
On October 11, 2024, the Department of Defense (DoD) released a final rule (the “Final Program Rule”) formalizing the requirements, assessment processes, and related governance for its Cyber Maturity Model Certification Program (CMMC).[1] 

CMMC is a DoD regulatory framework created to ensure that DoD contractors and subcontractors securely handle two categories of sensitive government information: Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Among other requirements, CMMC mandates that contractors and subcontractors handling CUI obtain third-party assessments and, in turn, certifications verifying their compliance with the 110 cybersecurity controls set forth in National Institute of Standards & Technology Special Publication 800-171A (NIST SP 800-171A) and, where required, NIST SP 800-172A.

Importantly, publication of the Final Program Rule does not immediately implement the DoD’s CMMC contract requirements. Instead, the trigger for CMMC’s implementation for contractors is tied to a separate CMMC rule (the “CMMC Clause Rule”), which is still a proposed rule and will likely not be finalized until sometime in 2025. However, the release of the Final Program Rule allows CMMC Certified Third-Party Assessment Organizations (C3PAOs) to begin assessing contractor compliance against the CMMC framework and allows contractors to get a head start on developing compliance programs prior to enforcement.

Notable Changes in the Final Program Rule

While the Final Program Rule is mostly aligned with the Proposed Program Rule that DoD released in December 2023, the DoD made several notable revisions to the Final Rule, including:

  • Changes to Phased Implementation Schedule
    • The Final Program Rule extended Phase 1, with Phase 2 now beginning one calendar year after the start of Phase 1, instead of the six-month period provided in the December 2023 Proposed Program Rule. CMMC’s phased implementation per the Final Program Rule will be:
      • Phase 1: Begins on the effective date of the CMMC Clause Rule.
        • DoD can begin to include requirements for Level 1 or Level 2 self-assessments in all applicable DoD solicitations and contracts as a condition of contract award.
        • DoD may choose to include Level 1/Level 2 self-assessment requirements in options to exercise active DoD contracts.
        • DoD may choose to include Level 2 C3PAO assessment requirements in place of Level 2 self-assessment requirements in applicable DoD solicitations and contracts.
      • Phase 2: Begins one year following the effective date of the CMMC Clause Rule.
        • In addition to Phase 1 allowances, DoD can begin to include Level 2 C3PAO assessment requirements in applicable DoD solicitations and contracts as a condition of contract award.
        • DoD may choose to include Level 3 DIBCAC assessment requirements in applicable DoD solicitations and contracts.
      • Phase 3: Begins two years following the effective date of the CMMC Clause Rule.
        • In addition to Phase 1 and Phase 2 allowances, DoD can begin to include Level 2 C3PAO assessment requirements in options to exercise active DoD contracts.
      • Phase 4: Begins three years following the effective date of the CMMC Clause Rule.
        • DoD will begin including CMMC Program requirements in all applicable DoD solicitations and contracts, including option periods on contracts awarded prior to the beginning of Phase 4.
  • Clarified Requirements for Cloud Service Providers (CSPs) and External Service Providers (ESPs)
    • In the face of public comments expressing confusion regarding the roles and responsibilities of contractor CSPs and ESPs, DoD revised CSP/ESP obligations in the Final Program Rule as follows:
      • CSPs that handle CUI are still expected to obtain FedRAMP Moderate authorization or meet equivalent security requirements.
      • ESPs that are not CSPs and that handle CUI are not required to obtain CMMC certification, but their services will be assessed as part of the contractor’s CMMC assessment.
      • ESPs and CSPs that handle Security Protection Data (SPD), a CMMC-specific term that includes logs, security scans, or other security artifacts derived from the contractor systems handling CUI, but do not handle CUI are not required to meet FedRAMP requirements. However, their services will be assessed as part of the contractor’s CMMC assessment.
      • ESPs and CSPs that handle neither CUI nor SPD are not subject to assessment requirements, but their services may need to be documented in the contractor’s system security plan (SSP).
  • DIBCAC Authority to Audit Assessment Results
    • The Final Program Rule expands the Defense Industrial Base Cybersecurity Assessment Center’s (DIBCAC) ability to audit contractors regardless of their CMMC Status. If a DIBCAC audit is conducted and its results differ from the contractor’s previously reported CMMC Status, DoD will rely on the DIBCAC audit over the contractor’s self- or C3PAO-reported CMMC compliance status and can independently update DoD’s Supplier Performance Risk System (SPRS) to indicate that the contractor does not meet CMMC requirements. The rule notes that contractors could face contractual penalties if DIBCAC finds them noncompliant.
  • Plan of Action and Milestone (POA&M) Requirement Revisions
    • The Final Program Rule updated the list of CMMC Level 2 controls that cannot have a POA&M; the list now includes security requirement CA.L2-3.12.4, which requires the development of an SSP and corresponding POA&M.

