In this series of articles, we explore the different certification requirements of CMMC Levels 1, 2 and 3; the impact on contractors and external service providers; and proposed next steps. Read our Level 1 summary here, our Level 2 summary here and our Level 3 summary here.
On December 26, 2023, the US Department of Defense (DoD) published its long-awaited proposed rule codifying the Cybersecurity Maturity Model Certification (CMMC) Program. The proposed CMMC rule will apply to all DoD contractors and subcontractors that will process, store or transmit Federal Contract Information (FCI)[1] or Controlled Unclassified Information (CUI)[2] on contractor information systems.
In Depth
The proposed CMMC rule does a number of things, including formally establishing the CMMC Program and defining the security controls applicable to each of the three CMMC levels, establishing processes and procedures for assessing and certifying compliance with CMMC requirements, and defining roles and responsibilities for the Federal Government, contractors and various third parties for the assessment and certification process. The proposed CMMC rule achieves these goals through the addition of a new Part 170 to Title 32 of the Code of Federal Regulations.
The proposed CMMC rule does not, however, modify the Federal Acquisition Regulation (FAR) or the DoD FAR Supplement (DFARS). Instead, CMMC-related contractual processes will be addressed in DoD’s DFARS Case 2019–D041, Assessing Contractor Implementation of Cybersecurity Requirements, which will be proposed by DoD in a separate rulemaking.
The proposed CMMC rule generally does not make fundamental changes to the framework of “CMMC 2.0,” which DoD released in November 2021. Proposed 32 C.F.R. § 170.14 codifies the three CMMC levels outlined in CMMC 2.0, which are summarized as follows in an updated CMMC Model Overview included in Appendix A to the proposed CMMC rule:
CMMC Model 2.0

| Level | Model | Assessment |
|---|---|---|
| LEVEL 3 | 110+ requirements based on NIST SP 800-171 & 800-172 | Triennial government-led assessment & annual affirmation |
| LEVEL 2 | 110 requirements aligned with NIST SP 800-171 | Triennial third-party assessment & annual affirmation; triennial self-assessment & annual affirmation for select programs |
| LEVEL 1 | 15 requirements | Annual self-assessment & annual affirmation |
See Cybersecurity Maturity Model Certification (CMMC) Model Overview, Version 2.11 – DRAFT at 4 (Nov. 2023).
CMMC Level 1 is required for contracts and subcontracts that involve the handling of FCI but not CUI. DoD estimates that 63% of the contractors impacted by the proposed CMMC rule will only be subject to CMMC Level 1. The security requirements for CMMC Level 1 remain those set forth in FAR clause 52.204-21(b)(1)(i)-(b)(1)(xv), which currently governs contracts involving FCI. The proposed CMMC rule adds a requirement for a CMMC Level 1 Self-Assessment, which contractors must make in DoD’s Supplier Performance Risk System (SPRS) prior to award of a CMMC Level 1 contract or subcontract. Thereafter, contractors must make an annual affirmation of continued compliance. Importantly, the proposed CMMC rule requires compliance with all CMMC Level 1 requirements at the time of the assessment and does not allow contractors to include a Plan of Action and Milestones (POA&M) to comply with unmet requirements in the future.
CMMC Level 2 is required for contracts and subcontracts that involve the handling of CUI. The security requirements for CMMC Level 2 are identical to the requirements in NIST SP 800-171 Rev 2. DoD estimates that 37% of the contractors impacted by the proposed CMMC rule will be subject to CMMC Level 2. Contractors that have invested considerable resources in preparing for CMMC, including investments in connection with the self-assessments required by DFARS 252.204-7020, should welcome this aspect of the proposed CMMC rule. The proposed CMMC rule generally retains the scoring methodology of DFARS 252.204-7020 but establishes a minimum required score of 88 out of 110. The proposed CMMC rule also continues to allow for POA&Ms to comply with CMMC Level 2 requirements not met at the time of assessment, but it places a number of limits on POA&Ms: POA&Ms are not permitted for a number of controls, are only permitted if a contractor achieves a particular assessment score, and all POA&Ms must be closed within 180 days of the initial assessment. CMMC Level 2 Self-Assessments will continue to be submitted in the SPRS prior to the award of a CMMC Level 2 contract or subcontract.
