The New CMMC Rule: FAQs for Federal Contractors and Subcontractors

Venable LLP

The Department of Defense (DoD) delivered its proposed Cybersecurity Maturity Model Certification Program rule (CMMC) the day after Christmas this year, including several related guidance documents (listed here). The proposed rule is brand new, but we answer several "frequently asked questions" federal contractors and subcontractors may already have about it.

Comments on the proposed rule are due February 26, 2024.

What is CMMC again?

DoD has been developing the CMMC Program for several years now. DoD describes it as a new "assessment mechanism" designed to "ensure defense contractors and subcontractors have … implemented required security measures to expand application of existing security requirements for Federal Contract Information (FCI) and add new Controlled Unclassified Information (CUI) security requirements for certain priority programs."

Basically, CMMC refers to a future DoD program and DFARS clause that will require DoD contractors and subcontractors to demonstrate their continual compliance with numerous cybersecurity measures in order to remain eligible for and win new federal awards. Depending on the data at issue, this may require a self-assessment of compliance with a handful of security measures or obtaining certification from a third-party contractor (or DoD itself) of compliance with more than 100 security measures.

Will CMMC apply to all DoD contracts and subcontracts?

No. CMMC will apply only to "DoD contract and subcontract awardees that will process, store, or transmit information that meets the standards for FCI or CUI on contractor information systems." It will not apply to "government information systems operated by contractors or subcontractors on behalf of the Government."

DoD also notes, however, that under the proposed rule, a "DoD Service Acquisition Executive or a Component Acquisition Executive may elect to waive inclusion of CMMC Program requirements in a solicitation or contract." It remains to be seen how frequently such waivers will be sought or granted, and therefore how likely they are to be applied in practice.

Are there any exceptions for small businesses or commercial items?

There is no exception for small businesses; DoD reasoned that "[t]he value of DoD's sensitive information (and impact of its loss to the Department) does not diminish when it moves to contractors—prime or sub, large or small."

There is, however, an exception for contracts or orders that are exclusively for commercial off-the-shelf (COTS) items or are valued at or below the micro-purchase threshold. There is no exception for commercial item (non-COTS) contracts above the micro-purchase threshold.

"Contractor information system," "FCI," and "CUI" seem like important terms here. How are they defined?

The proposed rule does not define "contractor information system," but it does incorporate the definition of "information system" from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171: "[a] discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information." DFARS 204.7301 defines "[c]overed contractor information system" for the purposes of existing cybersecurity clauses as "an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information."

According to the proposed rule, "[t]he CMMC Program uses the definitions of FCI from FAR 4.1901 and CUI from 32 CFR 2002, which are the definitive sources for these definitions." Thus, DoD summarizes:

Federal Contract Information (FCI): As defined in section 4.1901 of the FAR, FCI means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public, such as that on public websites, or simple transactional information, such as that necessary to process payments.

Controlled Unclassified Information (CUI): 32 CFR 2002.4(h) defines CUI, in part, as information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls, including FCI.

Does CMMC create new security measures for contractors and subcontractors, or is it just a way for DoD to confirm that existing requirements are being followed?

According to DoD's estimates (see here), for more than 99 percent of affected contractors and subcontractors, the CMMC Program rules will not create new security measures. But the CMMC Program will require periodic affirmations—as well as either self-assessments or certifications from a third-party assessor—demonstrating compliance with existing security measures required under Federal Acquisition Regulation (FAR) 52.204-21 (which includes 15 basic security measures) and/or Defense FAR Supplement (DFARS) 252.204-7012 (which incorporates more than 100 security measures from NIST SP 800-171, Rev. 2).

For the remaining 1 percent of affected contractors and subcontractors, CMMC will require implementing multiple new security measures contained within NIST SP 800-172 (but tailored for DoD). As discussed below, by DoD's own estimates, implementing these new security measures will be quite expensive, even before considering the cost of completing and maintaining the relevant assessment/certification.

The assessments and certifications for preexisting security measures are contained within CMMC Level 1 (FAR 52.204-21) and Level 2 (DFARS 252.204-7012), and the new security measures (NIST SP 800-172) are contained in Level 3.

This is hard to visualize. Is there a chart summarizing the new CMMC levels and security measures?

DoD issued the following summary graphic in an "overview" of the new CMMC rule (here):

[Graphic: "CMMC Model 2.0" summary of the three CMMC levels, their source requirements, and assessment types]

How will my company know what CMMC level applies to our DoD contracts or subcontracts?

Federal contractors will have to review each DoD solicitation to know what CMMC level will apply. The proposed rule states that "[p]rogram managers and requiring activities are responsible for identifying the CMMC Level that will apply to a procurement … based on factors including but not limited to" the following:

(1) Criticality of the associated mission capability;

(2) Type of acquisition program or technology;

(3) Threat of loss of the FCI or CUI to be shared or generated in relation to the effort;

(4) Potential for and impacts from exploitation of information security deficiencies; and

(5) Other relevant policies and factors, including Milestone Decision Authority guidance.

