Defense contractors and their subcontractors and supply chains that have been preparing for the challenge of complying with the Cybersecurity Maturity Model Certification (CMMC) recently received some welcome news from the U.S. Department of Defense (DoD): DoD is revamping the strategic direction of CMMC via a new “CMMC 2.0” framework that provides additional flexibility to the defense supply chain in how it addresses the cybersecurity requirements for defense contracts. That additional flexibility includes the ability to self-certify compliance in some circumstances, as opposed to obtaining third-party certifications, and to use Plans of Action and Milestones (commonly referred to as POA&Ms) to address certain requirements that a contractor has not yet achieved as of the date of contract award. While this enhanced flexibility is good news for contractors, it does carry increased risk given the U.S. Department of Justice’s recent announcement of a new “Civil Cyber-Fraud Initiative” that will place increased focus on potential false claims related to a federal contractor’s compliance with contractual cybersecurity and cyber incident reporting requirements. In this article, we discuss the significant changes announced in the new CMMC 2.0 framework and the impact of those changes on companies performing — or seeking to perform — defense contracts, including as subcontractors or suppliers.
Fewer Levels and Cybersecurity Requirements
“CMMC 2.0,” as DoD has branded its revised CMMC framework, reduces the number of certification levels from five to three: Level 1 (Foundational), for contractors who will access only federal contract information; Level 2 (Advanced), for contractors who will access controlled unclassified information (CUI); and Level 3 (Expert), for contractors who will access CUI and will work on programs of the highest priority for DoD. The new Level 1 will correspond to prior Level 1, while the new Level 2 will correspond to prior Level 3, and the new Level 3 will correspond to prior Level 5.
Additionally, CMMC 2.0 eliminates all CMMC-unique practices, meaning that for CMMC 2.0 Levels 2 and 3, the required cybersecurity practices will all come from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and NIST SP 800-172 (formerly known as Draft NIST SP 800-171B). Specifically, CMMC 2.0 Level 2 will require compliance with 110 cybersecurity practices that are aligned with the NIST SP 800-171, which many DoD contractors already are required to implement under DFARS clause 252.204-7012. The corresponding level under CMMC 1.0 would have required contractors to comply with the 110 NIST SP 800-171 practices plus 20 other practices and three processes. In addition, CMMC 2.0 Level 3, which is currently under development, will be based on a subset of NIST SP 800-172 requirements, in addition to requiring compliance with all 110 cybersecurity practices that are aligned with NIST SP 800-171. The corresponding level under CMMC 1.0 would have required contractors to comply with additional practices that did not originate from NIST SP 800-171 or NIST 800-172 plus five processes.Thus, CMMC 2.0 both reduces the number of required cybersecurity practices and fully aligns those requirements with NIST SP 800-171 and NIST SP 800-172, as applicable.
Self-Assessments Now Possible for Some Contractors, But Carry Risks
CMMC 2.0 also relaxes the prior requirement that all DoD contractors, subcontractors, and suppliers undergo, and pass, assessments by CMMC Third-Party Assessment Organizations (C3PAOs) to achieve CMMC certification. Under CMMC 2.0, all companies at Level 1 and a subset of companies at Level 2 can demonstrate compliance with their respective CMMC level through annual self-assessments made by a senior official of the company.
Under Level 2, self-assessment will be permitted for “non-prioritized acquisitions.” DoD will determine on a contract-by-contract basis whether the data at issue in the contract will render the contract a “prioritized acquisition.” The ability to perform self-assessments for Level 1 and many contracts under Level 2 should reduce the cost of the assessment process for companies that can do a self-assessment instead of engaging a C3PAO. For “prioritized acquisitions” that require CMMC Level 2, contractors will continue to need to be certified by C3PAOs every three years.
While the ability to rely on self-assessments rather than third-party certifications affords greater flexibility to defense contractors and suppliers, DoD’s plan to implement the self-assessment through the attestation of a senior company official will heighten the risk of allegations that the contractor’s self-attestation constituted a false claim if the self-attestation is later determined to have been inaccurate. False claims can subject a contractor to treble damages and stiff statutory penalties per claim under the False Claims Act. With the recent launch of its new Civil Cyber-Fraud Initiative, the U.S. Department of Justice has announced its intent to use the False Claims Act to “hold accountable entities or individuals that put U.S. information or systems at risk by . . . knowingly misrepresenting their cybersecurity practices or protocols,” increasing the likelihood of enforcement of the False Claims Act in the context of CMMC self-attestations. Further, whistleblowers can bring suit on behalf of the government under the False Claims Act and share in the recovery. In addition, submission of false claims constitute federal crimes. In light of those increased civil and criminal enforcement risks, some contractors otherwise eligible to self-attest their cybersecurity practices may instead elect to rely on third-party certifications. Entities who perform third-party certifications could then face False Claims Act exposure if their certifications are false, causing the contractor to submit false claims.
