January 02, 2024 - Protests & Litigation, Cybersecurity & Data Privacy, Compliance

An Overview of the Defense Department’s Long-Awaited Proposed Regulations for Its Cybersecurity Maturity Model Certification Program

The U.S. Department of Defense released a special holiday treat for government contractors and subcontractors last week in the form of long-promised proposed regulations for its Cybersecurity Maturity Model Certification (CMMC) program. More than two years in the making, the current iteration of the rules contains a few surprises, including a new annual affirmation of compliance requirement for all DoD contractors and subcontractors covered by the CMMC Program. Below we highlight several noteworthy aspects of the proposed CMMC regulations, summarize the obligations in chart form, and explore potential implications for contractors and subcontractors.

The Cybersecurity Maturity Model Certification (CMMC) program was first conceptualized by the Department of Defense (DoD) in 2019 as a means to protect the defense industrial base from evolving security threats. Contractor information systems are the focus, and the purpose of CMMC is to enhance cybersecurity compliance by requiring implementation of specific security protections commensurate with risk and by moving from a self-attestation model to one that requires third-party validation of the implementation of security measures for certain contracts that involve sensitive, unclassified information. An interim rule became effective on November 30, 2020. Major revisions to that interim rule were proposed in November 2021, with the DoD’s announcement of CMMC 2.0, a re-envisioned and restructured CMMC Program.

The DoD Office of the Chief Information Officer (CIO) published the latest CMMC proposed rule on December 26, 2023. The proposed rule in large part implements the previously announced CMMC 2.0 structure, with some additional features and requirements. In parallel with the CMMC proposed rule, DoD made available eight additional guidance documents for the CMMC Program, covering the CMMC model, assessments, scoping, and hashing. The guidance documents, referenced in Appendix A to the proposed rule, are available at https://dodcio.defense.gov/CMMC/Documentation/.

Interested parties must submit comments on both the proposed rule and the guidance documents by February 26, 2024.

Highlights of the Proposed Rule

1. Tiered Model for Cybersecurity Requirements

The proposed rule identifies three CMMC levels of increasingly advanced cybersecurity protections. The appropriate level for any given contract will depend on the sensitivity of the information to be processed, stored, or transmitted on unclassified contractor information systems.

Level 1: For contracts involving Federal Contract Information (FCI)[1] only, CMMC Level 1 requires compliance with FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. This clause, which already applies to most FAR-based contracts, mandates compliance with 15 security requirements deemed “elementary for any entity wishing to achieve basic cybersecurity” by the DoD CIO. Contractors must fully comply with all 15 obligations; no plans of action and milestones (POA&Ms) for future implementation of compliance are permitted.

Level 2: This level applies to contracts involving Controlled Unclassified Information (CUI).[2] The CMMC requirements mirror existing contractor obligations to protect CUI under DFARS 252.204-7012, which requires defense contractors and subcontractors to provide adequate security on all covered contractor information systems by implementing the 110 security requirements specified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The clause also requires use of cloud service provider systems that meet the Federal Risk and Authorization Management Program (“FedRAMP”) Moderate or higher standards.

The proposed regulation reiterates the DFARS 252.204-7012 obligation to comply with NIST SP 800-171. Interestingly, it specifically refers to revision 2 of the publication, although NIST has recently released a new revision 3.

Level 3: CMMC Level 3 is designed to include enhanced protection of CUI against Advanced Persistent Threats (APTs). An APT is an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). Level 3 contractors and subcontractors must meet all of the requirements of CMMC Level 2, plus an additional 24 selected security requirements from NIST SP 800-172, Enhanced Security Requirements for Controlled Unclassified Information, as detailed in the proposed rule. DoD-specified parameters (Organization-Defined Parameters) may modify the NIST SP 800-172 requirements (see table 1 to 32 CFR § 170.14(c)(4)[3]).

