CMMC 2.0: Two Key Points

The CMMC 2.0 proposed rule was officially published in the Federal Register on December 26, 2023, with a 60-day comment period extending through February 26, 2024. 88 Fed. Reg. 89,058 (Dec. 26, 2023). The proposed requirements for 32 C.F.R. part 170, “Cybersecurity Maturity Model Certification (CMMC) Program,” are subject to change based on responses to public comments. Also, certain matters will be addressed in a second, separate rulemaking, which will update the DFARS contractual implementation of CMMC in title 48 of the Code of Federal Regulations.

There is much to unwrap in this holiday gift from DoD, but two key points are confirmed and fleshed out in the proposed rule: 1) the window is closing for contractors to come into full compliance with cybersecurity requirements to remain eligible for award of defense contracts and subcontracts involving controlled unclassified information (CUI); and 2) the vast majority of contractors will not be able to self-assess compliance with CUI safeguarding requirements but will need to retain a CMMC Third Party Assessment Organization (C3PAO) to perform a certification assessment.

The proposed rule contemplates a four-phased approach for DoD to include CMMC program requirements in solicitations and contracts. Implementation will begin with Phase 1, which starts on the effective date of the CMMC revision to DFARS 252.204-7021, a date presumably to be set in the follow-on DFARS CMMC rulemaking. Phase 2 will begin six months after the start of Phase 1; Phase 3 will begin a year after the start of Phase 2; and Phase 4, “full implementation,” when applicable CMMC program requirements must be included in all solicitations and contracts as a condition of award and as a condition of exercising options, will begin a year after the start of Phase 3, a total of 2.5 years after the start of Phase 1. 32 C.F.R. § 170.3(e)(1)-(4). As early as Phase 1, however, DoD intends to include CMMC Level 1 or Level 2 Self-Assessment requirements in applicable contracts and solicitations as a condition for award. DoD may also include Level 1 or 2 Self-Assessment as a condition for option exercise for previously awarded contracts in Phase 1 and will have discretion to include Level 2 Certification Assessment requirements in solicitations and contracts as well.

Defense contractors and subcontractors will not be required to have CMMC certification to submit proposals, but will need to be certified at the appropriate level to be eligible for award (unless a waiver is granted, which will only be available “in very limited circumstances”). Contractors will be able to use Plans of Action and Milestones (POA&Ms) to address certain requirements that are scored as “not met” in a CMMC assessment. POA&Ms will be strictly limited, however: they are permitted only for Levels 2 and 3, only if the assessment score divided by the total number of security requirements is greater than or equal to 0.8, only for selected requirements, and subject to a mandate to be “closed out” within 180 days of the initial assessment. 32 C.F.R. § 170.21. Contractors will be able to receive awards with conditional certifications that include POA&Ms, subject to the aforementioned limitations, but the 180-day clock will be ticking.

Again, no effective date has been established for the revision to DFARS 252.204-7021. It could take a year or a year and a half (or more) for the second CMMC rule with DFARS updates to be published, undergo public comment, and be revised and finalized by DoD. But once that happens, DoD will start to include CMMC Level 1 and 2 requirements in solicitations and contracts, and defense contractors will need CMMC assessments to receive contract awards. Contractors will need to meet most security requirements even for a conditional assessment, and will need to meet the balance of the requirements within six months of initial assessment.

Defense contractors with contracts and subcontracts containing DFARS 252.204-7012 have been required to implement NIST SP 800-171 on covered information systems since December 31, 2017. Many contractors have struggled to meet some of the requirements, however. In a November 30, 2023 special report, the DoD Office of Inspector General described common cybersecurity weaknesses it identified in five audits and five investigations conducted on contractor information systems from 2018 to 2023. DoD OIG identified as common weaknesses that contractors did not meet NIST SP 800-171 requirements to enforce the use of multi-factor authentication and strong passwords; generate and review network, system and user activity reports; disable inactive user accounts; implement physical security controls for facilities containing their networks and systems; identify and mitigate network and system vulnerabilities in a timely manner; and scan for viruses and malicious code. Contractors struggling to meet these and other NIST SP 800-171 requirements will need to find a way to get into compliance to remain eligible for contract awards as DoD stands up the CMMC program.

Most defense contractors subject to CMMC Level 2 will likely be required to undergo a third-party assessment by a C3PAO and achieve “Certification Assessment.” As DoD had previously indicated, the solicitation or contract will indicate whether self-assessment or certification assessment applies, and some contracts will be subject to CMMC Level 2 Self-Assessment. Program managers and requiring activities will decide the certification level and assessment type based on the type and sensitivity of information to be processed, stored, or transmitted on a contractor information system, including consideration of five factors identified at 32 C.F.R. § 170.5(b).

The proposed rule cost impact analysis is telling, however. DoD estimated the number of entities by type and assessment level using historical metrics gathered for CMMC 1.0 and subject matter expertise from Defense Pricing and Contracting (DPC) and DCMA DIBCAC. DoD’s estimate assumed that approximately 95% of contractors and subcontractors subject to CMMC Level 2 would undergo Certification Assessment rather than Self-Assessment (76,598 out of 80,598). 88 Fed. Reg. at 89,085 (Table 3). As DoD notes, some contractors “may elect to complete a self-assessment or pursue a certification assessment . . . in an effort to distinguish themselves as competitive for efforts that require an ability to adequately protect CUI.” But DoD’s assumption that 95% will go through Certification Assessment suggests that comparatively few contractors with contracts involving CUI will be eligible for self-assessment. This is consistent with the vision for CMMC from the outset as a move away from a self-certification system.

The proposed rule includes helpful information on a range of other subjects, including CMMC scoring methodology; assessment appeals; scoping; requirements for external service providers (ESPs); and subcontract flow-downs. Other matters are unaddressed by the proposed rule, including problems with inconsistent marking of CUI (overmarking and undermarking). But in the final analysis, the proposed rule is the latest reminder that cybersecurity requirements are and will remain mandatory for most companies to do business with DoD, that the time to achieve full compliance is running out, and that DoD will strictly limit self-certification and will mostly require certification assessments by C3PAOs to demonstrate that all security requirements are met when a contract or subcontract involves CUI.

Joel Lawhead, PMP, GISP

FedCon - Author - Founder

1 yr

The estimated timelines and assumptions about how the DIB will react are vastly overblown.
