On December 26, 2023, the Department of Defense (“DoD”) belatedly gifted defense contractors and subcontractors a Proposed Rule on the Cybersecurity Maturity Model Certification (“CMMC”) Program. DoD also released eight CMMC guidance documents, providing interested parties a one-two combo of what to expect under the Program. The Proposed Rule has already received over 100 comments. With commenting open until February 26, 2024, will DoD proceed with a final rule, or is the Proposed Rule a Groundhog Day scenario with DoD further delaying final implementation of the CMMC Program?
First announced in 2019, the CMMC Program was designed to verify the protection of sensitive unclassified information shared between DoD and its contractors and subcontractors or generated by contractors or subcontractors on behalf of DoD. In September 2020, DoD published an interim rule on the Program (“CMMC 1.0”), Defense Federal Acquisition Regulation Supplement (“DFARS”) Case 2019-D041, to establish the Program’s basic framework. In November 2021, DoD updated the Program as CMMC 2.0 by revising the Program’s structure and requirements, including streamlining the CMMC levels from five to three. Now, more than two years later, the Proposed Rule intends on implementing the Program through formal rulemaking—almost.
While there is still rulemaking left to accomplish, namely as it relates to the operative contract clause(s), the Proposed Rule creates the new 32 C.F.R. Part 170 to “establish requirements for a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have… implemented required security measures [to safeguard sensitive unclassified information.]” The Proposed Rule addresses certain policy problems, identified by DoD to include:
- Verifying contractor cybersecurity requirements, as current regulations do not provide DoD with an assessment of a defense contractor’s or subcontractor’s implementation of the information protection requirements within pertinent clauses;
- Implementing cybersecurity requirements by specifying the required CMMC level in the solicitation; and
- Addressing scaling challenges by utilizing a private-sector accreditation structure.
To address these policy problems, the Proposed Rule establishes the CMMC Program Management Office, which is empowered to investigate and act upon assessments that have been called into question. See 32 C.F.R. § 170.6(b). Further, the Proposed Rule would require that solicitations specify the CMMC level for a particular requirement and require an assessment as a condition of contract award. See id. at § 170.3(e). Finally, the Proposed Rule would establish an Accreditation Body responsible for authorizing and ensuring the accreditation of CMMC Third-Party Assessment Organizations (“C3PAOs”) to scale assessment needs at CMMC Level 2. See id. at § 170.8.
The CMMC Basics
Consistent with CMMC 2.0, the Proposed Rule utilizes three CMMC assessment levels. The highest level, CMMC Level 3, is for those requirements with heightened security concerns, particularly to address the risk of an Advanced Persistent Threat, defined in the Proposed Rule to mean “an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception).” Level 2, just one rung below, will operate where most contractors burdened by DFARS 252.204-7012 have been required to operate. And Level 1 will effectively be a new requirement levied on a bevy of contractors that may not have even begun thinking of cybersecurity as something necessary for the operation of their business or their contracts/subcontracts. Taking its cue from Federal Acquisition Regulation (“FAR”) 52.204-21, contractors focused on Level 1 will be assessed against their ability to properly safeguard Federal Contract Information (“FCI”).
Those familiar with CMMC 2.0 will be familiar with the general framework under the Proposed Rule. The Proposed Rule builds on CMMC 2.0, aligning requirements more closely with existing and emergent cybersecurity requirements using the applicable level determined by the type of information processed, stored, or transmitted through a contractor’s/subcontractor’s information system. An overview of each level is as follows:
CMMC Level 1 (Self-Assessment)
- In-Scope Assets: These include all assets that process, store, or transmit FCI, defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government,” exclusive of “information provided by the Government to the public (such as on public websites) or simple transactional information.”
- Security Requirements: Assessments will evaluate compliance with FAR 52.204-21 (15 security requirements).
- Plan of Action and Milestones (“POA&M”): POA&Ms are not allowed. All controls must be operational for assessment.
- Other Considerations: Other assets, i.e., Internet of Things (“IoT”) devices (defined in NIST SP 800-172A); Operational Technology (“OT”), which is programmable systems or devices that interact with the physical environment; or Government Furnished Equipment (“GFE”) (defined in FAR 45.101), are not part of a CMMC Level 1 assessment.
- Assessment and Affirmation: Self-assessments are required annually, with the results posted in the Supplier Performance Risk System (“SPRS”). In addition, a senior official of the contractor, and any applicable subcontractor, must complete an affirmation of continued compliance in SPRS annually.
CMMC Level 2 (Self- or Third-Party Assessment)
- In-Scope Assets: These include assets that process, store, or transmit Controlled Unclassified Information (“CUI”), as defined at 32 C.F.R. § 2002.4(h). Also included are Security Protection Assets (i.e., assets that provide security functions or capabilities to the contractor’s assessment scope, regardless of whether these assets store, process, or transmit CUI); Contractor Risk Managed Assets (i.e., assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place); and Specialized Assets (i.e., IoT devices, OT, GFE, restricted information systems, etc.).
- Security Requirements: Assessments will be evaluated against the requirements in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 Rev 2 (110 security requirements).
- POA&M: POA&Ms are allowed with any identified deficiencies remediated within 180 days.
