DOD Finalizes CMMC 2.0 Program Final Rule

10.18.2024

On Tuesday, October 15, 2024, the U.S. Department of Defense (“DOD”) issued its final rule for its much-anticipated Cybersecurity Maturity Model Certification (CMMC) program. The CMMC program will eventually apply one of three levels of cybersecurity requirements to defense contracts and solicitations, depending on the sensitivity of the information the contractors are handling.

Evolution of the CMMC Rule

Development of the CMMC rules began in 2019 as a means of moving away from the current “self-attestation” regime under DFARS 252.204-7012, which requires contractors to implement the security requirements under NIST SP 800-171. After heavy criticism over the interim rule which was published in September 2020, DOD initiated an internal review and ultimately published draft “Version 2.0” of the CMMC program structure in November 2021. That was followed by DOD’s proposed rule for the CMMC program in December 2023. 

The Three CMMC Levels

The CMMC final rule contemplates that contractors must meet one of three CMMC levels, with escalating cybersecurity requirements for each level depending on the contract requirements. The CMMC level for a contract, which must also flow down to subcontractors, will be selected by the manager of the relevant program based on the type and sensitivity of the information used. Senior DOD officials will be involved in the decision process when determining whether a contractor warrants Level 3 requirements. Notably, senior DOD acquisition executives have some flexibility to waive the inclusion of CMMC requirements within particular solicitations or contracts.

  • Level 1, the “basic cybersecurity” level, requires contractors processing, storing or transmitting federal contract information (“FCI”) to comply with the 15 existing cybersecurity standards in the Federal Acquisition Regulation’s (“FAR’s”) existing “Basic Safeguarding of Covered Contractor Information Systems” clause. Contractors with Level 1 requirements also must submit, through an Affirming Official, an annual affirmation of their CMMC compliance.
  • Level 2 applies to contractors handling controlled unclassified information (“CUI”), and requires contractors to implement the 110 security controls under revision 2.0 of NIST SP 800-171. (In May 2024, NIST finalized a new version of SP 800-171, but the new version will be incorporated in future amendments to the rule.) While some contractors at Level 2 may self-attest their CMMC compliance, most will be required to have independent third parties (“CMMC Third-Party Assessment Organizations” or “C3PAO”) assess their compliance.  These third-party assessments are valid for three years, although contractors with Level 2 self-assessment or third-party certification requirements must still file an annual affirmation of compliance.
  • Level 3 applies to contractors that handle CUI associated with “a critical program or high value asset.” Those companies must be Level 2 certified and must meet 24 additional security requirements from NIST’s SP 800-172 standard in addition to the SP 800-171 requirements.  Assessments of Level 3 compliance will be conducted by the DOD’s Internal Defense Industrial Base Cybersecurity Assessment Center, or DIBCAC. Like Levels 1 and 2, contractors with Level 3 requirements also must submit an annual affirmation of compliance.

Eligibility Impacts of the CMMC Rule

Compliance with CMMC is a condition of eligibility for a contract award. However, if a contractor has an assessment score greater than 0.8 of the requirements for a Level 2 or 3 contract, with certain conditions, it can receive conditional eligibility premised upon a plan of actions and milestones (“POA&M”) for compliance with the remaining requirements.  The POA&M will have to be met within 180 days or “standard contractual remedies,” such as potential termination or disqualification, may apply.

Preliminary Thoughts on Changes in the Final Rule

The final rule is dense and addresses a host of industry comments and concerns.  Below we address some of the changes that surfaced in the final rule.

The proposed rule contemplated a four-phase rollout process, which remains in the final rule with a few changes. For instance, the final rule extends the first phase from 6 months to 1 year, which is a welcome change for the defense industrial base. During this first phase, CMMC requirements will start being included in certain contracts requiring Level 1 or Level 2 self-assessments. During the next two one-year phases, CMMC requirements will be expanded to contracts requiring Level 2 third-party certification, and then to contracts with Level 3 requirements, with full implementation across all DOD contracts (with limited exceptions) by the time the third phase is complete, the fourth phase being full implementation.

