On December 26, 2023, the Department of Defense (“DoD”) belatedly gifted defense contractors and subcontractors a Proposed Rule on the Cybersecurity Maturity Model Certification (“CMMC”) Program. DoD also released eight CMMC guidance documents, providing interested parties a one-two combo of what to expect under the Program. The Proposed Rule has already received over 100 comments. With commenting open until February 26, 2024, will DoD proceed with a final rule, or is the Proposed Rule a Groundhog Day scenario with DoD further delaying final implementation of the CMMC Program?

First announced in 2019, the CMMC Program was designed to verify the protection of sensitive unclassified information shared between DoD and its contractors and subcontractors or generated by contractors or subcontractors on behalf of DoD. In September 2020, DoD published an interim rule on the Program (“CMMC 1.0”), Defense Federal Acquisition Regulation Supplement (“DFARS”) Case 2019-D041, to establish the Program’s basic framework. In November 2021, DoD updated the Program as CMMC 2.0 by revising the Program’s structure and requirements, including streamlining the CMMC levels from five to three. Now, more than two years later, the Proposed Rule intends to implement the Program through formal rulemaking—almost.

While there is still rulemaking left to accomplish, namely as it relates to the operative contract clause(s), the Proposed Rule creates the new 32 C.F.R. Part 170 to “establish requirements for a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have… implemented required security measures [to safeguard sensitive unclassified information.]” The Proposed Rule addresses certain policy problems, identified by DoD to include:

  • Verifying contractor cybersecurity requirements, as current regulations do not provide DoD with an assessment of a defense contractor’s or subcontractor’s implementation of the information protection requirements within pertinent clauses;
  • Implementing cybersecurity requirements by specifying the required CMMC level in the solicitation; and
  • Addressing scaling challenges by utilizing a private-sector accreditation structure.

To address these policy problems, the Proposed Rule establishes the CMMC Program Management Office, which is empowered to investigate and act upon assessments that have been called into question. See 32 C.F.R. § 170.6(b). Further, the Proposed Rule would require that solicitations specify the CMMC level for a particular requirement and require an assessment as a condition of contract award. See id. at § 170.3(e). Finally, the Proposed Rule would establish an Accreditation Body responsible for authorizing and ensuring the accreditation of CMMC Third-Party Assessment Organizations (“C3PAOs”) to scale assessment needs at CMMC Level 2. See id. at § 170.8.

The CMMC Basics

Consistent with CMMC 2.0, the Proposed Rule utilizes three CMMC assessment levels. The highest level, CMMC Level 3, is for those requirements with heightened security concerns, particularly to address the risk of an Advanced Persistent Threat, defined in the Proposed Rule to mean “an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception).” Level 2, just one rung below, corresponds to the NIST SP 800-171 protections that most contractors subject to DFARS 252.204-7012 have already been required to implement for CUI; what changes is that implementation will now be assessed rather than merely attested. And Level 1 will effectively be a new requirement levied on a bevy of contractors that may not have even begun thinking of cybersecurity as something necessary for the operation of their business or their contracts/subcontracts. Taking its cue from Federal Acquisition Regulation (“FAR”) 52.204-21, contractors focused on Level 1 will be assessed against their ability to properly safeguard Federal Contract Information (“FCI”).

Those familiar with CMMC 2.0 will be familiar with the general framework under the Proposed Rule. The Proposed Rule builds on CMMC 2.0, aligning requirements more closely with existing and emergent cybersecurity requirements using the applicable level determined by the type of information processed, stored, or transmitted through a contractor’s/subcontractor’s information system. An overview of each level is as follows:

CMMC Level 1 (Self-Assessment)

  • In-Scope Assets: These include all assets that process, store, or transmit FCI or “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government,” exclusive of “information provided by the Government to the public (such as on public websites) or simple transactional information.”
  • Security Requirements: Assessments will evaluate compliance with FAR 52.204-21 (15 security requirements).
  • Plan of Action and Milestones (“POA&M”): POA&Ms are not allowed. All controls must be operational for assessment.
  • Other Considerations: Specialized assets, such as Internet of Things (“IoT”) devices (defined in NIST SP 800-172A); Operational Technology (“OT”), which is programmable systems or devices that interact with the physical environment; or Government Furnished Equipment (“GFE”) (defined in FAR 45.101), are not part of a CMMC Level 1 assessment.
  • Assessment and Affirmation: Self-Assessments required annually, with the results posted in the Supplier Performance Risk System (“SPRS”). In addition, a senior official of the contractor, and any applicable subcontractor, must complete an affirmation of continued compliance in SPRS annually.