2. Assessment and Affirmation Requirements

Under the new requirements, every DoD contractor (and most subcontractors) will now need to perform (or have performed by a third party) an assessment of cybersecurity compliance and file a report in the DoD Supplier Performance Risk System (SPRS). In addition, contractors and applicable subcontractors must now complete and submit affirmations of compliance consistent with the requirements for their CMMC level. These affirmations may be considered express representations for False Claims Act purposes and thus should be taken very seriously. They are to be provided by an organization’s “senior official who is responsible for ensuring . . . compliance with CMMC Program requirements.” 32 CFR § 170.22.

Level 1: At Level 1, the prime contractor and applicable subcontractors must annually perform a self-assessment of full compliance with FAR 52.204-21, and a senior officer must annually affirm continued compliance with these security requirements in SPRS. Entities can, but are not required to, hire a third party to conduct the assessment.

Level 2: Under current requirements, contractors and subcontractors that process, store, or transmit CUI must conduct a self-assessment of compliance with NIST SP 800-171 and develop a System Security Plan (SSP) documenting such compliance and a POA&M for those areas where security gaps exist. Contractors and subcontractors must also upload a self-assessment score in the SPRS.

Level 2 will now require either a self-assessment or a CMMC Level 2 certification assessment by a CMMC third-party assessment organization (C3PAO). The contracting agency will determine the appropriate means of assessment based upon the sensitivity of the CUI involved in any given program. If the agency requires a C3PAO assessment, the contractor or subcontractor seeking certification must hire a CMMC-certified C3PAO to verify implementation of security requirements. Whichever means are used, assessments must be performed at least every three years (third-party assessments will be valid for up to three years). While POA&Ms are still allowed, any POA&M items must be closed out within 180 days of the assessment date. Moreover, certain requirements are mandatory and cannot be listed in a POA&M at all. There is also a minimum required score in order to receive a Conditional Certification Assessment, which becomes a Final Certification Assessment once all POA&M items are addressed.

Finally, senior officials from the prime contractor and applicable subcontractors must initially and then annually affirm compliance with the required security controls, and also confirm POA&M closeout. This activity takes place in SPRS.

Level 3: Contractors and subcontractors that are required to meet CMMC Level 3 must have an assessment and certification performed by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). These assessments are valid for up to three years. As with Level 2, POA&Ms are permitted and they are subject to a minimum score and certain non-negotiable requirements.

In addition, a senior official from the prime contractor and any applicable subcontractors will be required to affirm in SPRS their continuing compliance with the specified security requirements after every assessment, including POA&M closeout, and annually thereafter.

3. Scoping

A prerequisite for assessment is a scoping exercise, through which the contractor or subcontractor will determine which information technology systems and assets must be included in a given assessment. In other words, the organization seeking assessment must define the boundaries for the CMMC assessment. It is possible for contractors to have different enclaves or segments within their systems assessed at different CMMC levels.

All assets that process, store, or transmit FCI must be included in a Level 1 assessment. See 32 CFR § 170.19(b).

A Level 2 assessment must include not only assets that process, store, or transmit CUI, but also all assets that provide security protections for those assets. Two further categories of assets are documented but are not part of the assessment: Contractor Risk Managed Assets, which are assets that can, but are not intended to, process, store, or transmit CUI (because of security policies, procedures, or practices); and Specialized Assets, which are assets that can process, store, or transmit CUI but are unable to be fully secured (including Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), and the defined terms Restricted Information Systems and Test Equipment). See 32 CFR § 170.19(c).

Level 3 follows the Level 2 process but Specialized Assets are also included within the assessment scope. See 32 CFR § 170.19(d).

4. Scoring

The 15 Level 1 criteria are to be evaluated on a simple MET/NOT MET basis. To certify compliance, all criteria must be MET.

The proposed rule sets forth the assessment scoring methodology to be used to measure implementation status of requirements for CMMC Levels 2 and 3. See 32 CFR §§ 170.24(c)(2) & (c)(3). For Level 2, the maximum score is equal to the total number of security requirements for the level (110). If a requirement is NOT MET, the associated value for that requirement is deducted from the score, which could result in a negative score. All Level 3 requirements use a point value of one, which is added or subtracted based on whether the criterion is MET or NOT MET.

