Defense Department Unveils Final Rule for CMMC 2.0 Program

The Time Is Now for Defense Contractors To Get Compliant. 

If you work for a defense contractor or subcontractor that handles controlled unclassified information (CUI) and/or federal contract information (FCI), take note: the U.S. Department of Defense (DoD) has posted the final rule for the long-anticipated Cybersecurity Maturity Model Certification 2.0 program (CMMC 2.0 or the Final Rule). Issuance of the Final Rule (full text available here in PDF format) likely means DoD will begin phasing new, stringent cybersecurity requirements into defense contracts at some point in early-to-mid 2025.

Defense contractors and subcontractors should already be implementing the security requirements of NIST SP 800-171 in preparation for CMMC compliance. Defense contractors have been contractually required to comply with NIST SP 800-171 since 2016 under the existing DFARS 252.204-7012 clause, which also obligates them to rapidly report "cyber incidents" to DoD (within 72 hours of discovery). In many respects, CMMC 2.0 formalizes foundational requirements that are already in DoD contracts and subcontracts and adds verification to them: where DFARS 252.204-7012 relies on the contractor's own representation of compliance, CMMC 2.0 adds assessment, certification, and a recurring affirmation.

Contractors and subcontractors that know they will fall within the scope of CMMC 2.0 should take proactive steps now to prepare for the self-assessments and certification assessments needed to evaluate and achieve compliance efficiently.

The Complicated Legal Two-Step That Must Occur

DoD has indicated it will begin phasing in the CMMC 2.0 requirements only after two separate rulemakings are complete. The Final Rule amends Title 32 of the Code of Federal Regulations (32 CFR Part 170, where the substantive CMMC program and security requirements reside). A separate rule amending Title 48 (the DFARS, where the contract clause itself resides) must still be finalized before contracting officers can include CMMC requirements in solicitations and contracts. Implementation of CMMC 2.0 could therefore be held up until the Title 48 rule is in place. At present, a lengthy delay seems unlikely, and defense contractors should begin preparing now for the CMMC 2.0 rollout.

Overview of the CMMC 2.0 Framework

CMMC 2.0 is a tiered cybersecurity framework that requires defense contractors working with CUI and/or FCI to meet one of three levels of compliance. The required level is determined by the sensitivity of the information the contractor handles and is specified in the solicitation or contract.

According to § 170.3 of the Final Rule, CMMC 2.0 applies to “all DoD contract and subcontract awardees that will process, store, or transmit information, in performance of the DoD contract, that meets the standards for FCI or CUI on contractor information systems.” In addition, CMMC 2.0 applies to “private-sector businesses or other entities comprising the CMMC Assessment and Certification Ecosystem.”

CMMC 2.0 requirements apply to all DoD solicitations and contracts pursuant to which a defense contractor or subcontractor will process, store, or transmit FCI or CUI on unclassified contractor information systems, including those for the acquisition of commercial items. There is a limited exception for contracts solely focused on commercially available off-the-shelf items.

The tiered CMMC level requirements are described in §§ 170.14 – 170.18 of the Final Rule. Each of the three levels carries its own set of security requirements and its own assessment type, which may include an independent certification assessment by an accredited third party. The three levels are:

  • CMMC Level 1 – Applicable to contractors that handle FCI but not CUI.
  • CMMC Level 2 – Applicable to contractors that handle CUI.
  • CMMC Level 3 – Applicable to contractors supporting DoD’s most critical programs and technologies.

Defense contractors at Level 1 must perform an annual self-assessment and submit an annual affirmation asserting that the contractor has implemented all 15 basic safeguarding requirements for protecting FCI (the requirements of FAR 52.204-21), as set forth in 32 CFR 170.14(c)(2).

Defense contractors at Level 2 must be prepared for either a self-assessment or a certification assessment conducted by a CMMC Third Party Assessor Organization (C3PAO), depending on which the solicitation requires. Level 3 contractors must first hold a Level 2 C3PAO certification and then undergo a Level 3 certification assessment conducted by DoD itself (the Defense Contract Management Agency’s DIBCAC), not by a C3PAO. A certification assessment is valid for three years, although that period may be cut short if the contractor makes significant changes to an assessed system. The assessment framework is described in §§ 170.8 – 170.13 of the Final Rule.