- Other Considerations: External Service Providers (“ESPs”) (i.e., managed service providers) utilized by the contractor to process, store, or transmit CUI or Security Protection Data (e.g., log data or configuration data) must have a CMMC Level 2 Final Certification Assessment. Contractors using a Cloud Service Provider (“CSP”) to store, process, or transmit CUI must comply with the requirements at 32 C.F.R. § 170.16(c)(2) or 170.17(c)(5) for a self-assessment or C3PAO assessment, respectively.
- Assessment and Affirmation: Assessments must be completed and uploaded into SPRS triennially. Affirmation of continued compliance must be completed in SPRS annually.
CMMC Level 3 (DoD-Led Assessment)
- In-Scope Assets: (1) Assets that process, store, or transmit CUI; (2) Security Protection Assets; (3) Contractor Risk Managed Assets; and (4) Specialized Assets.
- Security Requirements: Assessments will evaluate compliance with NIST SP 800-171 Rev 2 and NIST SP 800-172 (24 selected security requirements).
- POA&M: POA&Ms are allowed with any identified deficiencies remediated within 180 days.
- Other Considerations: ESPs utilized by the contractor must have a CMMC Level 3 Final Certification Assessment. Contractors using a CSP must comply with the requirements at 32 C.F.R. § 170.18(c)(5).
- Assessment and Affirmation: Assessments must be completed and uploaded into SPRS triennially. Affirmation of continued compliance must be completed in SPRS annually.
The Proposed Rule also provides guidance on the relationship between CMMC Levels 2 and 3. Before a contractor can proceed with a CMMC Level 3 assessment of its information systems, the contractor must have first obtained a CMMC Level 2 Final Certification Assessment of those systems. This requires that the assessment scope at CMMC Level 3 be equal to or a subset of a contractor’s CMMC Level 2 assessment scope. Further, any CMMC Level 2 POA&M items must be closed prior to a contractor’s initiation of a CMMC Level 3 certification assessment.
External IT Resources
As illustrated above, the Proposed Rule expands the scope of cyber assessment to a new subset of contracts and enhances the assessment scope under CMMC Levels 2 and 3 to include ESPs and CSPs, depending on how they integrate with a defense contractor’s information system. Under the Proposed Rule, an ESP consists of “external people, technology, or facilities that an organization utilizes for [the] provision and management of comprehensive [information technology (‘IT’)] and/or cybersecurity services[.]” If a contractor uses ESP assets to process, store, or transmit CUI or Security Protection Data (e.g., log data or configuration data), ESP assets must similarly undergo a CMMC Level 2 or 3 Final Certification Assessment.
The Proposed Rule defines a CSP as “an external company that provides a platform, infrastructure, applications, and/or storage services [through the provisioning of scalable computing resources through a ‘cloud’ environment] for its clients.” Under the Proposed Rule, defense contractors and subcontractors undergoing a CMMC Level 2 or 3 assessment may use a cloud environment to process, store, or transmit CUI in the execution of a contract or subcontract, provided that the CSP’s product or service offering is either: (1) Federal Risk and Authorization Management Program (“FedRAMP”) Authorized at the FedRAMP Moderate (or higher) baseline in accordance with the FedRAMP Marketplace or (2) not FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline but meets the security requirements equivalent to those established by the FedRAMP Moderate (or higher) baseline. In addition, the CMMC assessment scope will encompass the contractor’s on-premises infrastructure connecting to the CSP’s product or service offering. This requires the documentation of security requirements in the contractor’s System Security Plan (“SSP”). Defense contractors will need to work through the additional complexities and costs of using ESPs/CSPs while demonstrating compliance with the Program.
Adjudication and Appeals
The Proposed Rule also provides an appeal process for contractors disappointed with the outcome of a Level 2 assessment performed by a C3PAO. The Proposed Rule requires C3PAOs to establish a process by which to address all appeals arising from a CMMC Level 2 assessment. Appeals a C3PAO is unable to resolve are elevated to the Accreditation Body, a DoD-approved organization responsible for authorizing and accrediting members of the CMMC Assessment and Certification Ecosystem, for resolution. However, the Proposed Rule does not say what recourse a defense contractor may have following an unfavorable decision from the Accreditation Body, stating only that the Accreditation Body’s decision is final. See id. at § 170.8(b)(16).
So Now What?
The above summary merely skims the surface of the Proposed Rule. For convenience, please find here a double-sided “Place Mat” intended to help readers and leaders understand the ins and outs of what we know and don’t know about CMMC. When combined, the Proposed Rule and CMMC guidance documents total nearly 580 pages. Further, the Proposed Rule itself incorporates by reference a multitude of additional standards and guidelines applying to the Program. Contractors would benefit from a careful review of the Program as envisioned in the Proposed Rule.
In addition, CMMC compliance will not come cheap for defense contractors and subcontractors. Table 32 of the Proposed Rule estimates that complying with the Program will run small entities $2.6 million in annualized costs over a 20-year horizon in 2023 dollars at a 7 percent discount rate. Providing some solace, perhaps, is the fact that the Proposed Rule anticipates a four-phased implementation approach of the Program, once effective.
It remains to be seen what changes DoD makes with the Proposed Rule once the comment period closes. Given the number of comments received already and the effect the Program will have on defense contractors and subcontractors, DoD could very well go back to the drawing board, prolonging the winter without a final rule. Contractors, however, should proactively review their information systems’ security requirements against the existing requirements at FAR 52.204-21, DFARS 252.204-7012, NIST SP 800-171, and the Proposed Rule to ensure they stay ahead of—or at least with—the curve.