CMMC Level 2 (Self- or Third-Party Assessment)

  • In-Scope Assets: These include assets that process, store, or transmit Controlled Unclassified Information (“CUI”), as defined at 32 C.F.R. § 2002.4(h). Also included are Security Protection Assets (i.e., assets that provide security functions or capabilities to the contractor’s assessment scope, regardless of whether these assets store, process, or transmit CUI); Contractor Risk Managed Assets (i.e., assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place); and Specialized Assets (i.e., IoT devices, OT, GFE, restricted information systems, etc.).
  • Security Requirements: Assessments will be evaluated against the requirements in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 Rev 2 (110 security requirements).
  • POA&M: POA&Ms are allowed with any identified deficiencies remediated within 180 days.
  • Other Considerations: External Service Providers (“ESPs”) (i.e., managed service providers) utilized by the contractor to process, store, or transmit CUI or Security Protection Data (e.g., log data or configuration data) must have a CMMC Level 2 Final Certification Assessment. Contractors using a Cloud Service Provider (“CSP”) to store, process, or transmit CUI must comply with the requirements at 32 C.F.R. § 170.16(c)(2) or 170.17(c)(5) for a self-assessment or C3PAO assessment, respectively.
  • Assessment and Affirmation: Assessments must be completed and uploaded into SPRS triennially. Affirmation of continued compliance must be completed in SPRS annually.

CMMC Level 3 (DoD-Led Assessment)

  • In-Scope Assets: (1) Assets that process, store, or transmit CUI; (2) Security Protection Assets; (3) Contractor Risk Managed Assets; and (4) Specialized Assets.
  • Security Requirements: Assessments will evaluate compliance with NIST SP 800-171 Rev 2 and NIST SP 800-172 (24 selected security requirements).
  • POA&M: POA&Ms are allowed with any identified deficiencies remediated within 180 days.
  • Other Considerations: ESPs utilized by the contractor must have a CMMC Level 3 Final Certification Assessment. Contractors using a CSP must comply with the requirements at 32 C.F.R. § 170.18(c)(5).
  • Assessment and Affirmation: Assessments must be completed and uploaded into SPRS triennially. Affirmation of continued compliance completed in SPRS annually.

The Proposed Rule also provides guidance on the relationship between CMMC Levels 2 and 3. Before a contractor can proceed with a CMMC Level 3 assessment of its information systems, the contractor must have first obtained a CMMC Level 2 Final Certification Assessment of those systems. This requires that the assessment scope at CMMC Level 3 be equal to or a subset of a contractor’s CMMC Level 2 assessment scope. Further, any CMMC Level 2 POA&M items must be closed prior to a contractor’s initiation of a CMMC Level 3 certification assessment.

External IT Resources

As illustrated above, the Proposed Rule expands the scope of cyber assessment to a new subset of contracts and enhances the assessment scope under CMMC Levels 2 and 3 to include ESPs and CSPs, depending on how they integrate with a defense contractor’s information system. Under the Proposed Rule, an ESP consists of “external people, technology, or facilities that an organization utilizes for [the] provision and management of comprehensive [information technology (‘IT’)] and/or cybersecurity services[.]” If a contractor uses ESP assets to process, store, or transmit CUI or Security Protection Data (e.g., log data or configuration data), ESP assets must similarly undergo a CMMC Level 2 or 3 Final Certification Assessment.

The Proposed Rule defines a CSP as “an external company that provides a platform, infrastructure, applications, and/or storage services [through the provisioning of scalable computing resources through a ‘cloud’ environment] for its clients.” Under the Proposed Rule, defense contractors and subcontractors undergoing a CMMC Level 2 or 3 assessment may use a cloud environment to process, store, or transmit CUI in the execution of a contract or subcontract, provided that the CSP’s product or service offering is either: (1) Federal Risk and Authorization Management Program (“FedRAMP”) Authorized at the FedRAMP Moderate (or higher) baseline in accordance with the FedRAMP Marketplace or (2) not FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline but meets the security requirements equivalent to those established by the FedRAMP Moderate (or higher) baseline. In addition, the CMMC assessment scope will encompass the contractor’s on-premises infrastructure connecting to the CSP’s product or service offering. This requires the documentation of security requirements in the contractor’s System Security Plan (“SSP”). Defense contractors will need to work through the additional complexities and costs of using ESPs/CSPs while demonstrating compliance with the Program.