For subcontracts, DoD states that "the prime contractor will identify for its subcontractor the required CMMC Level in accordance with [32 C.F.R.] § 170.23 if it is not already defined in the solicitation" and that "[i]f a prime contractor is uncertain about the appropriate CMMC Level to assign when creating a subcontract solicitation, it should consult with the government program office to determine what type of certification or assessment will be required given the information that will flow down." The proposed Section 170.23 of Title 32 of the C.F.R. states:

(a) Procedures. CMMC Level requirements apply to prime contractors and subcontractors throughout the supply chain at all tiers that will process, store, or transmit FCI or CUI on contractor information systems in the performance of the contract or subcontract. Prime contractors shall comply and shall require subcontractor compliance throughout the supply chain at all tiers with the applicable CMMC level for each subcontract as follows:

(1) If a subcontractor will only process, store, or transmit FCI (and not CUI) in performance of the contract, then CMMC Level 1 Self-Assessment is required for the subcontractor.

(2) If a subcontractor will process, store, or transmit CUI in performance of the subcontract, CMMC Level 2 Self-Assessment is the minimum requirement for the subcontractor.

(3) If a subcontractor will process, store, or transmit CUI in performance of the subcontract and the Prime contractor has a requirement of Level 2 Certification Assessment, then CMMC Level 2 Certification Assessment is the minimum requirement for the subcontractor.

(4) If a subcontractor will process, store, or transmit CUI in performance of the subcontract and the Prime contractor has a requirement of Level 3 Certification Assessment, then CMMC Level 2 Certification Assessment is the minimum requirement for the subcontractor.

Beyond those factors, is there any way to predict which CMMC level may apply in a given acquisition?

Yes, knowledge of whether performance on a given program will involve FCI or CUI could be predictive of the CMMC level. DoD explains that "[t]he CMMC Program requirements for Level 1 will apply when the contract effort requires contractors to process, store, or transmit FCI on its unclassified information system," whereas, "[i]f CUI is processed, stored, or transmitted on a contractor information system, a higher level of CMMC compliance or certification is required."

DoD does not provide detailed information regarding how determinations will be made for CUI, stating that "[t]he CMMC Level required to protect CUI (i.e., CMMC Level 2 Self-Assessment … CMMC Level 2 Certification Assessment … or CMMC Level 3 Certification Assessment …) is determined by the Department based upon the sensitivity of the CUI and will be identified in the solicitation." DoD offers that "[t]he requiring activity knows the type and sensitivity of information that will be shared with or developed by the awarded contractor and selects the CMMC Level required to protect the information according to DoD guidance."

How will my company know whether it needs to obtain a CMMC certification from a third party rather than perform a CMMC self-assessment?

As with the CMMC level, whether a third-party certification is required or a self-assessment is permitted will be identified in DoD solicitations.

CMMC Level 1 requires only self-assessment, while Level 3 requires a certification from DoD. In theory, CMMC Level 2 may only require a self-assessment, but in practice, DoD estimated that 95 percent (76,598 of 80,598) of entities performing at CMMC Level 2 will require a certification from a non-DoD third party, rather than a mere self-assessment.

Does the proposed rule address disagreements regarding what CMMC level or assessment/certification should apply to a given procurement?

The proposed rule does not address this issue in detail. Even though "[t]wo commenters requested clarification regarding whether the CMMC Level required by the DoD or a prime contractor could be contested," DoD responded only that "[a]ny questions about the CMMC Level required by the solicitation should be directed to the contracting officer for the affected contractor."

Once CMMC goes into effect, some contractors may file pre-award bid protests challenging the terms of DoD solicitations on one or more legal grounds related to CMMC, including that the contracting officer's CMMC level selection unduly restricted competition in violation of the Competition in Contracting Act of 1984 and the competition requirements in FAR Part 6.

Who will perform the CMMC certifications for my company?

For CMMC Level 2 certifications, the proposed rule contemplates private entities called "CMMC Third-Party Assessment Organizations" (C3PAOs) performing assessments and providing certifications. The C3PAOs will be authorized and accredited by the "Accreditation Body," another private organization (see https://cyberab.org/ for more information on the Accreditation Body).

The proposed rule contains requirements for C3PAOs with regard to national security background checks, foreign ownership, reporting, records management, information protection, quality assurance, and appeals.

Can my company contest a certification company's determination?

Yes, the proposed rule contains a CMMC assessment appeal process. DoD summarizes this process as follows:

Each C3PAO is required to have a time-bound, internal appeals process to address disputes related to perceived assessor errors, malfeasance, and unethical conduct. Requests for appeals will be reviewed and approved by individual(s) within the C3PAO not involved in the original assessment activities in question. OSCs [organizations seeking certification] can request a copy of the process from their C3PAO. If a dispute regarding assessment findings cannot be resolved by the C3PAO, it will be escalated to the Accreditation Body. The decision by the Accreditation Body will be final.

Ultimately, however, DoD states that "[t]he issue of C3PAO liability is between an OSC and the C3PAO with which it contracts to do the assessment." In other words, DoD contractors and subcontractors will have to carefully review the terms of their agreements with C3PAOs to fully understand what remedies may be available in the event of a dispute with a C3PAO.

