CMMC 2.0: Bottom Line Up Front
On October 15, 2024, the U.S. Department of Defense (DoD) published a Final Rule implementing the Cybersecurity Maturity Model Certification (CMMC) 2.0 Program. The Final Rule, codified at 32 C.F.R. Part 170 and effective December 16, 2024, gives the DoD a framework for strengthening the cybersecurity posture of the U.S. Defense Industrial Base (DIB). It applies to defense contractors and subcontractors that process, store, or transmit unclassified information that qualifies as federal contract information (FCI) or controlled unclassified information (CUI).
Companies should also be aware that the DoD has initiated a Defense Federal Acquisition Regulation Supplement (DFARS) rule change to implement the CMMC 2.0 Program contractually, which is expected to be finalized early next year. Once the DFARS has been updated, the DoD will begin including CMMC 2.0 Program requirements in solicitations and contracts under which a contractor or subcontractor will process, store, or transmit FCI or CUI, and companies will be required to hold the appropriate CMMC level as a condition of contract award.
What Is the CMMC 2.0 Program?
CMMC 2.0 is a DoD framework intended to enhance protection of unclassified information designated as either federal contract information (FCI) or controlled unclassified information (CUI) within the DIB and throughout the DoD supply chain. The CMMC 2.0 Program ends the practice of DIB contractors relying solely on self-attestation of compliance with cybersecurity requirements. Going forward, self-assessment will still be permitted in some instances, but in many cases companies will be required to undergo objective third-party assessments and obtain certification at the CMMC 2.0 level applicable to the contract they will perform. The DoD intends to use the CMMC 2.0 framework to gain assurance that companies in the DIB ecosystem are meeting the federal cybersecurity requirements applicable to non-federal IT systems that process FCI and CUI.
The CMMC 2.0 framework builds on cybersecurity requirements that have been in place for some time and does not impose new technical requirements; what is new is the assessment, certification, and annual affirmation requirements. The existing requirements on which the CMMC 2.0 Program is built currently include:
- FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems (which contains 15 basic safeguarding requirements and procedures that contractors and subcontractors must implement to ensure the protection of FCI).
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (which requires contractors to safeguard CUI by implementing NIST SP 800-171, currently Revision 2 under a DoD class deviation, and to report cyber incidents).
- DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements (which supports DFARS 252.204-7012 by requiring a company to have a current Basic NIST SP 800-171 DoD Assessment, not more than three years old, posted in the Supplier Performance Risk System [SPRS] in order to be considered for award).
- DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements (which requires a company to give the government access to its facilities, systems, and personnel when necessary to conduct or renew a Medium or High NIST SP 800-171 DoD Assessment).
- DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements (which lays the groundwork for rollout of the CMMC 2.0 Program by requiring contractors to hold a current CMMC certificate at the level required by the contract and to flow this requirement down to subcontractors).
These regulations seek to ensure that defense contractors and subcontractors comply with applicable cybersecurity requirements before contract award. At this time, the CMMC 2.0 Program does not apply to commercial off-the-shelf (COTS) procurements or to awards at or below the micro-purchase threshold.
Assessments and Affirmations Required for CMMC Levels 1-3
Contractors bidding on DoD contracts with FCI or CUI will be informed by the solicitation of the applicable CMMC 2.0 Program level required to be considered eligible for award.
Level 1 applies to basic safeguarding of FCI and requires companies to fully implement the 15 cybersecurity requirements set forth in FAR 52.204-21. Contractors will be allowed to self-assess and post their results in SPRS; a Level 1 self-assessment must be repeated, and affirmed, annually. Importantly, partial implementation of the 15 requirements is not permitted at Level 1, so a company can no longer rely on a Plan of Action & Milestones (POAM) to cover requirements it has not yet implemented.
