The US Department of Defense (DoD) has issued a proposed rule to implement its long-awaited Cybersecurity Maturity Model Certification program (CMMC 2.0). This proposed rule — released on December 26, 2023, and published in the Federal Register — maintains three “levels” of security controls (CMMC levels), which the DoD will impose on defense contractors and subcontractors depending on the sensitivity of the information these contractors will possess during contract performance. When implemented and as anticipated, each DoD solicitation will dictate the CMMC level offerors must achieve, and each level is accompanied by certain security, assessment, and senior-level affirmation requirements. The proposed rule also limits offerors’ use of Plans of Action and Milestones (POA&Ms) when defense contractors fall short of applicable security requirements. Industry participants have until February 26, 2024, to submit comments on the proposed rule, so we recommend that you gain familiarity with the proposed rule now and assess your company’s existing cybersecurity controls against the new CMMC levels. CMMC 2.0 is expected to be implemented by early 2025.
Background
The DoD has been working on various iterations of CMMC 2.0 since 2019. The DoD established the CMMC program as a direct result of the government’s concerns about the steadily increasing number, and evolving sophistication, of cybersecurity intrusion events affecting defense contractors. The DoD has historically relied on defense contractors’ “self-attestation” of their ability to protect different categories of sensitive, unclassified, nonpublic information — such as federal contract information (FCI) and controlled unclassified information (CUI) — but in September 2020, the DoD issued an interim rule to establish a formal CMMC 1.0 program. However, defense contractors pushed back on this iteration, complaining that it was too complicated and rigid, and that it did not appropriately take risk into account. Accordingly, the DoD abandoned the first version of the program and announced a 2.0 version of the program in November 2021. This 2.0 version has finally made it to the proposed-rule stage and represents the government’s attempt to align the goals of the program with the industry’s concerns about its impact on the way defense contractors manage cybersecurity risks.
CMMC 2.0
The DoD will use CMMC 2.0 to impose major cybersecurity requirements, assessment requirements, and affirmation requirements specific to each CMMC level. Program managers will identify the applicable CMMC level for a given contract based upon the specific responsibilities associated with contract performance. Once implemented, CMMC 2.0 will require many defense contractors to obtain a third-party certification that they have successfully implemented the cybersecurity controls set forth in National Institute of Standards and Technology Special Publication (NIST SP) 800-171 Rev. 2. Currently, defense contractors in possession of CUI are required to implement these NIST SP 800-171 Rev. 2 cybersecurity controls but are permitted to self-report to the DoD that they have done so, with minimal oversight. Going forward, CMMC 2.0 will bar a defense contractor from performing an awarded contract if it has not been certified as CMMC 2.0 compliant.
CMMC 2.0 Level 1
The first CMMC level will focus on protecting FCI and will continue to consist of the 15 basic security requirements specified in Federal Acquisition Regulation (FAR) 52.204-21. In terms of assessment, CMMC 2.0 adds a requirement for contractors and applicable subcontractors to affirm — in the Supplier Performance Risk System (SPRS) — that all applicable security requirements outlined in FAR 52.204-21 have been implemented. In addition to this self-assessment, CMMC 2.0 requires a senior company official to annually affirm continuing compliance with the specified security requirements. To the extent that a defense contractor’s self-assessment reveals that it has not implemented one or more of the 15 basic security requirements above, POA&Ms are impermissible at this level.
CMMC 2.0 Level 2
The second CMMC level will focus on protecting CUI and will require defense contractors to implement 110 security requirements identified in NIST SP 800-171 Rev. 2. To verify a defense contractor’s implementation of these cybersecurity requirements, the procuring defense agency will require defense contractors to either conduct a self-assessment or undergo a certification assessment.
To the extent that the procuring agency requires a self-assessment, the defense contractor must perform this self-assessment on an annual basis, and the results must be entered electronically in SPRS. If a solicitation requires a third-party assessment, however, a triennial certification assessment will be performed by an independent CMMC third-party assessment organization (C3PAO). The C3PAO will be required to enter the certification assessment information electronically into the CMMC 2.0 Enterprise Mission Assurance Support Service (eMASS), which will transmit the results into SPRS.
In addition to either the self-assessment or the certification assessment, a senior official from the company will be required to annually affirm continuing compliance with CMMC Level 2 security requirements. Unlike at CMMC Level 1, POA&Ms are permissible at this level.
CMMC 2.0 Level 3
Level 3 focuses on protecting CUI associated with what the DoD determines to be “a critical program or high value asset.” CMMC Level 3 requires DoD contractors to implement 24 specific security requirements as identified in NIST SP 800-172 and detailed in Table 1 to § 170.14(c)(4). To achieve CMMC 2.0 Level 3 certification, defense contractors must already have a CMMC 2.0 Level 2 certification.
At CMMC Level 3, the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (part of the DoD) will conduct the assessment to determine whether defense contractors have implemented the requisite security controls above and, after verifying implementation, will certify that all applicable CMMC Level 3 security requirements from NIST SP 800-172 have been implemented. The DoD assessor will enter the assessment results electronically into eMASS, which will transmit assessment results into SPRS. Once granted, this DoD certification is valid for up to three years. Like CMMC Levels 1 and 2, CMMC Level 3 requires a senior official from the company to annually affirm continuing compliance with the specified security requirements. Under specific circumstances, POA&Ms are permissible at this level.
Takeaways
Defense contractors should take a very close look at the requirements that will flow from CMMC 2.0’s implementation as currently drafted. Many of these requirements are new and will require additional protocols. The failure to fully understand these requirements may result in defense contract ineligibility due to noncompliance and increase False Claims Act risks, especially considering the newly imposed senior-official affirmations. At minimum, defense contractors and subcontractors should conduct an analysis of their existing cybersecurity posture in relation to the security controls set forth in the NIST SP 800-171 Rev. 2. Although CMMC 2.0 is expected to be implemented by early 2025, now is the time to comment on the proposed rule and begin to ascertain whether your company has any major gaps in its cybersecurity program or practices that would make compliance with CMMC 2.0 challenging.
[View source.]
