Over the course of the past few years, gallons of ink have been spilled addressing the seemingly ever-pending US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) Program. After keeping us waiting for years, it finally arrived when, on October 15, 2024, DoD published its Final Rule establishing the CMMC Program. See 89 Fed. Reg. 83092 (Oct. 15, 2024). Effective December 16, 2024, the Rule will require certain defense contractors to have implemented the security measures necessary to achieve the CMMC level that safeguards Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as a condition of contract award. Codified at 32 C.F.R. Part 170, the CMMC Program will be augmented by a separate proposed acquisition rule amending 48 C.F.R. Part 204 and related parts of the Defense Federal Acquisition Regulation Supplement (DFARS) to address procurement considerations for the CMMC Program, including allowing DoD to require a specific CMMC level in a solicitation or contract. See 89 Fed. Reg. 66327 (Aug. 15, 2024) and our earlier analyses. The date when that DFARS rule will become final is still unclear, but most suspect it will be soon.
To cut to the chase, if you are a current or prospective defense contractor, there is no need to fret that full compliance is required by December 16, 2024; it is not. Rather, DoD intends to roll out the CMMC Program in four phases. Contractors should nevertheless plan now, if they have not already done so, to inventory their DoD contracts and subcontracts and identify where the CMMC Program may apply. Defense contractors should also proactively determine what they must do to achieve, pursue, and maintain defense contracts expected to be covered by the CMMC Program. So, instead of focusing on the myriad issues inherent in the CMMC Program, which this site will address in subsequent articles, here we focus on the Program's applicability and rollout to help companies prepare for its landing.
The Who and the What: At its foundation, the CMMC Program will apply to “all DoD contracts and subcontract awardees that process, store, or transmit information” that constitutes FCI or CUI. Using the definition at FAR 4.1901, FCI is essentially nonpublic information provided by or generated for the government under a contract. FCI does not include government information provided to the public or simple transactional information, such as invoicing or payment processing information. Using the definition at 32 C.F.R. §2002.4(h), CUI is unclassified “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” The phrase “process, store, or transmit” is given particular meaning under the Final Rule, with the terms to mean the following:
- “Process” means “data can be used by an asset (e.g., accessed, entered, edited, generated, manipulated, or printed).”
- “Store” means “data is inactive or at rest on an asset (e.g., located on electronic media, in system component memory, or in physical format such as paper documents).”
- “Transmit” means “data is being transferred from one asset to another asset (e.g., data in transit using physical or digital transport methods).”
When applicable, prime contractors and subcontractors throughout the supply chain, at all tiers, must comply with the CMMC Program. That said, not all information systems that process, store, or transmit FCI or CUI are covered under the Final Rule. Specifically, a contractor's or subcontractor's operation of a federal information system on behalf of the government is outside the scope of the CMMC Program. Further, the Program does not apply to procurements at or below the micro-purchase threshold ($10,000), and although it applies to acquisitions of commercial products and services above that threshold, it does not extend to acquisitions exclusively for commercially available off-the-shelf (COTS) items.
The How and the When: As mentioned earlier, DoD intends to implement the CMMC Program in four phases. These four phases will play out over the course of three years. Each successive phase builds on the preceding phase while onboarding additional security controls required at the higher CMMC levels. Rather than beginning phased implementation of the CMMC Program on December 16, 2024, when the Final Rule becomes effective, DoD plans to begin when the Final Rule amending 48 C.F.R. Part 204 implementing the CMMC acquisition rule takes effect. However, once that rule becomes effective:
- Phase 1 will implement and cover requirements for all applicable DoD solicitations and contracts requiring a CMMC Level 1 (self-assessment) or CMMC Level 2 (self-assessment) certification as a condition of contract award.
- Phase 2, beginning one calendar year following Phase 1’s start date, builds on Phase 1 and will implement and cover requirements for all applicable DoD solicitations and contracts requiring a CMMC Level 2 (C3PAO) certification as a condition of contract award.
- Phase 3 will begin one calendar year following Phase 2’s start date, building on Phase 2 by implementing and covering requirements for all applicable DoD solicitations and contracts requiring a CMMC Level 2 (C3PAO) certification as a condition of contract award and as a condition to exercising an option period on a contract awarded after the effective date. Phase 3 will also implement and cover requirements for CMMC Level 3 (DIBCAC) for all DoD solicitations and contracts as a condition of contract award.