Moreover, contractors that intend to pursue CMMC Level 2 contract (or subcontracting) opportunities will likely want to undergo an assessment by a C3PAO in case DoD designates a key Level 2 opportunity as a “prioritized acquisition” requiring third-party certification. Unless DoD identifies clear criteria for determining what is a “prioritized acquisition,” potential offerors that only wish to self-assess at Level 2, or cannot complete a C3PAO assessment by the time proposals are due, might consider filing pre-award protests objecting to the classification of a procurement as a “prioritized acquisition.” DoD also has not yet clarified whether prime contractors can allow subcontractors to self-assess at a Level 2 when the prime contract is considered a “prioritized acquisition” that requires a C3PAO assessment.
For CMMC Level 3, assessments will be performed by government officials, and not by C3PAOs, every three years. The Level 3 assessments will work similarly to the “High Assessment” required for certain existing contracts under DFARS 252.204-7020.
POA&Ms Permitted as Temporary “IOUs” for Certain Requirements
DoD stated that CMMC 2.0 will allow for greater flexibility in implementation, as DoD would allow companies, under certain limited circumstances, to adopt POA&Ms to achieve certification. DoD’s intent is to specify certain of the cybersecurity practices as the “baseline” the contractor must meet prior to contract award but to afford the contractor the ability to meet the remaining requirements “within a clearly defined timeline.” This change would eliminate the strict pass/fail nature of CMMC 1.0, under which failure to have achieved a single one of the required security controls would preclude certification. DoD expects the POA&Ms to be in place for a fixed time period, such as up to 180 days, at which point the contractor must meet all of the applicable CMMC practices or face contractual remedies. DoD also intends to identify a subset of CMMC practices so fundamental that they cannot be met with POA&Ms.
When Do Companies Need to Comply With CMMC 2.0?
In 2020, DoD issued an interim rule to begin the phased implementation of the CMMC 1.0 requirements into DoD contracts. DoD’s announcement of CMMC 2.0 effectively hits the “reset” button on that rulemaking, as DoD announced that CMMC 2.0 will be implemented through its own yet-to-be-issued interim rule. DoD estimates that the CMMC 2.0 rulemaking process will take between nine and 24 months. Presumably, this means all contractors will need to prepare for CMMC 2.0 compliance by November 2023, at the latest.
Until the CMMC 2.0 rulemaking is complete, DoD will not include a CMMC requirement in any DoD solicitations. DoD has said it is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC 2.0 Level 2 certification in the interim period before CMMC 2.0 is mandatory, but until C3PAOs can be certified for CMMC 2.0, achieving CMMC 2.0 Level 2 can only be achieved through self-assessment.
What Should DoD Contractors, Subcontractors, and Suppliers Do Now?
With DoD’s recent announcement about CMMC 2.0, DoD has effectively kicked the can down the road for DoD contractors to achieve CMMC certification, and eliminated the need for C3PAO assessments for many DoD contractors. Going forward, DoD contractors, subcontractors, and suppliers should take the following steps to prepare for the eventual rollout of CMMC certification:
-
Watch for announcements about proposed rulemakings with respect to CMMC;
-
Monitor DoD’s CMMC website for detailed information about the CMMC 2.0 framework, which DoD intends to provide by the end of November 2021;
-
Perform NIST SP 800-171 self-assessments as required by DFARS 252.204-7020;
-
Maintain the cybersecurity standards identified in the company’s NIST SP 800-171 self-assessment, which will prepare the company for CMMC 2.0 Level 2 (if necessary);
-
If the company anticipates needing a CMMC 2.0 Level 3 certification in the future, review the detailed information about CMMC 2.0 Level 3 when it is released to determine any steps needed to meet CMMC 2.0 Level 3 requirements; and
-
Review and strengthen compliance programs to ensure False Claims Act compliance, including robust policies and practices for handling whistleblower complaints that could become False Claims Act suits if not handled well.