Department of Defense Issues CMMC 2.0 Proposed Rule

On December 26, 2023, the Department of Defense (DoD) issued a long-awaited proposed rule that, if enacted, would establish the Cybersecurity Maturity Model Certification (CMMC) Program, which is intended to strengthen cybersecurity in the DoD contracting community. The proposed rule is the latest development in the long-running CMMC saga, which began in 2019. The initial stages of DoD’s CMMC effort peaked in September 2020 when DoD issued a rule establishing the initial CMMC Program (CMMC 1.0). DoD later rescinded CMMC 1.0 and, in November 2021, developed CMMC 2.0, which adjusted various aspects of the CMMC Program. The proposed rule seeks to codify CMMC 2.0 with some adjustments from past CMMC 2.0 guidance documents. Comments on the proposed rule are due February 26, 2024.

In this Advisory, you will find the following:

I. Summary

II. Current Cybersecurity Requirements for Defense Contractors

• FAR 52.204-21
• DFARS 252.204-7012
• DFARS 252.204-7019 and DFARS 252.204-7020

III. CMMC

• Applicability
• CMMC Levels
• Assessments and Affirmations
• Cloud Products and Services
• Subcontractors
• Waivers

IV. Takeaways

I. Summary

• Overview: CMMC is DoD’s consolidated framework of cybersecurity requirements for unclassified non-federal information systems that defense contractors (including prime contractors and subcontractors) use to store, process, or transmit federal contract information (FCI) or controlled unclassified information (CUI) when performing DoD contracts. The proposed rule would create CMMC in the new 32 C.F.R. Part 170, but it does not propose new or revised Defense Federal Acquisition Regulation Supplement (DFARS) clauses. DoD does not anticipate issuing new DFARS provisions (though it might ultimately decide to do so), but it will revise DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements, and likely other clauses, in a future rulemaking. We anticipate that DoD will make any changes to the DFARS through an interim rule (rather than a proposed rule) because DoD is providing the Defense Industrial Base (DIB) with an opportunity to comment on the substance of CMMC through this proposed rule and issuing an interim rule would allow DoD to implement CMMC faster.
• Applicability: With the exception of contracts exclusively for commercially available off-the-shelf (COTS) items, CMMC will apply to all DoD contracts exceeding the micro-purchase threshold in which defense contractors will store, process, or transmit FCI or CUI using unclassified non-federal information systems. The proposed rule would allow DoD to waive CMMC requirements for particular procurements, though the proposed rule is light on details.
• CMMC Levels: CMMC 2.0 is, in many ways, a simplified version of CMMC 1.0. DoD proposes replacing the more complicated five “Maturity Levels” from CMMC 1.0 with three “CMMC Levels.” Those CMMC Levels align more closely with existing cybersecurity requirements:

• Plans of Action and Milestones (POA&Ms): DoD will only permit use of POA&Ms for specific security controls in NIST SP 800-171 and NIST SP 800-172, and contractors must close out all POA&Ms within 180 days.
• Assessments: The proposed rule contemplates different types of assessments depending on the CMMC Level and DoD discretion. For CMMC Level 1, defense contractors must perform Self-Assessments. For CMMC Level 2, DoD may, depending on the contract, require either a Self-Assessment or a Certification Assessment performed by a CMMC Third-Party Assessment Organization (C3PAO). For CMMC Level 3, DoD will assess compliance with NIST SP 800-172. DoD proposed a process for resolving disputes between contractors and C3PAOs and the Accreditation Body.
• Affirmations: Defense contractors must affirm compliance with the applicable CMMC Level after each assessment, after POA&M closeout, and annually thereafter. Affirmations must be submitted by a “senior official” of the contractor (i.e., the person responsible for ensuring compliance with CMMC).
• Timing: Unlike CMMC 1.0, DoD will not use a pilot program. Instead, DoD plans to implement CMMC in four phases over a three-year period:

• Enforcement: The proposed rule vests the CMMC Program Management Office (PMO) with authority to investigate allegations that an active CMMC Self-Assessment or CMMC Certification Assessment is inaccurate. The PMO may launch an investigation based on, among other things, “reports from the CMMC Accreditation Body, a C3PAO, or anyone knowledgeable of the security processes and activities of the OSA.”¹ The CMMC PMO can then revoke the assessment.

II. Current Cybersecurity Requirements for Defense Contractors

CMMC is premised largely on existing cybersecurity obligations, but it introduces additional requirements. Thus, familiarity with certain existing FAR and DFARS cybersecurity requirements is important for understanding CMMC.

FAR 52.204-21: FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, provides the most basic cybersecurity requirements for government contractors. That clause establishes 15 baseline security controls for any information system “owned or operated by a contractor that processes, stores, or transmits” FCI (i.e., “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government”).