The proposed CMMC rule distinguishes between CMMC Level 2 Self-Assessments and CMMC Level 2 Certification Assessments. CMMC Level 2 Certification Assessments are issued by CMMC Third-Party Assessment Organizations (C3PAOs) and fulfill one of the primary goals of the CMMC Program—independent verification of contractor compliance with CMMC security requirements. Whether a CMMC Level 2 Self-Assessment or Certification Assessment will apply to a particular contract will be determined by DoD based on the sensitivity of the CUI involved with that contract. Additionally, the phased implementation of the CMMC Program discussed below contemplates that CMMC Level 2 Certification Assessment requirements will not regularly appear in solicitations or contracts until 18 months after the start of implementation. Ultimately, however, DoD estimates that the vast majority of CMMC Level 2 contractors will eventually undergo a Certification Assessment. Certain contractors that previously achieved a perfect score on a Defense Contract Management Agency (DCMA) High Assessment under DFARS 252.204-7020 will be eligible for a CMMC Level 2 Certification for three years from the date of the High Assessment.
For CMMC Level 3, DoD had not previously released specific requirements but had indicated that CMMC Level 3 requirements would be derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172. Table 1 to proposed Section 170.14(c)(4) sets forth the specific requirements for CMMC Level 3, which are all derived from NIST SP 800-172, and identifies various “Organization-Defined Parameters” that can be used to tailor these requirements to a particular situation. The applicability of CMMC Level 3 requirements will be determined by DoD on a contract-by-contract basis based on the sensitivity of the CUI involved in the performance of that contract. DoD estimates that only 1% of the contractors impacted by the proposed CMMC rule will be subject to CMMC Level 3.
CMMC Level 3 assessments are performed exclusively by DCMA. The proposed CMMC rule establishes a scoring methodology for assessing compliance with CMMC Level 3 security requirements and allows POA&Ms for unmet requirements, subject to certain limitations and a general requirement that POA&Ms must be closed within 180 days. To achieve CMMC Level 3, contractors will need to have a perfect CMMC Level 2 score (110) and achieve a score of 20 out of 24 for the additional CMMC Level 3 controls, with each control worth one point.
The proposed CMMC rule contemplates a “phased implementation” in which CMMC requirements will be included in solicitations in four phases over a three-year period:
- Phase 1—0-6 Months: Phase 1 will begin when DFARS 252.204-7021 is finalized as part of DFARS Case 2019–D041 and will last for six months. During Phase 1, DoD will include Level 1 Self-Assessment or CMMC Level 2 Self-Assessment requirements as a condition of contract award and may include such requirements as a condition to exercising an option on an existing contract. During Phase 1, DoD may also include CMMC Level 2 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
- Phase 2—6-18 Months: Phase 2 begins six months after the start date of Phase 1 and will last for one year. During Phase 2, DoD will include CMMC Level 2 Certification Assessment requirements as a condition of contract award for applicable contracts involving CUI and may include such requirements as a condition to exercising an option on an existing contract. During Phase 2, DoD may also include CMMC Level 3 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
- Phase 3—18-30 Months: Phase 3 begins 18 months after the start date of Phase 1 and will also last for one year. During Phase 3, DoD intends to include CMMC Level 3 Certification Assessment requirements for all applicable DoD solicitations and contracts as a condition of contract award, but DoD may delay inclusion of these requirements to an option exercise as it deems appropriate.
- Phase 4—30+ Months: Phase 4 begins 30 months after the start date of Phase 1 and involves the inclusion of all CMMC Program requirements in all DoD solicitations and contracts, including option periods.
Although the phased implementation of CMMC is tied to a DFARS rulemaking for which there is no deadline, the proposed CMMC rule indicates that DoD expects to include CMMC requirements for Levels 1, 2 and 3 in all solicitations issued on or after October 1, 2026.
The proposed CMMC rule contemplates that its requirements will apply to all contracts and subcontracts that require the contractor to process, store, or transmit CUI or FCI on contractor information systems, including contracts for the acquisition of commercial items. Under the proposed CMMC rule, CMMC requirements applicable to subcontractors will be determined based on the level of FCI or CUI the subcontractor will process, store or transmit in performance of the subcontract. The proposed CMMC rule does not apply to contracts under $10,000 (the micro-purchase threshold) and contracts exclusively for commercially available off-the-shelf (COTS) items. CMMC requirements also will not apply to Government information systems operated by contractors; however, as discussed below, certain Government-furnished equipment may be considered a “Specialized Asset” that may be subject to various levels of assessment in connection with a contractor information system. The proposed CMMC rule provides that CMMC program requirements may be waived in accordance with DoD policies and procedures that have yet to be issued.