Does my company need to obtain the relevant CMMC level prior to contract award?

Yes, the proposed rule states that "[c]ontractors must have achieved [the CMMC level stated in the solicitation] or higher, to be awarded the resultant contract." As a result, DoD places the burden of timing compliance on contractors and subcontractors:

Prospective contractors must make a business decision regarding the type of DoD business they wish to pursue and understand the implications for doing so. If an offeror or current DoD contractor or subcontractor has self-assessed then later decides to pursue a contract or subcontract requiring a certification at CMMC Level 2 or 3, it will need to factor in the time and investment necessary to hire a third-party assessment organization and achieve certification as a condition of contract award.

In this regard, DoD noted that it does not intend to delay procurements to wait for contractors or subcontractors to obtain a CMMC assessment or certification: "The CMMC Program rule does not provide mitigations for assessment delays that may impact timeliness of certification or recertification with regard to the closing date of a particular solicitation."

But there is an exception to the general requirement to obtain the designated CMMC level prior to award. For CMMC Levels 2 and 3, under certain circumstances, it is possible for the contractor to obtain a "conditional" certification (or, for Level 2, a conditional self-assessment) with unmet security measures placed on a Plan of Action and Milestones (POA&M) that must be closed out within 180 days. A POA&M is not permitted for CMMC Level 1 self-assessments. Contractors obtaining such a conditional score will be eligible for award of CMMC Level 2- and Level 3-rated DoD contracts.

How much is this going to cost my company?

DoD's proposed rule does not calculate the cost of implementing the security measures in CMMC Levels 1 and 2, on the assumption that DoD contractors and subcontractors should have already implemented them, since compliance with those standards predated the CMMC Program under FAR 52.204-21 and DFARS 252.204-7012.

But DoD does attempt to calculate the cost of obtaining the new assessments/certifications, as well as the cost of the new security measures in CMMC Level 3:

  • Annual cost of CMMC Level 1 assessment and affirmation: $4,042 for other-than-small entities ($5,977 for small entities)
  • Triennial CMMC Level 2 self-assessment and three annual affirmations: $48,827 over three years for other-than-small entities ($37,196 for small entities)
  • Triennial CMMC Level 2 certification and three annual affirmations: $117,768 over three years for other-than-small entities ($104,670 for small entities)
  • Triennial CMMC Level 3 certification and three annual affirmations: $44,444 over three years for other-than-small entities ($12,802 for small entities)
  • CMMC Level 3 nonrecurring engineering costs for implementation and maintenance of the new NIST SP 800-172 requirements: $21,100,000 for other-than-small entities ($2,700,000 for small entities)
  • CMMC Level 3 recurring engineering costs for implementation and maintenance of the new NIST SP 800-172 requirements: $4,120,000 for other-than-small entities ($490,000 for small entities)

Each of DoD's estimates comes with caveats, and industry may well disagree with DoD's projections.

When does DoD anticipate CMMC going into effect?

The proposed rule states that "DoD intends to include CMMC requirements for Levels 1, 2, and 3 in all solicitations issued on or after October 1, 2026, when warranted by any FCI or CUI information protection requirements for the contract effort."

DoD is proposing a "phased approach for the inclusion of CMMC Program requirements in solicitations and contracts." The proposed phases appear below.

(1) Phase 1. Begins on the effective date of the CMMC revision to DFARS 252.204–7021. DoD intends to include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date. DoD may also, at its discretion, include CMMC Level 2 Certification Assessment in place of CMMC Level 2 Self-Assessment for applicable DoD solicitations and contracts.

(2) Phase 2. Begins six months following the start date of Phase 1. In addition to Phase 1 requirements, DoD intends to include CMMC Level 2 Certification Assessment for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of CMMC Level 2 Certification Assessment to an option period instead of as a condition of contract award. DoD may also, at its discretion, include CMMC Level 3 Certification Assessment for applicable DoD solicitations and contracts.

(3) Phase 3. Begins one calendar year following the start date of Phase 2. In addition to Phase 1 and 2 requirements, DoD intends to include CMMC Level 2 Certification Assessment for all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded prior to the effective date. DoD intends to include CMMC Level 3 Certification Assessment for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of CMMC Level 3 Certification Assessment to an option period instead of as a condition of contract award.

(4) Phase 4, Full Implementation. Begins one calendar year following the start date of Phase 3. DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts including option periods on contracts awarded prior to the beginning of Phase 4.

Although the phases purport to provide DoD procuring offices with "discretion" to include the new CMMC clause in preexisting contracts upon option exercise, that approach would render the option invalid under long-standing procurement law. See, e.g., Varo, Inc., ASBCA No. 47945, 96-1 BCA ¶ 28,161 (modification purporting to exercise option and add "eight FAR and DFARS clauses which were not included originally in contract 2278" was invalid). A contractor that continues performing at the government's direction notwithstanding the invalid option exercise would be entitled to an equitable adjustment for the added cost of complying with CMMC. See, e.g., Fluor Fed. Sols., Inc., ASBCA No. 62343, 23-1 BCA ¶ 38,302 (collecting cases).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Venable LLP | Attorney Advertising
