LawFlash

DOD Finalizes Cybersecurity Maturity Model Certification Program Requirements

21. November 2024

The US Department of Defense (DOD) finalized a rule that takes the next steps toward fully implementing the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. This rule formalizes compliance requirements that will soon be a prerequisite for most contractors and subcontractors that wish to support defense contracts. Contracting officers will begin incorporating these compliance requirements once a new Defense Federal Acquisition Regulation Supplement (DFARS) clause is finalized next year.

The final rule implements DOD’s December 2023 proposed rule by publishing regulations that establish the requirements for the CMMC 2.0 program. While the final rule does not introduce significant surprises to the long-anticipated CMMC 2.0 program, it does add nuance to program requirements and helps provide clarity for contractors seeking to prepare for implementation. Noteworthy changes include added detail to flowdown requirements and refinements to the four-phased timeline for program implementation.

Despite those changes, DOD notably refrained from revising or expanding the definition of Controlled Unclassified Information (CUI). CUI is defined only as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” Although DOD maintains a CUI registry that lists certain categories of information that are considered CUI, the registry is not exhaustive. As a result, the vague definition of CUI that the final rule declined to expand continues to provide limited assistance to contractors that are uncertain about whether the information they process, store, or transmit is subject to CMMC requirements.

THE CMMC 2.0 PROGRAM

CMMC 2.0 establishes a three-level compliance program that assigns cybersecurity safeguarding and certification requirements to contractors based on the nature of information they handle when supporting government work:

Level 1

The “foundational” CMMC 2.0 level prescribes compliance requirements for contractors that handle Federal Contract Information (FCI), which is any information not intended for public release that is provided by or generated for the government under a government contract. Generally, compliance requires implementing Federal Acquisition Regulation 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). Contractors that handle FCI will be required to complete annual self-assessments and affirmations regarding compliance with Level 1 cybersecurity requirements.

Level 2

The “advanced” CMMC 2.0 level prescribes compliance requirements for contractors that handle CUI. Generally, at this level, contractors must implement the NIST 800-171 requirements, an existing obligation for contractors subject to DFARS 252.204-7012. Contractors may be required to perform a self-assessment of compliance or may be required to secure assessment by a CMMC Third Party Assessor Organization (C3PAO). Whether a contract will require a contractor to obtain Level 2 Self-Assessment or Level 2 C3PAO status will depend on the type of CUI that the contract involves.

Level 3

The “expert” CMMC 2.0 level prescribes compliance requirements for contractors that handle CUI and support the government’s most critical programs and technologies. At this level, contractors will be required to comply with NIST 800-171 and 800-172, undergo review by the DOD Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and provide a certification of compliance with cybersecurity requirements.

CLARIFIED FLOWDOWN REQUIREMENTS

As noted above, while the final rule largely tracks industry expectations and makes minimal departures from DOD’s December 2023 proposed rule, DOD did provide additional elucidatory guidance in response to industry comments, including clarifying flowdown expectations. In the December 2023 proposal, DOD suggested that certain external service providers (ESPs) would be required to obtain Level 2 certifications. In the final rule, DOD removed that broad requirement and noted that ESPs that are not cloud service providers (CSPs) and do not process, store, or transmit CUI will not be required to complete a CMMC assessment or certification.

While DOD’s revision generally reduces the compliance burden for ESPs, DOD confirmed that ESPs that process, store, or transmit CUI must complete a CMMC assessment to ensure their compliance with safeguarding requirements. And all ESPs that are CSPs and process, store, or transmit CUI must meet the Federal Risk and Authorization Management Program (FedRAMP) requirements outlined in DFARS 252.204-7012.

DOD also confirmed that CMMC requirements must be flowed down broadly to subcontractors, specifying the minimum flowdown requirements for subcontractors that will process, store, or transmit FCI or CUI based on the prime contractor’s requirements. For instance, in response to the proposed rule, commenters questioned whether the CMMC requirements would apply to foreign-based and international companies. DOD clarified that CMMC requirements apply to domestic and international prime contractors and subcontractors throughout the supply chain as long as their information systems process, store, or transmit FCI or CUI. DOD made clear that CMMC flowdown requirements are based on the type of information that subcontractors will be required to process and share, without regard for where companies do business.

IMPLEMENTATION TIMELINE

The rule will take effect on December 16, 2024, but the government will not begin inserting CMMC 2.0 compliance requirements into defense contracts right away. Instead, DOD must first finalize a separate proposed rule, as we discuss here, that would allow contracting officers to start implementing CMMC 2.0 requirements by inserting DFARS clause 252.204-7021 into defense contracts. DOD does not expect to finalize that rule until early- to mid-2025, which gives contractors time to prepare.

Notably, the final rule refines the timeline for implementation of the program, which will be a four-phased (and multiyear) process, beginning with the publication of DFARS 252.204-7021:

Phase 1

Phase 1 will begin on the date that the DFARS 252.204-7021 clause takes effect. During this phase, DOD contracting officers will begin including CMMC Level 1 and CMMC Level 2 self-assessment status requirements in all applicable DOD contracts as a condition of contract award. DOD may also incorporate CMMC Levels 1 and 2 self-assessment requirements into contract options. Additionally, DOD may require contractors to secure CMMC Level 2 C3PAO assessment status rather than simply obtaining Level 2 self-assessment status.

Phase 2

This phase will begin one year after the start of Phase 1. During this phase, DOD will begin to require contractors to obtain CMMC Level 2 C3PAO certification status as a condition of contract award. DOD may also begin requiring contractors to obtain CMMC Level 3 DIBCAC status as a condition of contract award, as applicable.

Phase 3

Phase 3 will begin one year after the start of Phase 2. During this phase, DOD will begin including the requirement for CMMC Level 2 C3PAO status in all applicable DOD solicitations and contracts as a condition of contract award, and as a condition to exercise option periods on any contract awarded after the effective date. DOD will also begin including the requirement for CMMC Level 3 DIBCAC status in all applicable DOD solicitations and contracts as a condition of contract award.

Phase 4

Phase 4 will begin one year after the start of Phase 3. This phase will mark full implementation of the CMMC 2.0 program. Upon reaching this phase, DOD will include CMMC program requirements in all applicable DOD solicitations and contracts, including in option periods of contracts awarded before the start of Phase 4.

This new timeline helps bring definition to contractor’s compliance obligations, and the release of the final rule allows for C3PAOs to begin assessing contractors’ compliance with CMMC. In other words, although contractors are not yet required to meet CMMC obligations, the finalization of the requirements now allows contractors to be prepared once the obligations are imposed.

Although the level of CMMC compliance will depend on the government's ultimate designation in particular contracts, contractors may assess their government business today and anticipated future operations to determine their likely level of compliance requirements. Once this baseline is established, in addition to ensuring information technology systems are ready to meet the requirements of the appropriate CMMC level, companies are well advised to confirm they are on track in developing their system security plans (SSP) and other policies to track compliance with CMMC requirements. Companies may then conduct a self-assessment or assessment by a C3PAO to demonstrate readiness for CMMC requirements.

As DOD continues to finalize implementation of the CMMC 2.0 program—including by finalizing DFARS 252.204-7021 and kicking off the implementation process—we will continue to monitor developments in this area.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:

Authors
W. Barron A. Avery (Washington, DC)
Ezra D. Church (Philadelphia)
Alexander B. Hastings (Washington, DC)
Sarah-Jane Lorenzo (Washington, DC)
Houston