The proposed rule defines the roles and responsibilities of a number of actors, including:
- DCMA’s Defense Industrial Base Cybersecurity (DIBCAC), which will conduct CMMC Level 2 assessments of the Accreditation Body and C3PAOs, and CMMC Level 3 assessments for contractors (Section 170.7);
- A single Accreditation Body that will authorize and accredit the C3PAOs, oversee the training and certification of individual assessors (Section 170.10) and develop policies for C3PAOs and assessors covering conflicts of interest, professional conduct and ethics (Section 170.8); and
- The C3PAOs that perform CMMC Level 2 Certification Assessments for contractors (Section 170.9), and individual CMMC Certified Assessors that will conduct Level 2 Certification Assessments (Section 170.11).
We will provide more in-depth analysis of the proposed CMMC rule in the weeks to come; however, the following are a handful of issues that caught our eyes immediately:
- Scoping: Proposed Section 170.19 details the “scoping” of each CMMC level assessment to determine which contractor information system assets must be included in a given assessment and the degree to which each asset must be assessed. This aspect of the proposed CMMC rule will be critical for those contractors that seek to achieve compliance with CMMC by establishing a dedicated information system for CMMC-covered contract performance. The scope of a CMMC assessment varies based on the level of certification attempted. For example, “Specialized Assets” (e.g., Internet of Things devices, Government Furnished Equipment, etc.) that normally would not be assessed against CMMC requirements will be assessed against those requirements if the contractor is certifying for Level 3. The scoping provisions in the proposed CMMC rule also define out-of-scope assets that do not need to be assessed for CMMC compliance, including assets that do not process, store or transmit FCI/CUI and do not provide security protections for CUI assets.
- Cloud Service Providers (CSPs): Contractors may also use CSPs without a CMMC certification if that CSP offers a Federal Risk and Authorization Management Program (FedRAMP) Moderate (or higher) cloud environment to process, store or transmit CUI. This environment can be authorized on the FedRAMP Marketplace or can meet security requirements equivalent to those established by the FedRAMP Moderate (or higher) baseline.
- External Service Providers: Except for certain CSPs, external service providers (ESPs), such as Managed Service Providers, Managed Security Services Providers or any organization dealing with CUI or Security Protected Data on behalf of the contractor, must be certified at the same CMMC level as the contractor. Following the effective date of CMMC, a contractor seeking a Level 2 certification will have to use ESPs that are Level 2-certified, including by self-assessment or certification.
- Misrepresentation and False Claims Act risk: Although the CMMC Level 1 and Level 2 security requirements are the same requirements in FAR 52.204-21 and NIST SP 800-171 that contractors have been required to follow for years, the proposed CMMC rule will require all contractors that handle FCI and CUI on their systems—even contractors subject to CMMC Level 1—to make periodic affirmative representations regarding their cybersecurity programs and controls. Contractors must vet these representations carefully, as any potential inaccuracy or ambiguity could generate litigation risk under a variety of criminal and civil laws, including the False Claims Act.
- The Elephant in the Room? The proposed CMMC rule comes at a time when the Government Accountability Office and DoD Inspector General have been critical of both the Government’s and the industrial base’s cybersecurity hygiene. CMMC, of course, does nothing to address deficiencies in Government cybersecurity controls. More fundamentally, CMMC does nothing to address the fundamental uncertainty regarding what constitutes CUI and the widespread overmarking of CUI. For example, we often see emails from Government officials with CUI markings embedded in signature blocks that automatically attach to every email that official sends out—even when the email is sent to private entities and individuals who do not hold a contract subject to CMMC.
Stay tuned for more updates and an in-depth review of CMMC levels in the New Year.
Endnotes
[1] Pursuant to FAR 4.1901, FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.”
[2] Pursuant to 32 C.F.R. § 2002.4(h), CUI is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” CUI does not include classified information, the handling of which is governed by DoD’s National Industrial Security Program Operating Manual Rule at 32 C.F.R. Part 117.