5. Implementation Through Contracts

Once CMMC is fully implemented, DoD contractors handling sensitive information will be required to achieve the agency-designated CMMC level as a condition of contract award. Solicitations for DoD contracts involving the processing, storing, or transmitting of FCI or CUI on contractor systems will assign a CMMC level and assessment type (i.e., self-assessment, third-party, or government assessment) requirement which must be met before the agency can award a contract.

The DFARS clauses will also need to be modified in the future to be consistent with the CMMC Program.

6. Applicability to Subcontractors

Under the current DFARS 252.204-7020, contractors must confirm, prior to the award of any contract, that their subcontractors that will process, store, or transmit CUI on subcontractor information systems have SPRS scores on file. DFARS 252.204-7021 additionally states that prime contractors are responsible for flowdown of applicable CMMC requirements to their subcontractors.

The proposed rule reiterates these obligations and confirms that prime contractors will identify for their subcontractors the required CMMC level in accordance with 32 CFR § 170.23, if it is not already defined in the solicitation.

Subcontractors that are subject to CMMC must meet all of the assessment and accreditation requirements that are required of prime contractors for their designated CMMC Level.

7. Phase-in of Requirements

The implementation plan for CMMC consists of four phases. Phase 1, which involves implementation of Level 1 assessments and Level 2 self-assessments, begins on the effective date of the CMMC revision to DFARS 252.204-7021 (the DFARS clause implementing CMMC). Phase 2, which will add Level 2 Certification Assessments as a condition of award, begins six months thereafter. Phase 3, which adds in the requirement for Level 3 Certification Assessments as a condition of award and Level 2 Certification Assessments for exercise of options, will begin one year after that. Full implementation under Phase 4, which will include CMMC requirements in all solicitations and for all option periods on existing contracts, begins one year after the start date of Phase 3.

Although the timing above is dependent on the issuance of a revised DFARS clause, the DoD CIO has also stated in the proposed rule that the “DoD intends to include CMMC requirements for Levels 1, 2, and 3 in all solicitations issued on or after October 1, 2026, when warranted by any FCI or CUI information protection requirements for the contract effort. In the intervening period, DoD Program Managers will have discretion to include CMMC requirements in accordance with DoD policies.” 

As a result, current cybersecurity requirements will continue to apply until CMMC is fully implemented in 2026 (or later if the past is prologue and there will be delays of CMMC implementation), unless otherwise reflected in a solicitation in the interim.

8. Other Items of Note

Additional Forthcoming Rules. The CMMC Program will be implemented through publication of final rules under titles 32 and 48 of the CFR. The proposed rule includes proposed language for 32 CFR Part 170, but not for CFR title 48. The new DFARS clauses in CFR title 48 will be forthcoming. The proposed rule also notes that additional regulations are required to direct DoD agencies’ implementation of the CMMC Program in solicitations and contract awards. The DoD CIO states: “CMMC-related contractual processes will be addressed in DoD’s DFARS Case 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements, which will be proposed by the Department in a separate rulemaking.” Information about who within government will make CMMC-related decisions, and how, will be important, particularly given the limited cybersecurity knowledge among contracting officers and strained agency cybersecurity resources. The proposed rule specifies only that “Program Managers and requiring activities” will identify the applicable CMMC level for any given procurement, using factors including, but not limited to, those specified in 32 CFR §§ 170.5(b)(1)–(5).

Waivers. The proposed rule states that a “DoD Service Acquisition Executive or a Component Acquisition Executive may elect to waive inclusion of CMMC Program requirements in a solicitation or contract,” but the rule provides no further details about a waiver process other than that it may occur “in advance of the solicitation at the discretion of DoD in accordance with all applicable policies, procedures, and approval requirements,” 32 CFR § 170.2(c)(2). The rule does confirm that “[t]here is no process for organizations to request waiver of the CMMC solicitation requirements,” suggesting that any waiver request has to originate with the agency itself.