Core Assessment Requirements

CMMC is implemented through a three-tiered model consisting of CMMC Levels 1, 2, and 3. For each contract, DoD will determine the applicable CMMC Level. Contractors and subcontractors will be required to hold the applicable CMMC certification before they are eligible for contract award.

CMMC Level 1 will apply to contractors and subcontractors who store, process, or transmit FCI. CMMC Level 1 includes 17 of the NIST SP 800-171 security requirements, which are listed in the FAR 52.204-21 Basic Safeguarding clause, sections (b)(1)(i) through (b)(1)(xv). Level 1 certification will require a self-assessment, attested to annually by the Affirming Official of the organization and submitted to DoD’s Supplier Performance Risk System (SPRS).

CMMC Level 2 will apply broadly to contractors and subcontractors who store, process, or transmit CUI.  CMMC Level 2 consists of 110 requirements that correspond with the requirements found in NIST SP 800-171A.  Level 2 will require either a self-assessment annually or a C3PAO certification every three years. 

CMMC Level 3 will apply to a select group of contractors that will store, process, or transmit high-value CUI, as determined by DoD. CMMC Level 3 includes all Level 2 requirements, as well as 24 selected requirements from NIST SP 800-172. All Level 3 certifications will require a certification assessment performed by the DIBCAC every three years.

Plan of Action and Milestone Requirements

CMMC allows contractors to document in POA&Ms how they will fully satisfy controls not met at the time of their initial CMMC assessment.  POA&Ms allow contractors to achieve conditional CMMC certification, but with some limitations:

  • POA&Ms are not permitted at all for Level 1 assessments.
  • For CMMC Level 2 assessments, POA&Ms generally are not permitted for security requirements with a point value of greater than 1 and are permitted only if the assessment score divided by the total number of security requirements is greater than or equal to 0.8 and the control does not appear in the list of POA&M prohibited controls.
  • For Level 3 assessments, POA&Ms are permitted if the assessment score divided by the total number of security requirements is greater than or equal to 0.8 and the control does not appear in the list of POA&M prohibited controls.
  • Each POA&M must be closed, with all requirements completed, within 180 days of the assessment. The closure must be confirmed by a closeout assessment, which assesses only the unmet requirements identified by the POA&Ms.

Affirmations

CMMC requires annual affirmations of CMMC compliance from all in-scope contractors and subcontractors. At CMMC Levels 2 and 3, contractors must also affirm compliance after every CMMC assessment (whether a self-assessment or an assessment certification), including after any POA&M closeouts.  Like self-assessment scores, CMMC affirmations will be submitted electronically through SPRS. Contractors will not be eligible for awards under solicitations requiring CMMC until they submit their affirmations. 

The Final Rule clarifies that the official who provides the affirmation (the “Affirming Official”) must be a senior-level contractor representative who is responsible for ensuring contractor compliance with the CMMC Program requirements and who has the authority to affirm the contractor’s continuing compliance with the specified security requirements.

The increased specificity of the Affirming Official requirements highlights the enhanced legal risks companies and Affirming Officials face in light of the Department of Justice’s (DOJ) Civil Cyber Fraud Initiative, under which enforcement of cyber noncompliance has been rampant. The emphasis on ensuring Affirming Officials possess the requisite authority to attest to continued compliance underscores the importance of accurate and complete CMMC documentation and affirmations.

