Ready or Not, CMMC Is Here: DoD Issues Final Rule Establishing Contract Clauses Implementing CMMC Program

BakerHostetler

Key takeaways

  • The Department of Defense has published in the Federal Register the long-awaited Cybersecurity Maturity Model Certification Final Rule, which will become effective on Nov. 10.
  • The certification requirements will start appearing in select solicitations before the end of the year and in all DoD solicitations requiring FCI or CUI by Nov. 10, 2028, but several prime contractors are already demanding compliance from their subcontractors.
  • Contractors and subcontractors should start pursuing certification in accordance with the Final Rule as soon as possible to avoid delays and lost opportunities.

The wait is over. Five years after the Department of Defense (DoD) first introduced the Cybersecurity Maturity Model Certification (CMMC) program, the companion Final Rule was published in the Federal Register on Sept. 10. The Final Rule will become effective 60 days after being published – on Nov. 10 – at which time it will start to appear in select solicitations.

According to the Pentagon, the Final Rule will ensure defense procurements “include CMMC assessment requirements that ensure defense contractors properly safeguard [DoD’s] Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).” The DoD’s chief information officer stated that the U.S. expects vendors “to put U.S. national security at the top of their priority list.” Compliance with cyber standards and achieving CMMC show “vendors are doing exactly that.”

CMMC Background and Important Requirements

The CMMC program is governed by a prior final rule at 32 C.F.R. Part 170 effective as of Dec. 16, 2024. As both the new rule and the prior rule explain, CMMC verifies that defense contractors meet the DoD’s obligations to protect CUI by meeting standardized cybersecurity requirements. Requirements vary depending on the level of CMMC certification required. The program has three levels, with escalating security requirements:

  • LEVEL 1: Contractors must complete an annual self-assessment to verify compliance with 15 security requirements found in Federal Acquisition Regulation (FAR) 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems. Contractors must affirm compliance via the Supplier Performance Risk System (SPRS). The DoD estimates that when CMMC is fully operational, approximately 209,540 companies will need Level 1 assessments.
  • LEVEL 2: Contractors must implement the 110 security requirements specified by Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting. The security requirements are based on the National Institute of Standards and Technology (NIST) Special Publication 800-171. Depending on whether the acquisition involves information critical to national security, contractors will have to either perform a self-assessment or have a certified third-party assessment organization (C3PAO) complete an assessment. We expect, however, that few solicitations will require only a self-assessment. The DoD estimates that when CMMC is fully operational, roughly 6,760 companies will need Level 2 self-assessments and 118,290 will need Level 2 C3PAO assessments.
  • LEVEL 3: Contractors must meet all Level 2 requirements plus 24 NIST SP 800-172 security requirements. Every three years, contractors must pass an assessment by the Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center. The DoD estimates that when CMMC is fully operational, only 3,380 companies will need Level 3 assessments.

Beginning Nov. 10, when the Final Rule goes into effect, contracting officers must include the appropriate DFARS clause in solicitations identifying the CMMC level required for a contractor – and its subcontractors – to receive an award as well as the appropriate DFARS clause in the contracts themselves imposing requirements for ongoing CMMC compliance.

Specifically, the latest Final Rule adds two new DFARS clauses, which allow the DoD to incorporate the CMMC requirements in solicitations and contracts:

  • DFARS 252.204-7025 – Notice of Cybersecurity Maturity Model Certification Level Requirements will be included in all solicitations that include DFARS 252.204-7021 (see below) to ensure offerors disclose their applicable information systems and prove they meet the required CMMC level before contract award. The contracting officer will specify the required CMMC level. The offeror must have a current CMMC status at that level or higher and submit an affirmation of continuous compliance.
  • DFARS 252.204-7021 – Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements will be included in all contracts except those solely for the acquisition of commercially available off-the-shelf (COTS) items if the program office or requiring activity determines that the contractor is required to have a specific CMMC level and imposes ongoing contractual obligations on awardees to maintain CMMC compliance for the duration of the contract. The clause also requires contractors to update the affirmation of continuous compliance in SPRS annually and provides guidance on the flow of CMMC requirements down to subcontractors.