The Pentagon intends to include CMMC requirements in all solicitations on or after Oct 1, 2026, when applicable (subject to certain waivers that could be issued prior to issuing the solicitation).

The final rule also removed a requirement from the proposed rule applicable to external service providers (ESPs).  ESPs that are cloud services providers (CSPs) who do not process, store, or transmit CUI, are not required to meet FedRAMP requirements in DFARS clause 252.204-7012. Similarly, non-CSP ESPs who do not process, store, or transmit CUI, do not require CMMC assessments.

In another move welcomed by industry, the final rule also added definitions for “enduring exception” and “temporary deficiency.” These definitions inject some flexibility into the CMMC program, as they permit a security requirement to be deemed “met” so long as certain conditions are satisfied.

The final rule also discussed mergers and acquisitions (“M&A”) for contractors with CMMC requirements.  In a prefatory section entitled “Reassessment,” DOD reiterated that self-assessments and certifications are valid for a fixed duration and for a particular scope.  Thus, a “new assessment” is required “if there are significant architectural or boundary changes to the previous CMMC Assessment Scope.”  DOD stated that examples include, but were not limited to, “expansions of networks or mergers and acquisitions.”  Given the inclusion of this language, defense contractors should be mindful of changes during the annual affirmation process, regardless of whether there has been any M&A activity.

Impacts of the Final CMMC Rule

The DOD projects that annualized costs for contractors and other non-government entities to implement CMMC 2.0 will be almost $4 billion, calculated for a 20-year horizon. For the government, they will be approximately $9.5 million, according to the projections.  More detailed cost projections for various compliance and self-assessment efforts are included in the final rule.

Industry stakeholders and trade associations have raised concerns that, with an already shrinking industrial base, the rule may discourage some companies from taking on defense contracts in the future, and could have a disproportionally larger impact on smaller companies. They also cite the need to keep in mind the appropriate balance between the need for security and minimizing barriers for industry meeting customer needs. Importantly, some stakeholders have also called for the DOD to better identify and clarify exactly what information is and is not “CUI” for CMMC purposes (beyond that provided in the final rule or the regulatory definition) as it moves forward with the CMMC program.

Next Steps and Final Thoughts

While the final rule was published in the Federal Register on October 15, it is expected to continue evolving over time to address evolving cybersecurity standards, threats, and other relevant changes. The final rule will become effective on December 16, 2024, and is incorporated into the regulations as 32 C.F.R. part 170.

In parallel with the CMMC program rule, DOD also issued a proposed rule on August 15, 2024, which would amend the DFARS to set out how contractual requirements related to the CMMC program will be incorporated into defense contracts. Comments on that proposed rule were due on October 15, 2024. We anticipate that a final version of that DFARS rule will be published by mid-2025, the effective date of which will trigger the CMMC program’s phase-in process.

Finally, it is worth noting that while some contractors expressed concern at exposure under the False Claims Act (“FCA”), DOD responded that issues related to FCA liability are outside the scope of its CMMC program rule. Nevertheless, because defense contractors are required to annually affirm compliance (notwithstanding self-attestations and certifications) under the CMMC rule, contractors must be mindful of FCA exposure, particularly in light of DOJ’s Civil Cyber-Fraud Initiative and a recent case in which the DOJ intervened in an FCA lawsuit against Georgia Tech involving NIST 800-171 compliance under the current DFARS rule.

About Maynard Nexsen

Maynard Nexsen is a full-service law firm with more than 550 attorneys in 24 offices from coast to coast across the United States. Maynard Nexsen formed in 2023 when two successful, client-centered firms combined to form a powerful national team. Maynard Nexsen’s list of clients spans a wide range of industry sectors and includes both public and private companies. 
