On December 26, the Department of Defense issued its proposed rule for the Cybersecurity Maturity Model Certification  (CMMC) 2.0 program, which covers federal contracts (including defense contracts) and, by extension, federal contractors. Although the DoD has long required defense contracting entities to safeguard sensitive information, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), the CMMC Rule creates a new certification requirement for handling CUI intended to assess how well a contractor or subcontractor implements the required information security controls.

The Rule, which codifies and clarifies the CMMC three-tiered structure, outlines both the scope and the requirements for the Rule’s mandated assessments. The requirements for all three tiers are detailed in 32 CFR § 170.14. Which level the DoD will expect a contractor or subcontractor to implement will depend on the type and sensitivity of the information that needs protection.

The Rule incorporates a number of materials by reference:

• FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006
• FIPS PUB 201–3, Personal Identity Verification (PIV) of Federal Employees and Contractors, January 2022
• SP 800–37, revision 2, Risk Management Framework for Information Systems and Organizations, December 2018
• SP 800–39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011
• SP 800–53 revision 5, Security and Privacy Controls for Information Systems and Organizations, September 2020 (includes updates as of Dec. 10, 2020)
• SP 800–82 revision 2, Guide to Industrial Control Systems (ICS) Security, June 3, 2015; updated November 10, 2018
• SP 800–115, Technical Guide to Information Security Testing and Assessment, September 2008
• SP 800–160, Volume 2, revision 1, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, December 2021
• SP 800–171 revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, February 2020 (includes updates as of January 28, 2021)
• SP 800–171A, Assessing Security Requirements for Controlled Unclassified Information, June 2018
• SP 800–172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800–171, February 2021
• SP 800–172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, March 2022

The foregoing may all be obtained online from the National Institute of Standards and Technology at https://csrc.nist.gov/publications/. Additional material incorporated by reference:

• Committee on National Security Systems Instruction No. 4009, Committee on National Security Systems (CNSS) Glossary, March 2022; available online at cnss.gov/CNSS/issuances/Instructions.cfm.
• ISO/IEC 17011:2017, Conformity assessment—Requirements for accreditation bodies accrediting conformity assessment bodies, 2017
• ISO/IEC 17020:2012, Conformity assessment—Requirements for the operation of various types of bodies performing inspection, 2012
• ISO/IEC 17024:2012, Conformity assessment—General requirements for bodies operating certification of persons, 2012

The last three references may be obtained from the International Organization for Standardization (ISO), online at www.iso.org/popular-standards.html.

These various references form the basis for various standards set forth in the Rule.

Once adopted, the Rule will become active in a four-phase approach, with phase 1 becoming effective immediately, phase 2 becoming effective six months after the start of phase 1, phase 3 to take effect one year from the beginning of phase 2, and phase 4 (full implementation) to become operative one year from the launch of phase 3.

In general, the DoD will determine which tier is applicable for a given procurement. Specifically, program managers are responsible for identifying the tier that applies to their procurement. Notably, the CMMC 2.0 program does not alter or supplant any separately applicable requirements to safeguard FCI or CUI.

Various cyber security requirements will apply, based on which tier relates, and portions of the Rule are directed to establishment and/or certification of an array of governing entities that will assist in management of the CMMC 2.0 program. Such entities include an Accreditation Body, third-party assessment organizations (C3PAOs—yes, really), a CMMC Assessor and Instructor Certification Organization (CAICO), CMMC Certified Assessors (CCAs), CMMC Certified Instructors (CCIs), and CMMC Certified Professionals (CCPs).

Tier 1 Requirements

Tier 1 self-assessment and affirmation requirements are specified in § 170.15. It is estimated that around 63% of contractors and subcontractors governed by the Rule will only have to comply with Tier 1 requirements. Once the Rule is effective, self-assessment and affirmation requirements must be met prior to the award of any contract or subcontract.

Tier 1 involves both a self-assessment and an affirmation that can be carried out by the contractor or subcontractor. The self-assessment and affirmation are based on compliance with fifteen explicitly listed security controls (technically seventeen, since one of the controls is divided into three phases), and must be performed on an annual basis. Assessment and affirmation are on a pass/fail basis; all specified security requirements must be met for a valid self-assessment.

The results of each assessment are to be submitted through DoD’s Supplier Performance Risk System (SPRS), including the CMMC tier level, assessment date and scope, and compliance result. Failure to achieve and/or maintain compliance with Tier 1 standards could result in revocation of validity of the self-assessment, or invocation of standard contractual remedies, and might make the noncompliant contractor or subcontractor ineligible for further contract or subcontract awards until a valid self-assessment is obtained.