Significant Changes from Proposed Rule

The Final Rule made several key changes and clarifications of the proposed rule based on public comments:

  • Contractors are not required to notify the contracting officer about lapses in information security or changes in compliance. The Final Rule confirms that notifications regarding security incidents and the annual self-assessment are sufficient to protect DoD information.
  • The Final Rule confirmed that CMMC does not apply to contracts exclusively for COTS items as defined in FAR 2.101.
  • Prime contractors cannot view subcontractors’ CMMC certificates or self-assessment information within SPRS. The Final Rule confirms that prime contractors must obtain such information directly from subcontractors to facilitate business teaming arrangements.
  • The Final Rule replaces the term “senior company official” with “affirming official” consistent with 32 C.F.R. Part 170.

CMMC Phased Rollout

CMMC implementation will be phased into DoD contracts over several years. Starting Nov. 10, contracting officers will include DFARS 252.204-7021 and 252.204-7025 in select solicitations and contracts as directed by the applicable program office. At the same time, contracting officers will have the discretion to modify existing contracts to incorporate the new CMMC clauses with appropriate consideration. By Nov. 10, 2028, the clauses must be included in all solicitations and contracts requiring contractors to process, store or transmit FCI or CUI.

Key Takeaways for Contractors

  1. Efforts To Comply with CMMC Are Already Overdue. The best time for contractors to start ensuring CMMC compliance was five years ago. The second-best time is now. The Final Rule makes clear that contracting officers cannot award, extend or exercise contract options for contracts involving the use, receipt or processing of FCI or CUI unless the contractor has a current CMMC status in SPRS at the required level. Indeed, some large prime contractors have already started requiring subcontractors to be in CMMC compliance in anticipation of the now-published DFARS clauses.

    Defense contractors that currently receive or anticipate receiving CUI as part of contract or subcontract performance should be particularly proactive in ensuring CMMC compliance due to a significant C3PAO shortage. Those contractors will need to achieve a Level 2 (C3PAO) certification. While there are an estimated 80,000 contractors expected to obtain Level 2 CMMC certification by the end of 2026, there are only 80 fully authorized C3PAOs. Accordingly, contractors requiring third-party assessments should start identifying a C3PAO as soon as possible and begin preliminary preparations to assess audit readiness.
  2. Understand FCI and CUI. The CMMC obligations – and the underlying cybersecurity obligations themselves – are triggered by the receipt and processing of CUI and FCI. The definition of CUI is frustratingly broad – a fact made worse by a trend of overmarking of information as CUI for fear of leaving CUI unmarked. Contractors should take time and work with contracting officers to understand what received information is actually CUI and whether the contract or potential subcontracts can be performed without CUI.
  3. Know Your Supply Chain. The CMMC requirements flow down to any lower-tiered entity that is also receiving CUI or FCI. The DoD has taken a hands-off approach with regard to a prime contractor’s validation of subcontractor cybersecurity. It has taken a similarly hands-off approach with regard to dictating the roles and responsibilities of subcontractors on the grounds that these are matters of subcontract administration to which the DoD lacks privity. Even so, prime contractors must ensure that subcontractors provide adequate evidence and certification of their cybersecurity compliance and CMMC status.
  4. Be Aware of False Claims Act (FCA) Liability. On the one hand, CMMC creates no new cybersecurity obligations. Contractors subject to DFARS 252.204-7012 have been required to comply with the same controls that are being assessed by CMMC. On the other hand, CMMC, through the required assessment process, increases the likelihood that contractors and potential whistleblowers will identify past noncompliance actionable under the FCA. It also creates risk that future express or implied certifications might be objectively false or viewed as such by the government or potential whistleblowers. Both raise the prospect of FCA liability, and as a result, companies should work with experienced counsel to mitigate FCA exposure as they pursue CMMC gap assessments and audits as well as to prospectively address the significant suspension and debarment risks arising from perceived misconduct. At the same time, CMMC will provide a blanket of protection for contractors relying on third-party assessments. As long as a contractor is forthcoming and transparent with its auditor, the contractor’s reliance on the third-party assessment will make it difficult to prove the requisite scienter under the FCA.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© BakerHostetler