DFARS 252.204-7012: Defense contractors that use covered contractor information systems (i.e., unclassified non-federal information systems that store, process, or transmit covered defense information)² are subject to broader requirements. DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires such contractors to provide “adequate security” for these information systems. Specifically, for covered information systems other than cloud services, defense contractors must comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (typically the version in effect when DoD issued the relevant solicitation unless amended). NIST SP 800-171 establishes 110 security controls and requires contractors to develop a system security plan (SSP) that, among other things, explains how those controls have been implemented. For any unimplemented controls, the contractor must prepare a POA&M that provides a path forward to implement those controls and explains how the contractor will mitigate risks in the interim. Cloud services provided by an external cloud service provider (CSP) must meet security requirements equivalent to at least the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline. Additionally, DFARS 252.204-7012 mandates cyber incident reporting and related requirements.

DFARS 252.204-7019 and DFARS 252.204-7020: At a high level, DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, requires offerors subject to DFARS 252.204-7012 to undergo a NIST SP 800-171 assessment in accordance with DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, and have a current assessment score (i.e., a score from an assessment conducted within the past three years) in the DoD Supplier Performance Risk System (SPRS) to be eligible for award of a prime contract. DFARS 252.204-7020 also prohibits prime contractors from awarding a subcontract if the prospective subcontractor has a covered contractor information system and has not completed the required assessment.

III. CMMC

DoD developed CMMC to address pitfalls in, and monitor compliance with, these FAR and DFARS clauses and otherwise bolster cybersecurity across the DIB. Below is an overview of the key elements of DoD’s proposed CMMC program.

A. Applicability

With the exception of contracts solely for COTS items, CMMC will apply to all DoD prime contracts and subcontracts where the prime contractor or subcontractor “handles FCI or CUI on its own contractor information systems.”³

B. CMMC Levels

CMMC 2.0 replaces the five maturity levels from CMMC 1.0 with three “CMMC Levels.” Below is a chart summarizing the CMMC Levels, followed by a more in-depth discussion of each level.

1. CMMC Level 1 (FCI and FAR 52.204-21; 32 C.F.R. § 170.15)

CMMC Level 1 is largely coextensive with FAR 52.204-21. Defense contractors that use non-federal information systems to store, process, or transmit FCI must implement the 15 security requirements in that clause. Unlike FAR 52.204-21, however, defense contractors will be required to formally self-assess their compliance with FAR 52.204-21, report Self-Assessment information in the SPRS, and “annually affirm continuing compliance” in the SPRS.

2. CMMC Level 2 (CUI and DFARS 252.204-7012; 32 C.F.R. § 170.16)

CMMC Level 2 generally aligns with the security provisions in DFARS 252.204-7012 (i.e., covered contractor information systems must comply with NIST SP 800-171), with important differences:

• Limitations on POA&Ms: POA&Ms would be limited to specific security controls and must “be closed out within 180 days of the assessment.”
• Assessments: The proposed rule contemplates two types of assessments: Self-Assessments performed by the contractor and CMMC Level 2 Certification Assessments performed by CMMC Third-Party Assessment Organizations (C3PAOs). Each contract will specify the type of assessment required. Self-Assessments are valid for three years, and defense contractors must enter assessment information into the SPRS.⁴ CMMC Level 2 Certifications are valid for up to three years, and C3PAOs enter assessment information into the CMMC Enterprise Mission Assurance Support Service (eMASS), which automatically transmits assessment information to the SPRS. Defense contractors with High confidence assessments under DFARS 252.204-7020 will be a step ahead, as DoD intends to allow contractors to rely upon those assessments for CMMC Level 2.
• Affirmation: Contractors must affirm compliance in the SPRS following each assessment, POA&M closeout, and annually.

3. CMMC Level 3 (CMMC Level 2, Plus Certain NIST SP 800-172 Controls; 32 C.F.R. § 170.17)

CMMC Level 3 builds upon CMMC Level 2. In addition to meeting CMMC Level 2, contractors must implement specific requirements from NIST SP 800-172.

• Limitations on POA&Ms: POA&Ms will be limited to specific security controls and must be closed out within 180 days of the assessment.
• Assessments: Defense contractors leverage CMMC Level 2 certifications, and DoD (through the Defense Contract Management Agency (DCMA), Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)), assesses compliance with the additional NIST SP 800-172 requirements. CMMC Level 3 assessments are valid for up to three years, and the DoD assessor enters assessment information into eMASS, which transmits that information to the SPRS.
• Affirmation: Contractors must affirm compliance in the SPRS following each assessment, POA&M closeout, and annually.

C. Assessments and Affirmations

Assessments will be based on the CMMC Scoring Methodology,⁵ which bears similarities to the NIST SP 800-171 DoD Assessment Methodologies. For each security control, the contractor will receive a finding of “MET,” “NOT MET,” or “NOT APPLICABLE.” Currently, DFARS 252.204-7012 vests the DoD CIO (or an authorized representative of the DoD CIO) with authority to adjudicate variances from NIST SP 800-171, including determining whether specific controls are nonapplicable or authorizing an alternative security measure.⁶ It is not clear whether DoD intends to maintain this process before a defense contractor or whether a C3PAO can declare a security control “NOT APPLICABLE” under the CMMC Scoring Methodology.