Level 2 contractors must implement all 110 security requirements of NIST SP 800-171 (the Final Rule references Revision 2), which encompass the Level 1 requirements. Level 3 contractors must satisfy all Level 2 requirements plus 24 selected security requirements from NIST SP 800-172.

In addition to regular assessments, the Final Rule requires a “senior level representative” of the contractor (the Affirming Official) to submit an affirmation of compliance, entered in the Supplier Performance Risk System (SPRS). Affirmations must be submitted annually and after each CMMC assessment (whether a self-assessment or a certification assessment), including after the closeout of any Plan of Action and Milestones (POA&M). According to § 170.22 of the Final Rule, the affirmation must attest that the defense contractor “has implemented and will maintain implementation of all applicable CMMC security requirements to their CMMC Status for all information systems within the relevant CMMC Assessment Scope.” Because the affirmation is a representation made to the government, an inaccurate affirmation carries legal exposure beyond the loss of a contract.

Limited Waiver of CMMC Requirements

According to § 170.5(d) of the Final Rule, “in very limited circumstances, and in accordance with all applicable policies, procedures, and requirements, a Service Acquisition Executive or Component Acquisition Executive in the DoD, or as delegated, may elect to waive inclusion of CMMC Program requirements in a solicitation or contract.” Thus, there is the rare possibility of a waiver of these requirements. Note that a waiver removes only the CMMC assessment and certification requirement from a given solicitation or contract: even if a waiver is granted, defense contractors and subcontractors must still “comply with all applicable cybersecurity and information security requirements,” including the NIST SP 800-171 obligations under DFARS 252.204-7012.

DoD’s language describing the waiver process indicates defense contractors and subcontractors should not rely on a potential waiver to circumvent CMMC 2.0 requirements. DoD is stating, in plain language, that a waiver is not something that will be generally granted and is only an option under specific, “limited circumstances.”

CMMC 2.0 Compliance Recommendations

The time is now for defense contractors and subcontractors to get compliant with the cybersecurity requirements set forth in the Final Rule. To help strengthen your organization’s compliance posture, consider taking the following proactive steps:

  • Develop and implement a CMMC Readiness Plan. All contractors that currently handle, or would like to handle, FCI or CUI should put a plan in place to become CMMC certified. Regardless of whether they plan to certify now, contractors should begin aligning their security posture to CMMC’s requirements before the program is fully implemented.
  • Review and Update Internal Cybersecurity Policies: Now that CMMC 2.0 is upon us, take the time to review and update your internal policies and procedures governing the handling of regulated data, including CUI and FCI. Importantly, make sure those policies and procedures align with NIST SP 800-171.
  • Develop a System Security Plan (SSP): To prepare for a self-assessment or C3PAO assessment under CMMC 2.0, develop an SSP that details how each security requirement is implemented. An SSP is itself a NIST SP 800-171 requirement (3.12.4), and assessors use it as the starting point for an assessment. Creating an SSP also helps your organization identify what regulated data currently exists on your network and how that data is handled.
  • Analyze the Impact of CMMC 2.0 on Suppliers: Since CMMC 2.0 applies at all tiers of the defense supply chain, and prime contractors must flow the applicable CMMC level down to subcontractors that will handle FCI or CUI, engage with suppliers and teaming partners now to assess the impact of CMMC 2.0’s requirements on them.
  • Consider a Dedicated Federal Environment on Your Network: If your organization handles a large volume of FCI and/or CUI, it may be worthwhile to set up a dedicated, segmented network environment (an enclave) for this data. Confining regulated data to a dedicated environment narrows the CMMC Assessment Scope that a self-assessment or C3PAO assessment must cover, reduces the portions of the network that carry regulated data, and decreases the chance of commingling regulated data with other data types.

If you are a defense contractor or subcontractor looking for guidance on how to become compliant with CMMC 2.0, or on other contracting compliance issues, please contact a member of the Woods Rogers Cybersecurity & Data Privacy practice team or Construction & Government Contracts practice team.