The controls are taken from FAR 52.204-21: specifically, clauses (b)(1)(i) through (b)(1)(xv). Compliance assessment is based on the objectives outlined in NIST SP 800-171A. Where NIST SP 800-171A addresses CUI, it should be applied equally to FCI.

Tier 2 Requirements

Tier 2 of the CMMC tiered structure requires the implementation of NIST SP 800-171 (Rev. 2) security requirements. Tier 2 requirements are specified in § 170.16 (self-assessment and affirmation) and § 170.17 (certification assessment and affirmation). As these sections indicate, in some situations a contractor or subcontractor seeking assessment may administer a self-assessment. For other situations, a third-party assessment and/or certification is necessary.

For self-assessments under § 170.16, the procedures are substantially similar to those for Tier 1 self-assessments and affirmations, with a few differences:

1. The contractor or subcontractor only has to perform the self-assessment on a triennial basis.
2. The affirmation, however, must still be submitted annually.
3. Though a final self-assessment requires the contractor to meet all security requirements on a pass/fail basis, similar to Tier 1, a conditional self-assessment is allowed where it results in a Plan of Action and Milestones (POA&M) for full compliance. The POA&M must be closed out within 180 days, or the conditional self-assessment status will expire.
4. As with Tier 1 self-assessments, compliance assessment is based on the objectives outlined in NIST SP 800-171A, as well as Tier 2 scoping requirements set forth in 170-19(a) and (c).
5. Cloud service providers are permitted where such providers are authorized or otherwise meet or exceed Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline requirements.

With regard to certification assessments under § 170.17, the process is similar to self-assessments under § 170.16, except that the assessments and certification are obtained from an authorized or accredited C3PAO. Likewise, conditional certification assessments are available with a POA&M, which must be closed out within 180 days, or the conditional certification will expire. The POA&M must be closed out by a C3PAO. One notable difference is that, where a given security requirement is not met, it may be re-evaluated during the assessment process and for 10 business days following the same, provided that additional evidence is available to indicate the requirement has been met, the effectiveness of other met requirements are not changed or otherwise limited, and an assessment findings report has not yet been delivered.

Artifacts that provide evidence of the assessment must be retained by the evaluated contractor or subcontractor for the duration of the certification validity, but in any case no less than six years from the date of certification. The artifacts must be safeguarded from alteration.

Tier 3 Requirements

Tier 3 of the CMMC tiered structure requires the implementation of select NIST SP 800-172 requirements as well as NIST SP 800-171 (Rev. 2) security requirements, subject to DoD-specified parameters. Tier 3 requirements are specified in § 170-14(c)(4), which includes a table that details each security requirement with reference to the relevant portions of NIST SP 800-172 and associated DoD requirements. Certification assessment and affirmation requirements are specified in § 170.18. There are no provisions for self-assessments and self-affirmations for Tier 3.

Tier 3 requires assessment and certification by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC). The procedures and requirements are comparable to Tier 2 certification assessments under § 170.17. Moreover, a contractor or subcontractor must meet both Tier 2 and Tier 3 security requirements for Tier 3 compliance. Tier 2 compliance, as discussed above, may be performed by a C3PAO as a prerequisite to obtaining the Tier 3 assessment and certification from DCMA DIBCAC. The scope of the Tier 2 assessment must be the same as the Tier 3 assessment; note that scoping requirements may differ for each CMMC tier. If DCMA DIBCAC determines that not all Tier 2 requirements are met, it may terminate or place on hold the Tier 3 assessment process.

Scoping

Regardless of the tier level, for any assessment and affirmation or certification, the assessment scope must be determined and specified prior to assessment, per the requirements of § 170.19. Information systems outside of the determined scope do not have to be assessed or documented. For Tier 1 assessments, systems deemed in scope are any systems “which process, store, or transmit FCI.” Various named specialized assets that cannot be fully secured but may process, store, or transmit FCI are exempted from Tier 1 scope, such as IoT devices and Government-Furnished Equipment.

As suggested above, for Tier 3 assessments a Tier 2 assessment must be accomplished. In such cases, the Tier 2 scope must be equal to or greater than the Tier 3 scope; which is to say, the Tier 3 scope must be a subset of the Tier 2 scope.

Links to DoD guides regarding Tier 1 and Tier 2 scoping (Tier 3 would be subsumed into Tier 2), as well as guides for assessments for all tiers, may be found here: https://dodcio.defense.gov/CMMC/Documentation/.

Affirmation requirements are set forth in § 170.22.

The effectiveness of the Rule is currently tied to the finalization of CMMC revisions to DFARS 252.204-7021. The comment period for the Rule is open until February 26, 2024. Any individuals or organizations concerned about the requirements imposed by the Rule are encouraged to submit comments during the comment period.