Affirmations are required at the intervals explained above, must be submitted in SPRS by a senior official of the contractor, and must include that official’s name, title, and contact information and the affirmation statement provided in the regulations.⁷ The official must be the senior official responsible for ensuring compliance with CMMC.

D. Cloud Products and Services

Cloud products and services will be subject to CMMC and must meet the FedRAMP Moderate Baseline security requirements to achieve CMMC Level 2. CSP offerings are considered CMMC Level 2-compliant if they are FedRAMP Authorized at the FedRAMP Moderate baseline or, alternatively, meet the FedRAMP Moderate baseline, as documented in the CSP’s SSP and a Customer Responsibility Matrix (CRM). On-premises cloud offerings must have a SSP and CRM and be assessed as part of CMMC assessments.⁸

E. Subcontractors

The proposed rule would require subcontractors throughout the supply chain to comply with CMMC.⁹ Prime contractors and higher-tier subcontractors must “require subcontractor compliance,” but the proposed rule would not require prime contractors or higher-tier subcontractors to monitor subcontractor compliance. The CMMC Level that will apply to a subcontractor is the CMMC Level that aligns with the type of information the subcontractor will store, process, or transmit, which may be different from the CMMC Level that applies to the prime contractor or a higher-tier subcontractor. For instance, a prime contractor with CUI would need to meet CMMC Level 2 requirements, but a subcontractor with only FCI would only need to achieve CMMC Level 1.

F. Waivers

The proposed rule would permit DoD “Program Managers to seek approval to waive inclusion of CMMC requirements in solicitations that involve disclosure or creation of FCI or CUI as part of the contract effort.”¹⁰ The proposed rule lacks details on the waiver process.

IV. Takeaways

• Start Preparing Now: Defense contractors should promptly develop or improve SSPs for covered contractor information systems and address and close open items in POA&Ms. Under the new regime, DoD will require accurate CMMC Level assessments as a condition of award and prior to DoD exercising option periods. The proposed rule would limit contractor flexibility to implement applicable security controls, including limiting POA&Ms to specific NIST SP 800-171 (CMMC Level 2) and NIST SP 800-172 (CMMC Level 3) controls and requiring those POA&Ms to be closed out within 180 days. Although this is a proposed rule, we do not expect material changes to the basic elements of CMMC. Defense contractors that delay these efforts might find themselves ineligible for contract awards and extensions or the target of investigations and enforcement actions, including under the False Claims Act (FCA).¹¹
• Open Questions Regarding Task and Delivery Orders: The proposed rule is not clear about how CMMC will apply to contract vehicles (e.g., IDIQ contracts) and task and delivery orders. Will DoD require assessments at the contract vehicle level (e.g., prior to award of an IDIQ contract)? If so, how will DoD determine which CMMC Level applies, since no work is performed and no information is exchanged prior to DoD issuing an order? Could DoD require CMMC Level 1 Self-Assessments at the IDIQ level and require compliance with CMMC Levels 2 and 3 depending on the nature of an order? We expect DoD to clarify this issue in the final rule or in revisions to DFARS 252.204-7021.
• Consider Scoping the Information Technology Environment: The proposed rule places the burden on the contractor of properly defining the information technology (IT) environment subject to CMMC assessments. This could prove to be a challenging process for contractors with dispersed information systems and may require changes to the IT environment. Consider an enterprise-wide approach or, alternatively, a segregated and dedicated environment for federal (or DoD) contracts. This could ease the scoping process and limit the risk of FCI or CUI spillage onto other systems.
• NIST SP 800-171 Revision 3: In May 2023, NIST released an initial public draft of Revision 3 to NIST SP 800-171. (We discussed that draft in a prior Advisory.) On November 9, 2023, NIST issued a final public draft of that revision. Revision 3, if issued, could create a conflict between CMMC and DFARS 252.204-7012. The proposed CMMC rule would require compliance with NIST SP 800-171 Rev 2 for CMMC Level 2. DFARS 252.204-7012, however, requires defense contractors to comply with the version of NIST SP 800-171 “in effect at the time the solicitation is issued or as authorized by the Contracting Officer.”¹² Perhaps DoD anticipates relying on Revision 2 on an ongoing basis under the “as authorized by the Contracting Officer” provision, but we expect DoD to clarify this issue in any revisions to DFARS clauses.
• Consider Involving Legal Counsel and a Third-Party Cybersecurity Consultant in Assessments: Defense contractors should involve legal counsel with proficiency in these cybersecurity requirements, including when conducting Self-Assessments and in connection with internal assessments prior to undergoing a Certification Assessment. Given the potentially significant consequences resulting from noncompliance, including CMMC PMO, DoD Office of Inspector General, and Department of Justice investigations and associated liability, involving legal counsel from the outset can support a contractor's efforts to achieve compliance and undertake any necessary remediation.
• Consider Submitting Comments: As noted above, DoD will likely revise various DFARS provisions through an interim rule, leveraging any comments that it receives on the substance of the pending CMMC proposed rule. Thus, defense contractors should consider submitting comments either independently or through an industry group by the February 26, 2024 deadline.

© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.