Adjudication and Appeals

The Proposed Rule also provides an appeal process for contractors disappointed with the outcome of a Level 2 assessment performed by a C3PAO. The Proposed Rule requires C3PAOs to establish a process by which to address all appeals arising from a CMMC Level 2 assessment. Appeals a C3PAO is unable to resolve are elevated to the Accreditation Body, a DoD-approved organization responsible for authorizing and accrediting members of the CMMC Assessment and Certification Ecosystem, for resolution. However, the Proposed Rule does not say what recourse a defense contractor may have after an unfavorable decision from the Accreditation Body, merely stating that the decision of the Accreditation Body is final. See id. at § 170.8(b)(16).

So Now What?

The above summary merely skims the surface of the Proposed Rule. For convenience, please find here a double-sided “Place Mat” intended to help readers and leaders understand the ins and outs of what we know and don’t know about CMMC. When combined, the Proposed Rule and CMMC guidance documents total nearly 580 pages. Further, the Proposed Rule itself incorporates by reference a multitude of additional standards and guidelines applying to the Program. Contractors would benefit from a careful review of the Program as envisioned in the Proposed Rule.

In addition, CMMC compliance will not come cheap for defense contractors and subcontractors. Table 32 of the Proposed Rule estimates that complying with the Program will run small entities $2.6 million in annualized costs over a 20-year horizon in 2023 dollars at a 7 percent discount rate. Providing some solace, perhaps, is the fact that the Proposed Rule anticipates a four-phased implementation approach of the Program, once effective.

It remains to be seen what changes DoD makes with the Proposed Rule once the comment period closes. Given the number of comments received already and the effect the Program will have on defense contractors and subcontractors, DoD could very well go back to the drawing board, prolonging the winter without a final rule. Contractors, however, should proactively review their information systems’ security requirements against the existing requirements at FAR 52.204-21, DFARS 252.204-7012, NIST SP 800-171, and the Proposed Rule to ensure they stay ahead of—or at least with—the curve.

Alex Major

Mr. Major is a partner and co-leader of the firm’s Government Contracts & Export Controls Practice Group. Mr. Major focuses his practice on federal procurement, cybersecurity liability and risk management, and litigation. A prolific author and thought leader in the area of cybersecurity, his professional experience involves a wide variety of litigation and counseling matters dealing with procurement laws and federal regulations and standards. His diverse experience includes complex litigation in federal court under the qui tam provisions of the False Claims Act and bid protest actions. He counsels all sizes of companies on issues relating to compliance with government regulations including, among other things, cybersecurity (NIST, FIPS, FedRAMP, and DFARS) requirements, multiple award schedule compliance, Section 508 issues, country of origin requirements under the Buy American and Trade Agreements Acts, cost accounting, and small business requirements. He also regularly conducts internal investigations to assist companies ensure that they are in full compliance with the law.

Philip Lee

Philip Lee represents government contractors in a broad range of industries including professional services, information technology, and aerospace in bid protests, investigations, contract claims, including terminations for convenience and default, and disputes between subcontractors and prime contractors. He leverages his legal experience and practical knowledge to assist companies with the review and analysis of federal and state solicitations, compliance with federal procurement regulations and related statutes, including small business regulations and issues, and the preparation and negotiation of teaming agreements, joint venture agreements, and subcontracts.

Prior to joining the firm, Philip was an attorney-advisor for the Department of Homeland Security where he provided legal advice and recommendations on a variety of procurement matters including research and development, tests, and evaluation activities performed by public and private sector entities. He also previously served as a contracting officer with the Department of the Interior and was responsible for ensuring contracts, modifications, and both government and contractor performance were compliant with statutory law, the Federal Acquisition Regulation (FAR), and appropriations law.

Philip’s previous experience as both a government attorney and contracting officer provides a unique government contracts perspective to government contractors. This includes real-world experience in all aspects of the procurement cycle, from pre-solicitation to contract award and administration. Philip’s practical experience in federal procurement was further augmented while serving as an attorney-advisor where he counseled contracting officers with solicitation and pre-award reviews as well as defending bid protests before the Government Accountability Office. Philip’s unique insight provides a valuable perspective to government contractors and their procurement issues.