By Peter J. Eyre; Adelicia R. Cliffe; Michael Samuels; Michael G. Gruden, CIPP/G; Jacob Harrison; Christian Curran; Sarah Burgart; and Allison Skager

As Crowell covered in a recent alert, the Department of Defense (DoD) on October 11, 2024 released a final rule (the “Final Program Rule”) formalizing the requirements, assessment processes, and related governance for its Cybersecurity Maturity Model Certification (CMMC) Program.

One aspect of CMMC that may have gotten lost in the shuffle of the Final Program Rule’s 470 pages is that when a contractor undergoes a merger or acquisition (M&A), the transaction may trigger a requirement for a new CMMC assessment.  As the groundwork for this requirement, the Final Program Rule states that “CMMC Level 2 self-assessment, Level 2 certification assessment, and Level 3 certification assessment are valid for a defined CMMC Assessment Scope.”  CMMC Assessment Scope means the set of all assets in the Organization Seeking Assessment’s (i.e., the contractor’s) environment that will be assessed against CMMC security requirements.  Under CMMC, in-scope assets will not only consist of IT infrastructure, but may also include personnel, service providers (e.g., managed service providers and managed security service providers), and other non-technical resources involved in handling or securing Controlled Unclassified Information (CUI). 

DoD stated in response to an industry comment attached to the Final Program Rule that where there is a significant change to the relevant assets defining the Assessment Scope, i.e., “if significant architectural or boundary changes are made to the previous Assessment Scope,” this requires a new CMMC assessment.[1]  Among the examples cited by DoD in its response of such a change in Assessment Scope are “expansions of networks or mergers and acquisitions.”  This means that in the event of M&A activity that results in significant architectural or boundary changes to the contractor’s previous Assessment Scope, the contractor may need to undergo a new CMMC assessment if it holds either Level 2 or Level 3 certification.  Such changes would generally be more likely in an asset sale than a stock purchase, but the rule does not make any explicit distinction based on the type of transaction. 

The Final Program Rule does not establish a specific deadline for completion of a new assessment if one is triggered.  Notably, however, the proposed rule that will update DFARS 252.204-7021, regarding CMMC implementation for contractors, lays out a requirement that contractors “[n]otify the Contracting Officer within 72 hours when there are any lapses in information security or changes in the status of CMMC certificate or CMMC self-assessment levels during performance of the contract.”  While it is unclear what the final rule for revisions to -7021 (anticipated in early or mid-2025) will include, a valid CMMC assessment will be required in connection with covered DoD contract awards, which could present timing challenges and require close coordination as between M&A activity and pending proposals and contract awards, as well as to ensure that the contractor does not have any CMMC compliance issues on its ongoing contracts. 

Key Takeaways

CMMC is already a hot topic within government contracts M&A diligence.  Buyers are inquiring about the Level of certification that acquisition targets plan to attain and what preparations those target contractors are undertaking.  Once CMMC implementation for contractors is finalized, likely next year, buyers and sellers engaged in the M&A process will also need to consider whether the transaction, and in particular post-closing integration plans, will impact the contractor’s Assessment Scope.  If it does, the implications and considerations include:

  • whether the target contractor will maintain its existing IT infrastructure, modify it, or be subsumed within its acquirer’s (and the CMMC impact of each);
  • the cost of a new assessment (and which party to the transaction should bear it); and
  • the DoD requirements for the timing of the new assessment and its impact on current contract compliance as well as on new or pending proposals.

Crowell will continue to monitor developments, as DoD is likely to elaborate on the specifics and timing of this requirement in the coming months.

[1] Curiously, one section of the DoD commentary states that a new assessment “is required” in such a situation, while in another the Rule says that a new assessment “may be required.”

Peter J. Eyre

Peter J. Eyre is a partner and co-chair of Crowell & Moring’s Government Contracts Group. He is also a member of the firm’s Management Board. Peter was named to BTI Consulting Group’s list of “Client Service All-Stars” in 2016, 2017, and 2019 and has been named an Acritas Star, Acritas Stars Independently Rated Lawyers (2016, 2017, 2019). He has been nationally ranked by Chambers USA in Government Contracts since 2014, and by Super Lawyers since 2017.

Adelicia R. Cliffe

Adelicia Cliffe is a partner in the Washington, D.C. office, a member of the Steering Committee for the firm’s Government Contracts Group, and a member of the International Trade Group. Addie is also co-chair of the firm’s National Security practice. Addie has been named as a nationally recognized practitioner in the government contracts field by Chambers USA.

Michael Samuels

Michael Samuels is a counsel in Crowell & Moring’s Government Contracts Group. His practice involves counseling and representing government contractors on a wide range of issues.

Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Jacob Harrison

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including cybersecurity compliance reviews, risk assessments, and data breaches.

In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.

During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.

Christian Curran

Christian N. Curran is a partner in Crowell & Moring’s Washington, D.C. office, where he practices in the Government Contracts Group. His practice focuses on government contracts litigation and counseling, including bid protests, government investigations, and compliance with federal and state procurement laws and regulations.

Christian has broad experience in the government contracts arena, including bid protest litigation at both the Government Accountability Office and the Court of Federal Claims, contract claims before the Armed Services Board of Contract Appeals, prime-sub disputes, internal investigations, mandatory disclosures, transactional due diligence, Defense Contract Audit Agency audits, and compliance assessments. He also has experience in both traditional litigation and alternative dispute resolution forums, including international arbitration and mediation, and administrative proceedings before various government agencies.

Allison Skager

Allison Skager is an associate in Crowell & Moring’s Los Angeles office, where she is a member of the firm’s Government Contracts Group.

Allison’s practice covers a range of transactional and regulatory matters for both startups and mature companies, including government contractors, large retailers, and developers of emerging technology. She performs due diligence for complex transactions involving government contractors, advises on regulatory compliance issues, and adds critical support on matters related to mergers and acquisitions, joint ventures, and private investments.