In this series on the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule, we have discussed the rule’s implementation timeline and the basics of CMMC Level 1. In this post, we discuss the basics of CMMC Level 2.
What contracts will be subject to CMMC Level 2?
CMMC Level 2 will apply to all DoD contracts where the contractor will receive Controlled Unclassified Information (“CUI”), except contracts that are purely for commercially available off-the-shelf (“COTS”) items. CUI is information that requires safeguarding or dissemination controls pursuant to applicable laws, regulations, and government-wide policies. The Government currently recognizes 20 categories of CUI, all of which are listed on the National Archives website. Those CUI categories include information related to defense, export-controlled information, intelligence, and procurements. While not as prevalent as Federal Contract Information, CUI is still often used in the performance of DoD contracts and DoD estimates that approximately 36 percent of defense contractors will obtain a CMMC Level 2 verification once the rule has gone into full effect.
What are the requirements of CMMC Level 2?
DoD’s proposed CMMC rule recognizes two types of CMMC Level 2 verification:
(1) CMMC Level 2 Self-Assessment: Contractors assess their information systems against NIST SP 800-171 rev. 2, uploading self-assessment scores to the Supplier Performance Risk System (“SPRS”).
(2) CMMC Level 2 Third-Party Certification: Certified Third-Party Assessor Organizations (“C3PAO”) assess the information systems and submit the results through the CMMC Enterprise Mission Assurance Support Service (“eMASS”).
If the information systems meet all security requirements, then the contractor has achieved a “CMMC Level 2 Final Self-Assessment” (for the self-assessment option) or a “CMMC Level 2 Final Certification Assessment” (for the third-party certification option). If certain security requirements are not met, then the contractor will have a “conditional self-assessment” or “conditional certification” and must submit a Plan of Action and Milestones (“POA&M”) explaining how it will implement the remaining security requirements. The contractor must then implement and close out the POA&Ms within 180 days. The contractor is eligible for DoD CMMC Level 2 contracts as long as its conditional assessment/certification remains active. If the contractor fails to close out the POA&Ms within 180 days, then its conditional status expires, and the contractor is ineligible for CMMC Level 2 contracts.
A final CMMC Level 2 verification (self-assessment or certification) is valid for three years. A contractor “senior official” must affirm continuing compliance with CMMC Level 2 requirements through SPRS on an annual basis.
Does CMMC Level 2 apply to subcontractors?
CMMC Level 2 applies to all subcontractors, at all tiers, if those subcontractors will store, process, or transmit CUI through their information systems. If a subcontractor can perform without CUI, then it may be able to get by with just a CMMC Level 1 verification or could potentially avoid having to comply with CMMC altogether. Whether a subcontractor must comply with CMMC Level 2, or any other CMMC Level, will depend, in large part, on what types of information the prime provides to the subcontractor.
When will DoD begin incorporating CMMC Level 2 requirements into contracts?
The CMMC Level 2 self-assessment will become a condition for contract award when the final CMMC rule goes into effect, which is expected in late 2024 or early 2025. DoD expects that compliance will be straightforward since DFARS 252.204-7012 and -7019 already require contractors to comply with NIST SP 800-171 rev. 2, assess their information systems for compliance, and upload the results of that assessment to SPRS. The only additional step contractors will need to take to complete the CMMC Level 2 self-assessment is to upload an affirmation to SPRS.
The CMMC Level 2 third-party certification will become a condition for contract award six months after the CMMC rule goes into effect (i.e., DoD will begin including CMMC Level 2 certification requirements in new contracts that involve the processing, storage, or transmission of CUI). One year later, DoD agencies will begin amending applicable contracts that were awarded prior to the CMMC rule’s effective date to require CMMC Level 2 certifications. Some DoD contracts will still only require a CMMC Level 2 self-assessment, but we expect that most contracts involving CUI will require a CMMC Level 2 third-party certification once the rule is fully implemented.