The Department of Defense (DoD) published a Final Rule earlier this month formally implementing the Cybersecurity Maturity Model Certification (CMMC) Program. This Final Rule is the culmination of five years of work to standardize the safeguards that government contractors must implement to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) while also bolstering compliance with these requirements.
(For more background on the road to the Final Rule, please read our earlier blog posts on what we’ve called “CMMC Program Version 2.0.”)
Notably, the CMMC Program does not alter existing cybersecurity safeguarding requirements. Rather, it implements a tiered assessment framework that requires DoD contractors across the Defense Industrial Base (DIB) either to self-assess or to obtain an external assessment of their compliance with DoD cybersecurity requirements at the level designated for the contract, as a condition for receiving a DoD contract or subcontract. Although the CMMC Program will be phased in over a four-year period, most firms with significant DoD contracts will be required to obtain third-party certification and should begin that process promptly, particularly given the limited number of accredited third-party assessors and the resulting backlog.
Background and Implementation Schedule
The CMMC Program was initially launched in 2019 in response to concerns about widespread exfiltration of FCI and CUI from the DIB. DoD published an Interim Rule in September 2020 but went back to the drawing board in November 2021, announcing a streamlined "CMMC 2.0" in response to widespread concerns about the original program's feasibility. DoD finally issued a proposed rule for CMMC last December. The Final Rule codifies the CMMC Program into Title 32, Part 170, of the Code of Federal Regulations (CFR). Parallel rulemaking is underway to codify a CMMC contract clause into the Defense Federal Acquisition Regulation Supplement (DFARS). The final version of the DFARS Rule is expected to be issued in the spring. The contract clause in the DFARS Rule will provide the mechanism for enforcing the certification requirements of the Title 32 rule against contractors.
The CMMC Program will be phased in over a four-year period, beginning when the final version of the DFARS CMMC rule comes into effect. Nonetheless, DoD contracting officers will be permitted to require Level 2, third-party assessment as soon as the phased implementation begins. Additionally, due to uncertainty about which contracts will require external certification at the outset and the length of time required to obtain such certification, prime contractors are likely to require their subcontractors to obtain external certification ahead of schedule. Here are some highlights of the CMMC Program.
Applies to all DoD Contractors
The CMMC Program applies to all DoD contractors, including small business and commercial contractors, and flows down to subcontractors. Additionally, the Final Rule clarifies that foreign companies will be required to comply with CMMC to receive a DoD contract or subcontract.
Only supply contracts that are solely for commercial off-the-shelf (COTS) items are exempt from CMMC.
Three-Tier Assessment Framework
The CMMC Program establishes three different levels of assessment, which are selected by the contracting officer based on the type and sensitivity of information that will be used under the contract.
- Level 1 requires contractors to secure FCI in their information systems by implementing the 15 basic information security controls specified in FAR 52.204-21. Level 1 contractors must self-assess their compliance with these requirements annually and upload the results into the Supplier Performance Risk System (SPRS).
- Level 2 is aligned with DFARS 252.204-7012, which requires contractors to secure CUI in their information systems in accordance with all 110 security requirements of NIST SP 800-171 (Rev. 2) and to report cyber incidents. Level 2 has two assessment types, each conducted on a triennial basis. Most Level 2 contractors must obtain third-party certification from a CMMC Third-Party Assessment Organization (C3PAO), which enters the contractor's results into the Enterprise Mission Assurance Support Service (eMASS). Some Level 2 contractors that handle less sensitive information will be permitted to perform a self-assessment and upload their scores into SPRS.
- Level 3 is aligned with NIST SP 800-172, which adds 24 enhanced security requirements on top of the 110 requirements of NIST SP 800-171 Rev. 2. Level 3 assessments are conducted by the Defense Contract Management Agency's (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). To be eligible for a Level 3 assessment, a contractor must already hold a Level 2 certification from a C3PAO. Level 3 contractors must therefore undergo both Level 2 certification by a C3PAO and Level 3 certification by DIBCAC, each on a triennial basis.
Level 2 and 3 Contractors are permitted to utilize Plans of Actions & Milestones (POA&Ms)
Level 1 contractors must fully comply with the 15 controls specified in FAR 52.204-21; no POA&M is permitted at Level 1. Level 2 and Level 3 contractors that are at least 80% compliant with the controls required at their level may obtain a conditional certification based on a POA&M. Not every requirement can be deferred, however: under the Final Rule's POA&M rules, requirements carrying a higher point value in DoD's scoring methodology (with limited exceptions) must be met at the time of assessment. Contractors with a conditional certification are eligible to receive DoD contracts but must close out their POA&Ms within 180 days or lose their certification. Except for Level 2 contractors that are permitted to self-assess, verification that the POA&M has been closed out must be made by a C3PAO or by DIBCAC, as appropriate.
Subcontractor Compliance and Supply Chain Risk
Prime contractors are required to flow down the CMMC rule at an appropriate level and are ultimately charged with ensuring that subcontractors maintain up-to-date CMMC certificates or self-assessments at the appropriate level before awarding subcontracts.
One challenge is that, unlike size representations, which are publicly accessible in the System for Award Management, CMMC assessment results in SPRS and eMASS are accessible only by the government; a company can view only its own results. Prime contractors will therefore need to obtain proof of compliance directly from their subcontractors and should build that request into their subcontracting and teaming processes.
Annual Affirmations Pose False Claims Act (FCA) Risk
The Final Rule explains that all DoD contractors with a CMMC status must annually affirm their continuing compliance with the applicable security controls. Such affirmations must be made by an "Affirming Official," a senior figure charged with ensuring compliance with applicable cybersecurity requirements. Inaccurate affirmations, particularly by companies that are permitted to self-assess, may create risk of liability under the FCA.
Additionally, the Final Rule warns that “[a] new CMMC assessment may be required if significant architectural or boundary changes are made to the previous Assessment Scope. Examples include, but are not limited to, expansions of networks or mergers and acquisitions.” Accordingly, if such a change occurs, the Affirming Official should not reaffirm compliance until a new assessment has been performed. Erroneous reaffirmation of compliance could also trigger liability under the FCA.
Next Steps
Third-party certification by C3PAOs will be available beginning in December. Due to the backlog in accredited C3PAOs (particularly for foreign entities), contractors with significant DoD contracts should consider getting in line as soon as possible.
Subcontractors potentially face an even more pressing timeframe. Although the CMMC Rule requires compliance at the time of award (not at the time of offer), contractors without external certification at the time of offer are unlikely to obtain it by the time of award unless they initiated the process months before submitting their proposals. Accordingly, prime contractors will likely require prospective subcontractors to have certification in hand as a prerequisite for teaming.
In the meantime, contractors that have already performed self-assessments should take a second look at their compliance before seeking external certification. It is widely recognized that contractors that perform self-assessments without specialized assistance frequently overscore themselves, which is one reason for DoD's push toward external certification. Such contractors should expect to invest significant time and resources to achieve third-party certification.
Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.