Key Takeaways

  • Review DoD Contracts to Determine Likely CMMC Level
    • While DoD will eventually indicate via solicitation which CMMC Levels will be required, contractors and subcontractors should review active DoD contracts to determine whether they handle CUI or FCI in the course of performance, as this is likely to forecast what CMMC Levels they will need to achieve certification.
  • Develop and Refine a System Security Plan (SSP)
    • In order to prepare for a self-assessment or certification assessment, a company must complete an SSP describing how security controls are implemented. In order to effectively complete an SSP, a company must know what regulated data (e.g., FCI or CUI) exists on its network and where the data traverses.
  • Define Internal Roles and Responsibilities
    • Contractors should engage internal stakeholders from IT, legal, human resources, compliance, physical security, and other departments to ensure all parties are aligned on the compliance approach, have the needed resources, and understand their role in meeting the appropriate CMMC compliance requirements. Contractors should also identify personnel capable of serving as the organization’s Affirming Official and ensure they are integrated into the CMMC compliance strategy.
  • Conduct Privileged Readiness Assessments
    • Contractors should consider conducting CMMC readiness assessments under attorney-client privilege in order to pressure test their ability to meet the requirements enumerated in CMMC without exposing the company to risk if gaps are found.  Engaging counsel with technical capabilities to conduct the assessment or to direct the assessments by third parties can benefit companies by mitigating the risk of having to disclose assessment findings in litigation or during an investigation.
  • Develop and Refine Corporate Policies
    • While technical solutions are integral to meeting CMMC requirements, a company’s cybersecurity is only as effective as the policies it adopts governing the use of such technology and regulating data traversing it. Companies should establish a practice of devising robust internal cybersecurity policies, developing incident response plans and other governance documents, and updating all for currency and accuracy, as these artifacts are necessary to meet many CMMC requirements.
  • Engage with CMMC-Certified Assessors
    • Entities who handle CUI and expect to be subject to CMMC Level 2 external assessments should not delay engaging C3PAOs to plan their assessments now that the Final Program Rule has been released. While CMMC requirements aren’t expected to roll out to contractors for at least several more months, C3PAOs will be in high demand, and scheduling early assessments may avoid potential C3PAO scheduling constraints. 

We would like to thank Riley Flewelling for their contribution to this alert.

[1] The Final Program Rule is expected to be formally published in the Federal Register on October 15, 2024.

Evan D. Wolff


Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Michael G. Gruden, CIPP/G


Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Jacob Harrison

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.

In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.

During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.

Maida Oringher Lerner


Maida Lerner is senior counsel in Crowell & Moring’s Washington, D.C. office and a part of the firm’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber and physical security compliance and risk management, homeland security, and administrative matters, including trade associations and companies in the pipeline, transportation, government contracts, education, health care, and manufacturing sectors.

Nkechi Kanu

Nkechi A. Kanu is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Government Contracts Group.

Nkechi’s practice focuses on False Claims Act investigations and litigation. Nkechi has significant experience assisting companies with complex internal investigations and represents clients in government investigations involving allegations of fraud. She also focuses on assisting clients with investigations relating to cybersecurity and information security compliance. Her complementary litigation practice involves defending companies in government-facing litigation arising under the FCA, resulting in the dismissal of qui tam complaints and successful settlements of FCA claims with DOJ.

Alexis Ward


Alexis Ward represents clients in a variety of matters at the intersection of government contracts and cybersecurity utilizing her experience in analytics and data architecture to counsel clients with a practical, real-world lens. As a member of Crowell & Moring’s Privacy and Cybersecurity and Government Contracts groups, Alexis has assisted clients in matters including False Claims Act investigations; developing corporate policies, procedures and governance; and in diverse matters involving cybersecurity and data privacy compliance, risk assessment and mitigation, and incident response.

During law school, Alexis founded USC Gould’s Privacy and Cybersecurity Law Society and was on the board of OUTLaw. Alexis also worked as a teaching assistant for the graduate programs’ Information Privacy Law course. Her paper The Oldest Trick in the Facebook: Would the General Data Protection Regulation Have Stopped the Cambridge Analytica Scandal? was published by the Trinity College Law Review.