Level 2 applies to broad protection of CUI and requires companies to implement all 110 security requirements in NIST SP 800-171 Revision 2 (assessed using the procedures in NIST SP 800-171A), as already required by DFARS 252.204-7012. At this level, the solicitation will dictate whether a company may self-assess and post its score in SPRS or must engage a CMMC Third-Party Assessment Organization (C3PAO) to assess its implementation of the 110 requirements and record the result in the CMMC Enterprise Mission Assurance Support Service (eMASS). Level 2 permits a conditional status if at least 80% of the 110 requirements (a score of 88 or higher) are met, provided that the remaining items are not designated as critical (generally, those weighted at one point under the DoD assessment methodology), that the company completes 100% implementation within 180 days, and that it undergoes a POAM closeout assessment and affirmation, which will be posted in SPRS or eMASS as applicable. Level 2 results, whether self-assessed or C3PAO-certified, are valid for three years and must be affirmed annually in SPRS.
Level 3 is required to provide heightened protection of CUI against advanced persistent threats. It requires contractors to hold a final Level 2 certification from a C3PAO and to implement 24 additional selected security requirements from NIST SP 800-172 (February 2021). Once these requirements have been implemented, the company requests an assessment by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), which verifies implementation and enters the contractor's result in eMASS. Level 3 results are valid for three years and must be affirmed annually in SPRS by the contractor's affirming official. Level 3 also permits a conditional status; a POAM is allowed only for noncritical security requirements and must be closed out within 180 days. If a POAM is used, the company must obtain a POAM closeout assessment from the DIBCAC.
Takeaways
There are several factors that companies should consider with the impending implementation of the CMMC 2.0 Program:
- CMMC 2.0 requirements will flow down to subcontractors at all tiers that will handle FCI or CUI. Prime contractors will be responsible for confirming that subcontractors hold the appropriate CMMC 2.0 level before awarding a subcontract. Until there is an electronic method for doing so, prime contractors will need to rely on written certifications from subcontractors.
- CMMC 2.0 will apply to all DoD solicitations and contracts above the micro-purchase threshold that involve FCI or CUI. Although the proposed DFARS amendment is expected to require contracting officers to specify the required CMMC level in the solicitation, the breadth of the prescriptive language makes it likely that DoD will simply include the clauses in all contracts whether or not FCI or CUI is present, as it has done with DFARS 252.204-7012. Companies will therefore need to determine for themselves whether a given contract actually requires a CMMC level, based on whether FCI or CUI will actually be processed, stored, or transmitted in performance.
- CMMC 2.0 does not require all of a company's IT systems to meet the applicable cybersecurity requirements, only those that process, store, or transmit FCI or CUI. Companies will need to identify which systems handle FCI or CUI, define the assessment boundary accordingly (for example, by isolating CUI in a dedicated enclave), and keep that information segregated from the rest of the enterprise so that the scope of assessment does not expand to systems that never touch it.
- Contracting officers will not be permitted to award a contract unless the contractor has a current result for the required CMMC level in SPRS at the time of award. Because implementing the security requirements and obtaining third-party certification are time-consuming and costly, contractors will need to weigh the cost of implementation against the likelihood of award, and they cannot afford to wait for an award before beginning implementation.
- Companies should expect increased enforcement related to the CMMC 2.0 Program. The U.S. Department of Justice has already pursued False Claims Act cases, including under its Civil Cyber-Fraud Initiative, against companies that failed to fully implement and document compliance with NIST SP 800-171 as required by DFARS 252.204-7012, and it will likely increase its scrutiny of companies that fail to meet the ongoing compliance, assessment, affirmation, and certification requirements of the CMMC 2.0 Program.
Goodwin’s Government Contracts and Grants Team is well versed in assisting companies as they navigate the changing regulatory landscape. Please contact the authors of this alert if you have questions.
This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.
Contacts
- Joshuah Turner, Counsel (/en/people/t/turner-joshuah)
- Jessica Aldrich, Senior Associate (/en/people/a/aldrich-jessica)
- Katerina Dee, Associate (/en/people/d/dee-katerina)
- Alexander Vivona, Associate (/en/people/v/vivona-alexander)