C3PAO Assessment and Training. The proposed rule describes a complex CMMC ecosystem whereby the DCMA DIBCAC will certify an Accreditation Body and C3PAOs and also conduct Level 3 assessments for organizations seeking certification. The Accreditation Body in turn will authorize and accredit C3PAOs and oversee the training of their assessors, instructors, and related professionals. Prior comments on earlier iterations of CMMC regulations reflected concern among the contractor community about assessors’ availability and lack of resources for CMMC certification. The proposed rule addresses these concerns through the planned phased implementation approach. The DoD CIO also states that the DoD may revisit the CMMC implementation plan if any capacity issues occur.

Assessment Disputes. Each C3PAO must have a formal process in place to address disputes related to perceived assessment errors, malfeasance, and unethical conduct that resolves disputes within set time frames. Unresolved disputes can be escalated to the Accreditation Body, whose decision is final. Disputes about CMMC levels required by solicitations must be directed to the contracting agency or contracting officer for the procurement.

Reliance on Prior DIBCAC Evaluations. To avoid duplicative evaluations, organizations that previously received a perfect score with no open POA&M from a DCMA DIBCAC High Assessment are automatically eligible for a CMMC Level 2 Final Certification Assessment. The latter will be valid for three years from the original DIBCAC High Assessment. Annual affirmations are still required.

Use of eMASS. C3PAOs and DoD assessors are to enter their assessment information electronically into the CMMC Enterprise Mission Assurance Support Service (eMASS), which will then electronically transmit the assessment results into SPRS. eMASS is a government-owned, web-based application currently run by the Defense Counterintelligence and Security Agency. Third-party assessment organizations will need to be given access to this system, and connectivity between eMASS and SPRS will need to be established.

External Service Providers and Cloud Service Providers. If a contractor uses an External Service Provider (ESP) to provision and manage its information technology (IT) and/or cybersecurity services (for example, an outsourced IT provider), the ESP must have a CMMC certification equal to or above the level of certification that the contractor is seeking. For Cloud Service Providers (CSP), which provide platform, infrastructure, applications, or cloud storage, the CMMC Program accepts FedRAMP Moderate or High authorization in some instances to meet the CMMC requirements.

Summary Chart of Requirements Under the Proposed Rule

The following briefly illustrates applicable requirements at each CMMC level under the proposed rule, listed for each level as: Applicable Cybersecurity Requirements; POA&M Permitted?; Assessment Requirements; Affirmation Requirements.

Level 1
Applicable Cybersecurity Requirements: FAR 52.204-21
POA&M Permitted? No
Assessment Requirements: Annual self-assessment
Affirmation Requirements: At initial assessment, and then annually, in SPRS

Level 2
Applicable Cybersecurity Requirements: Level 1 requirements, plus NIST SP 800-171, Rev. 2
POA&M Permitted? Yes, for some requirements, but must meet a minimum score and resolve any POA&M items within 180 days of assessment
Assessment Requirements: Triennial assessment; either self-assessment or third-party assessment by CMMC C3PAO
Affirmation Requirements: At initial assessment, and then annually, in SPRS

Level 3
Applicable Cybersecurity Requirements: Level 2 requirements, plus 24 selected security requirements from NIST SP 800-172, including any DoD-specified parameters
POA&M Permitted? Yes, but must have a Level 2 Final Certification Assessment and resolve any POA&M items within 180 days of assessment
Assessment Requirements: Triennial assessment by DCMA DIBCAC
Affirmation Requirements: At initial assessment, and then annually, in SPRS

[1] FCI is defined in FAR 4.1901 as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public Web sites) or simple transactional information, such as that necessary to process payments.”

Unless otherwise noted herein, capitalized defined terms from the proposed rule are defined in proposed 32 CFR § 170.4.

[2] CUI is defined in 32 CFR § 2002 as “[a]ll unclassified information throughout the executive branch that requires any safeguarding or dissemination control.”

[3] References to 32 CFR Part 170 herein are to the draft regulations in the proposed rule.