On October 11, 2024, the Department of Defense (DoD) released a final rule (the “Final Program Rule”) formalizing the requirements, assessment processes, and related governance for its Cyber Maturity Model Certification Program (CMMC).[1]
CMMC is a DoD regulatory framework created to ensure DoD contractors and subcontractors securely handle two categories of sensitive government information: Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Among other requirements, CMMC mandates contractors and subcontractors handling CUI obtain third-party assessments and, in turn, certifications verifying their compliance with the 110 cybersecurity controls set forth in National Institute of Standards & Technology Special Publication 800-171A (NIST SP 800-171A) and, where required, NIST SP 800-172A.
Importantly, publication of the Final Program Rule does not immediately implement the DoD’s CMMC contract requirements. Instead, the trigger for CMMC’s implementation for contractors is tied to a separate CMMC rule (the “CMMC Clause Rule”), which is currently in a proposed rule and will likely not be finalized until sometime in 2025. However, the release of the Final Program Rule allows CMMC Certified Third-Party Assessment Organizations (C3PAOs) to begin assessing contractor compliance against the CMMC framework and allows contractors to get a head start on developing compliance programs prior to enforcement.
Notable Changes in the Final Program Rule
While the Final Program Rule is mostly aligned with the Proposed Program Rule that DoD released in December 2023, the DoD made several notable revisions to the Final Rule, including:
- Changes to Phased Implementation Schedule
- The Final Program Rule extended Phase 1, with Phase 2 now beginning one calendar year after the start of Phase 1, instead of the six-month period provided in the December 2023 Proposed Program Rule. CMMC’s phased implementation per the Final Program Rule will be:
- Phase 1: Begins on the effective date of the CMMC Clause Rule.
- DoD can begin to include requirements for Level 1 or Level 2 self-assessments in all applicable DoD solicitations and contracts as a condition of contract award.
- DoD may choose to include Level 1/Level 2 self-assessment requirements in options to exercise active DoD contracts.
- DoD may choose to include Level 2 C3PAO assessment requirements in place of Level 2 self-assessment requirements in applicable DoD solicitations and contracts.
- Phase 2: Begins one year following the effective date of the CMMC Clause Rule.
- In addition to Phase 1 allowances, DoD can begin to include Level 2 C3PAO assessment requirements in applicable DoD solicitations and contracts as a condition of contract award.
- DoD may choose to include Level 3 DIBCAC assessment requirements in applicable DoD solicitations and contracts.
- Phase 3: Begins two years following the effective date of the CMMC Clause Rule.
- In addition to Phase 1 and Phase 2 allowances, DoD can begin to include Level 2 C3PAO assessment requirements in options to exercise active DoD contracts.
- Phase 4: Begins three years following the effective date of the CMMC Clause Rule.
- DoD will begin including CMMC Program requirements in all applicable DoD solicitations and contracts, including option periods on contracts awarded prior to the beginning of Phase 4.
- Clarified Requirements for Cloud Service Providers (CSPs) and External Service Providers (ESPs)
In the face of public comments expressing confusion regarding the roles and responsibilities of contractor CSPs and ESPs, DoD revised CSP/ESP obligations in the Final Program Rule as follows:
- CSPs who handle CUI are still expected to obtain FedRAMP Moderate authorization or meet equivalent security requirements.
- ESPs that are not CSPs who handle CUI are not required to obtain CMMC certification, but their services will be assessed as part of the contractor’s CMMC assessment.
- ESPs and CSPs who handle Security Protection Data (SPD), a CMMC-specific term that includes logs, security scans, or other security artifacts derived from the contractor systems handling CUI, but do not handle CUI are not required to meet FedRAMP requirements. However, their services will be assessed as part of the contractor’s CMMC assessment.
- ESPs and CSPs who do not handle CUI or SPD are not subject to assessment requirements, but their services may need to be documented in the contractor’s system security plan (SSP).
- DIBCAC Authority to Audit Assessment Result
- The Final Program Rule expands on the Defense Industrial Base Cybersecurity Assessment Center’s (DIBCAC) ability to audit contractors regardless of their CMMC Status. If a DIBCAC audit is conducted and its results differ from the contractor’s previously reported CMMC status, DoD will rely on the DIBCAC audit over the contractor’s self- or C3PAO-reported CMMC compliance status and can independently update DoD’s Supplier Performance Risk System (SPRS) to indicate that the contractor does not meet CMMC requirements. The rule notes that contractors could face contractual penalties if DIBCAC finds them noncompliant.
- Plan of Action and Milestone (POA&M) Requirement Revisions
- The Final Program Rule updated the CMMC Level 2 list of controls that cannot have a POA&M, now including security control CA.L2-3.12.4, which requires the development of an SSP and corresponding POA&M.
Core Assessment Requirements
CMMC is implemented through a three-tiered model consisting of CMMC Levels 1, 2, and 3. For each contract, DoD will determine the applicable CMMC Level. Contractors and subcontractors will be required to have the applicable CMMC certification before they are eligible for contract award.
