
Amidst a flurry of executive cost-cutting, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification program—often known just as “CMMC”—appears to be defying the odds and only picking up steam. Marking the first CMMC developments under the new administration, the DoD has published guidance that previews what to expect once CMMC is finalized. These developments suggest that the current administration intends to pick up where it left off, having first introduced the CMMC program during President Trump’s first term.

This month, the DoD made public a memorandum titled “Implementing the Cybersecurity Maturity Model Certification (CMMC) Program: Guidance for Determining Appropriate CMMC Compliance Assessment Levels and Process for Waiving CMMC Assessment Requirements.” The memorandum emphasizes the DoD’s focus on reducing the risk of cyber attacks and reinforces contractors’ obligations to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). While the final Defense Federal Acquisition Regulation Supplement (DFARS) rule, 2019-D041, has not been published yet, the memorandum reminds program managers and contractors of the CMMC assessment requirements, reiterating that program managers and requiring activities will designate CMMC levels for contracts based on the type of information that contractors will handle on their own networks during contract performance. Notably, the memorandum provides that non-Federal Acquisition Regulation (FAR) based grants and other legal agreements will also include CMMC requirements. 

In addition, the memorandum includes guidance on how requiring activities may determine the applicable CMMC Level and how program managers or requiring activities may request a waiver of CMMC requirements. 

As contractors prepare for the publication of the final DFARS rule, the memorandum provides new insight on what contractors should expect, including the following:

  • The CUI Registry will determine whether self-assessments or third-party assessments are required for CMMC Level 2.
    • CMMC Level 2 self-assessments will be sufficient only when the contract will require the contractor to process, store, or transmit CUI that is outside of the National Archives CUI Registry Defense Organizational Index Group. However, a program manager may elevate the requirement to CMMC Level 2 certification “if there is high risk to the confidentiality, integrity, or availability of the CUI.”
    • CMMC Level 2 certifications will be necessary when the contract will require the contractor to process, store, or transmit CUI categories under the National Archives CUI Registry Defense Organizational Index Grouping.
  • Contractors that process, store, or transmit CUI that is outside of the CUI Registry Defense Organizational Index Group may need to be prepared for an accelerated timeline.
    • As noted above, CMMC Level 2 self-assessments are only sufficient when the CUI is not one of the categories under the National Archives CUI Registry Defense Organizational Index Grouping. The Defense Organizational Index Grouping includes Controlled Technical Information; DoD Critical Infrastructure Security Information; Naval Nuclear Propulsion Information; Privileged Safety Information; and Unclassified Controlled Nuclear Information – Defense. Accordingly, contractors that handle information such as Protected Critical Infrastructure Information, North Atlantic Treaty Organization (NATO) Unclassified, or Personnel Records should be prepared for the requirement of CMMC Level 2 self-assessments—which are expected to begin on the effective date of the final DFARS rule (CMMC Phase I).
  • Program managers or requiring activities, not the contractor, may request to waive CMMC assessment requirements.
    • The program managers or requiring activities, not the contractor, may request Service Acquisition Executive (SAE) or Component Acquisition Executive (CAE) approval to waive a CMMC assessment requirement for either an individual procurement or a class of procurements.
    • Waivers do not affect the requirements set forth in FAR 52.204-21, DFARS 252.204-7012, or the more advanced cybersecurity standard NIST SP 800-172, when applicable. In other words, the waiver applies only to the assessment, not the cybersecurity requirements that may be applicable in the contract.
    • Waivers on a class basis must include a planned expiration date and guidance for requiring CMMC certification in subsequent solicitations.
  • Waivers are not appropriate under certain circumstances.
    • Waivers are unlikely to apply to CMMC Level 1 or CMMC Level 2 self-assessments.
    • Waivers are not appropriate for contracts requiring performance by a cleared defense contractor.
    • For CMMC Level 3, waivers are not appropriate for contracts or work statements requiring access to both unclassified and classified DoD information.
  • Waivers under CMMC Level 2 third-party assessments and CMMC Level 3 third-party assessments may be applicable in “rare circumstances.”
    • For example, waiver of a CMMC Level 2 third-party assessment could theoretically be appropriate when the requiring activity is seeking competition from non-traditional DoD sources.

Separately, Katie Arrington announced her recent appointment as the DoD’s Chief Information Security Officer (CISO). The name will immediately refresh the recollections of those following CMMC over the years. Ms. Arrington previously held a narrower CISO position within the DoD’s Office of Acquisition & Sustainment under the first Trump administration. In that role, she was a notably staunch advocate for the original “CMMC 1.0” program.

Since the start of the new administration, speculation has swirled around whether CMMC would be on the regulatory chopping block. Many contractors staring down expected compliance deadlines as early as this summer have anxiously awaited clarity. With these recent developments, the answer appears to be an emphatic “no.” The DoD is showing no signs of slowing down on CMMC.

Michael G. Gruden, CIPP/G


Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Daniel W. Wolff


Dan Wolff represents clients facing enterprise-level risks arising out of government enforcement actions and complex commercial disputes. He is a problem solver who understands how to use litigation, whether as plaintiff or defendant, to achieve exceptional business solutions and outcomes. Dan leads the firm’s administrative law litigation practice, counseling clients and litigating on their behalf in federal and state courts around the country in matters arising under the Administrative Procedure Act, other federal statutes, and the U.S. Constitution. He also litigates commercial disputes and matters arising in tort. He has deep experience arguing dispositive motions and appeals, in addition to trying jury cases. Notably, The National Law Journal named Dan a Political Activism and First Amendment Rights Trailblazer.

Beyond the courtroom, clients also seek Danʼs counsel in government investigations of workplace accidents, fatalities, supervisor liability, and requests for company records.

Dan serves on the firm’s Public Service Committee and maintains an active pro bono practice. In recent years, he has focused on civil rights impact litigation, helping to secure victories or favorable settlements under the First Amendment, § 1983, and the Voting Rights Act.

Immediately following law school, Dan clerked for two years in the Southern District of Ohio for the Honorable Walter H. Rice. He is licensed to practice in the District of Columbia and Ohio and is also a member of the bars of multiple federal courts, including the U.S. Supreme Court.

Nkechi Kanu


Nkechi A. Kanu is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Government Contracts Group.

Nkechi’s practice focuses on False Claims Act investigations and litigation. Nkechi has significant experience assisting companies with complex internal investigations and represents clients in government investigations involving allegations of fraud. She also focuses on assisting clients with investigations relating to cybersecurity and information security compliance. Her complementary litigation practice involves defending companies in government-facing litigation arising under the FCA, resulting in the dismissal of qui tam complaints and successful settlements of FCA claims with DOJ.

Kate Growley


Kate M. Growley (CIPP/US, CIPP/G) is a director with Crowell & Moring International and based in Hong Kong. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients understand, navigate, and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Maida Oringher Lerner


Maida Lerner is senior counsel in Crowell & Moring’s Washington, D.C. office and a part of the firm’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber and physical security compliance and risk management, homeland security, and administrative matters, including trade associations and companies in the pipeline, transportation, government contracts, education, health care, and manufacturing sectors.

Jacob Harrison


Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.

In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.

During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.