in addition to Phase 1 requirements, DoD intends to include CMMC Level 2 C3PAO certification requirements as a condition of contract award into DoD solicitations and contracts.  At its discretion, DoD may make inclusion of the C3PAO certification requirement a condition of an option period rather than a condition of contract award.  DoD also may, at its discretion, include CMMC Level 3 DIBCAC assessment requirements into applicable solicitations and contracts.

     Phase 3 will begin one year after the start of Phase 2.  During Phase 3, in addition to Phase 1 and 2 requirements, DoD will include CMMC Level 2 C3PAO certification requirements in all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded after the CMMC effective date.  During Phase 3, DoD also will include CMMC Level 3 DIBCAC assessment requirements for all applicable solicitations and contracts as a condition of contract award.  DoD also may at its discretion, delay inclusion of CMMC Level 3 DIBCAC assessment requirements to an option period instead of as a condition of contract award.

     Phase 4 will begin one year after the start of Phase 3.  During Phase 4, DoD will include all applicable CMMC program requirements into all applicable solicitations and contracts, including in option periods for contracts awarded before the beginning of Phase 4.

Flow Down Requirements

     The CMMC requirements will apply to prime contractors and subcontractors at all tiers that process, store or transmit FCI or CUI on their information systems during contract performance.  Prime contractors must require subcontractors to comply with the CMMC flow down requirements.   

     If a subcontractor will only process, store or transmit FCI but not CUI during contract performance, then it must meet CMMC Level 1 requirements.  If a subcontractor will process, store or transmit CUI during contract performance then it must meet CMMC Level 2 requirements.  If the related prime contract requires CMMC Level 2 C3PAO certifications, then the subcontractor must also obtain a C3PAO certification to meet its CMMC Level 2 requirements.  If a subcontractor will process, store, or transmit CUI during contract performance and the related prime contract requires the prime contractor to obtain a CMMC Level 3 DIBCAC assessment, then the subcontractor must, at a minimum,  obtain a CMMC Level 2 C3PAO certification.

Affirmation

     The CMMC Program regulations require that a DoD contractor's senior level representative affirm continuing compliance with the appropriate level self-assessment or C3PAO certification assessment.  Affirmations are generally required to be submitted annually to the Supplier Performance Risk System (SPRS).

What Government Contractors Should Be Doing Now

     As stated above, CMMC will begin to be phased into DoD contracts once the CMMC DFARS regulations become final.  As we wrote in our recent article, the CMMC DFARS regulations were proposed in August with a comment period ending on October 15.  It seems very likely that the CMMC DFARS regulations will become final during the first quarter or first half of 2025.  At that point, Phase 1 will begin and DoD contractors will start to see CMMC Level 1 self-assessment and CMMC Level 2 self-assessment requirements in solicitations and contracts.  Phase 2 would kick in 12 months later with the inclusion of CMMC Level 2 C3PAO certification requirements in DoD solicitations and contracts.

     As also noted above, CMMC Level 2 requires an assessment and verification of compliance with the 110 safeguarding requirements under NIST SP 800-171, and the documentation and policies needed to perform a self-assessment may be extensive and may require significant time and resources to compile.  

     Therefore, if they have not already done so, government contractors should assess whether they are likely to process, store or transmit FCI or CUI during contract performance.  Reviewing DoD contracts that DoD contractors currently perform under may be helpful in making this assessment.  Similarly, DoD contractors should also develop an understanding of the various safeguarding requirements necessary to attain CMMC Level 1, 2 or 3 verification and should begin to budget for any consulting and C3PAO certification costs they may incur in order to comply with the CMMC program requirements.

     The Final Rule becomes effective on December 16, 2024, and the Amadeo Law Firm intends to provide additional educational and instructional information on the CMMC program in the coming weeks and months.