CMMC Level 1 will apply to contractors and subcontractors who store, process, or transmit FCI. CMMC Level 1 includes 17 of the NIST SP 800-171 security requirements, which are listed in the FAR 52.204-21 Basic Safeguarding clause, sections (b)(1)(i) through (b)(1)(xv). Level 1 certification will require a self-assessment, attested to annually by the Affirming Official of the organization and submitted to DoD’s Supplier Performance Risk System (SPRS).
CMMC Level 2 will apply broadly to contractors and subcontractors who store, process, or transmit CUI. CMMC Level 2 consists of 110 requirements that correspond with the requirements found in NIST SP 800-171A. Level 2 will require either a self-assessment annually or a C3PAO certification every three years.
CMMC Level 3 will apply to a select group of contractors that will store, process, or transmit high-value CUI, as determined by DoD. CMMC Level 3 includes all Level 2 requirements, as well as 24 selected requirements from NIST SP 800-172. All Level 3 certifications will require a certification assessment performed by the DIBCAC every three years.
Plan of Action and Milestone Requirements
CMMC allows contractors to document in POA&Ms how they will fully satisfy controls not met at the time of their initial CMMC assessment. POA&Ms allow contractors to achieve conditional CMMC certification, but with some limitations:
- POA&Ms are not permitted at all for Level 1 assessments.
- For CMMC Level 2 assessments, POA&Ms generally are not permitted for security requirements with a point value greater than 1, and are permitted only if the assessment score divided by the total number of security requirements is greater than or equal to 0.8 and the control does not appear in the list of POA&M-prohibited controls.
- For Level 3 assessments, POA&Ms are permitted if the assessment score divided by the total number of security requirements is greater than or equal to 0.8 and the control does not appear in the list of POA&M-prohibited controls.
- Each POA&M must be closed, with all requirements completed, within 180 days of the assessment. The closure must be confirmed by a closeout assessment, which assesses only the unmet requirements identified by the POA&Ms.
Affirmations
CMMC requires annual affirmations of CMMC compliance from all in-scope contractors and subcontractors. At CMMC Levels 2 and 3, contractors must also affirm compliance after every CMMC assessment (whether a self-assessment or an assessment certification), including after any POA&M closeouts. Like self-assessment scores, CMMC affirmations will be submitted electronically through SPRS. Contractors will not be eligible for awards under solicitations requiring CMMC until they submit their affirmations.
The Final Program Rule clarifies that the official who provides the affirmation (the “Affirming Official”) must be a senior-level contractor representative who is responsible for ensuring contractor compliance with the CMMC Program requirements and who has the authority to affirm the contractor’s continuing compliance with the specified security requirements.
The increased specificity of the Affirming Official requirements highlights the enhanced legal risks that companies and Affirming Officials face in light of the Department of Justice’s (DOJ) Civil Cyber Fraud Initiative, under which enforcement actions for cyber noncompliance have been frequent. The emphasis on ensuring Affirming Officials possess the requisite authority to attest to continued compliance underscores the importance of accurate and complete CMMC documentation and affirmations.
Key Takeaways
- Review DoD Contracts to Determine Likely CMMC Level
- While DoD will eventually indicate via solicitation which CMMC Levels will be required, contractors and subcontractors should review active DoD contracts to determine whether they handle CUI or FCI in the course of performance, as this is likely to forecast what CMMC Levels they will need to achieve certification.
- Develop and Refine a System Security Plan (SSP)
- In order to prepare for a self-assessment or certification assessment, a company must complete an SSP describing how security controls are implemented. In order to effectively complete an SSP, a company must know what regulated data (e.g., FCI or CUI) exists on its network and where the data traverses.
- Define Internal Roles and Responsibilities
- Contractors should engage internal stakeholders from IT, legal, human resources, compliance, physical security, and other departments to ensure all parties are aligned on the compliance approach, have the needed resources, and understand their role in meeting the appropriate CMMC compliance requirements. Contractors should also identify personnel capable of serving as the organization’s Affirming Official and ensure they are integrated into the CMMC compliance strategy.
- Conduct Privileged Readiness Assessments
- Contractors should consider conducting CMMC readiness assessments under attorney-client privilege in order to pressure test their ability to meet the requirements enumerated in CMMC without exposing the company to risk if gaps are found. Engaging counsel with technical capabilities to conduct the assessment or to direct the assessments by third parties can benefit companies by mitigating the risk of having to disclose assessment findings in litigation or during an investigation.
- Develop and Refine Corporate Policies
- While technical solutions are integral to meeting CMMC requirements, a company’s cybersecurity is only as effective as the policies it adopts governing the use of such technology and regulating data traversing it. Companies should establish a practice of devising robust internal cybersecurity policies, developing incident response plans and other governance documents, and updating all for currency and accuracy, as these artifacts are necessary to meet many CMMC requirements.
- Engage with CMMC-Certified Assessors
- Entities who handle CUI and expect to be subject to CMMC Level 2 external assessments should not delay engaging C3PAOs to plan their assessments now that the Final Program Rule has been released. While CMMC requirements aren’t expected to roll out to contractors for at least several more months, C3PAOs will be in high demand, and scheduling early assessments may avoid potential C3PAO scheduling constraints.
We would like to thank Riley Flewelling for their contribution to this alert.
[1] The Final Program Rule is expected to be formally published in the Federal Register on October 15, 2024.