LawFlash

DoD Progresses Toward CMMC 2.0 Implementation with New Proposed Rule

September 09, 2024

The US Department of Defense (DoD) has issued a new proposed rule for implementing the next iteration of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. This action drives forward the DoD’s plans to bolster US cybersecurity protections and increase the requirements applicable to defense contractors in securing sensitive government information.

DoD’s proposed rule would amend the Defense Federal Acquisition Regulation Supplement (DFARS) to require contracting officers to implement the CMMC program, establish a new clause for inclusion in DoD solicitations, and substantially revise the existing DFARS clause that administers CMMC requirements.

This recently proposed rule helps to implement the December 2023 proposed rule establishing the requirements of the CMMC 2.0 program, and would result in incorporation of CMMC 2.0 program requirements in effectively all government contracts (including subcontracts), other than COTS (commercial off-the-shelf) items.

THE CMMC 2.0 PROGRAM

While defense contractors are already subject to significant cybersecurity requirements, including those at DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), DoD aims to increase oversight and reporting obligations among the defense industrial base to protect “sensitive unclassified information from frequent and increasingly complex cyberattacks.” To that end, CMMC builds on existing cybersecurity requirements while introducing new review and certification obligations.

The CMMC 2.0 model creates three “levels” that assign safeguarding requirements to contractors that handle different types of information, with the compliance burden increasing with each level:

  • Level 1, the “Foundational” CMMC 2.0 level, will prescribe compliance requirements for contractors that handle Federal Contract Information (FCI), which is any information not intended for public release that is provided by or generated for the government under a government contract. Generally, compliance requires implementing FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). Contractors who handle FCI will be required to complete annual self-assessments and affirmations regarding compliance with Level 1 cybersecurity requirements.
  • Level 2, the “Advanced” CMMC 2.0 level, will prescribe compliance requirements for contractors that handle Controlled Unclassified Information (CUI), which is information provided by or generated for the government that a law, regulation, or governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls limiting its distribution. Generally, at this level, contractors must implement the NIST 800-171 requirements, an existing obligation for contractors subject to DFARS 252.204-7012. The new aspect of this rule subjects contractors to assessments by a CMMC Third Party Assessment Organization (C3PAO) and requires them to certify to DoD that they meet the cybersecurity requirements.
  • Level 3, the “Expert” CMMC 2.0 level, will prescribe compliance requirements for contractors that handle CUI and support the government’s most critical programs and technologies. At this level, contractors will be required to comply with NIST 800-171 and 800-172, undergo review by the government’s Defense Industrial Base Cybersecurity Assessment Center, and provide a certification of compliance with cybersecurity requirements.

The CMMC 2.0 framework does not apply to contractors yet, but many of the requirements it incorporates already exist in the FAR and DFARS.

DOD’S PROPOSED DFARS REVISIONS

DoD’s proposed DFARS rule would mark significant progress toward implementing the CMMC 2.0 program. In particular, it would require contracting officers to include the appropriate CMMC level in solicitations and contracts. It would also restrict contracting officers from awarding any contract, task order, or delivery order to an offeror that does not have the results of a current certificate or self-assessment at the appropriate CMMC level or higher as well as a current affirmation of continuous compliance with applicable security requirements.

While providing welcome clarity regarding the CMMC level that will apply to a particular contract, the proposed rule introduces uncertainties. For instance, in updating DFARS 252.204-7021 (Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements), the proposed rule requires notification within 72 hours of “any lapses in information security or changes in the status of CMMC certificate or CMMC self-assessment levels during performance of the contract.”

Some contractors already struggle to define their obligations under DFARS 252.204-7021’s existing cybersecurity provisions, which require rapid reporting of cyber incidents. This new obligation increases that ambiguity by adding yet another potential reporting trigger: “lapses” in “information security” or “changes in status” of CMMC compliance. Such terms would benefit from greater precision, particularly for contractors already facing uncertainty about the scope and nature of their existing cybersecurity compliance obligations.

The proposed rule also adopts an existing definition of CUI from national defense regulations at 32 CFR 2002 without providing additional guidance or clarity. The proposed rule defines CUI as “information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.”

This definition does not provide further guidance to help contractors identify CUI that may be subject to CMMC requirements. Even though DoD’s CUI registry, which lists certain categories of information that qualify for CUI protection, offers some additional guidance, that registry is not exhaustive, and contractors are often left with uncertainties about whether the information they create or possess is CUI. The proposed rule misses an opportunity to provide much-needed guidance to industry on this point.

NOTICE AND COMMENT PROCESS

The proposed DFARS amendment was published in the Federal Register on August 14, 2024, as 89 Fed. Reg. 66,327. Interested parties are invited to submit written comments on the rule until October 15, 2024. If DoD issues a final rule that is arguably at odds with the agency’s statutory mandate, contractors will have the opportunity to challenge DoD’s statutory interpretation in federal court.

If a challenge is raised, as we have previously discussed here, the US Supreme Court’s recent decision in Loper Bright Enterprises v. Raimondo may present new opportunities for contractors to argue that the court should not defer to DoD’s interpretation of Section 1648 of the FY 2020 NDAA on which the CMMC rulemaking is based, and that traditional tools of statutory interpretation must instead be used to resolve any statutory ambiguities. We will continue to monitor the promulgation of this rule and developments in this area.