- Phase 4, which begins one year following Phase 3’s start date, will include CMMC requirements in all applicable DoD solicitations and contracts, including contract option exercises, shifting the Program from an onboarding process to a steady state.
Now that DoD has laid out, albeit roughly, how it intends to roll out the CMMC Program, defense contractors must determine whether they are SPRS-ready. SPRS, the Supplier Performance Risk System, is where a contractor's CMMC Level status, assessment score, and certification results are retained. If applicable, the closeout assessment results for any Plan of Action & Milestones (POA&Ms) and the required affirmations of continued compliance under the CMMC Program are also retained in SPRS. A POA&M documents the security requirements that an assessment found the contractor has not met, the resources required to remediate those gaps, and a milestone schedule for resolving them. Which of these artifacts are required, and how often they must be updated in SPRS, ultimately depend on the CMMC level sought. Knowing what is required at each level is therefore necessary.
Levels and Assessments: The Final Rule establishes three CMMC levels and four assessment methods. At CMMC Levels 1 and 2, self-assessment by the contractor is available. At CMMC Level 2, a contractor may also undergo a CMMC assessment performed by a CMMC Third-Party Assessment Organization (C3PAO). At CMMC Level 3, only government personnel, through the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), perform the assessment.
Level 1 (All the DIB): Once the CMMC Program begins rolling out, CMMC Level 1 (self-assessment) will apply to solicitations and contracts under which a defense contractor’s information system processes, stores, or transmits FCI. CMMC Level 1 requires a contractor to meet all 15 security requirements specified at FAR 52.204-21(b)(1), Basic Safeguarding of Covered Contractor Information Systems. At CMMC Level 1, an assessment is pass/fail, as no POA&Ms are permitted. Assessments must be performed, and the results must be uploaded to SPRS annually. Further, all CMMC Level 1 self-assessments require affirmation of continued compliance. That affirmation must come from a senior-level representative of a defense contractor who is responsible for ensuring the defense contractor’s compliance with the CMMC Program requirements and has the authority to affirm the contractor’s continuing compliance with the specified security requirements.
Level 2 (Most of the DIB): If a DoD solicitation or contract calls for a contractor's information system to process, store, or transmit CUI, a CMMC Level 2 Status is required at a minimum. At CMMC Level 2, the contractor may undergo either a self-assessment or a C3PAO assessment. At CMMC Level 2, a contractor must meet all 110 security requirements identified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which encompass the 15 basic safeguarding requirements of FAR 52.204-21 required at Level 1.
If a defense contractor cannot meet all security requirements specified in NIST SP 800-171 Rev. 2, it may achieve only a Conditional CMMC Level 2 (self-assessment or C3PAO) Status. A Conditional CMMC Level 2 Status requires the contractor to prepare a POA&M for remediating the unmet requirements and to post in SPRS, within 180 days from the date its Conditional Status was conferred, POA&M closeout results demonstrating that the gaps have been remediated. Failure to close out every item in the POA&M within that period results in the Conditional CMMC Level 2 Status expiring. CMMC Level 2 assessments are required every three years, and a defense contractor must submit affirmations after every assessment, including POA&M closeout, and annually thereafter.
Level 3 (You Know Who You Are): CMMC Level 3 is the highest level under the CMMC Program and requires a contractor to implement the greatest number of security requirements. At CMMC Level 3, in addition to meeting all requirements at CMMC Level 1 and CMMC Level 2, a defense contractor must meet 24 selected security requirements derived from NIST SP 800-172 (Feb. 2021), Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. These enhanced requirements address the Advanced Persistent Threat, "an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception)." The enhanced requirements at CMMC Level 3 are also modified by Organization-Defined Parameters (ODPs). The Rule describes ODPs as providing "selection and assignment operations to give organizations flexibility in defining variable parts of those requirements"; under CMMC, DoD, not the contractor, assigns those parameters.
At CMMC Level 3, only government personnel, through DIBCAC, perform the assessment. In addition, a contractor may not simply skip over the other levels to undergo a CMMC Level 3 assessment. Rather, a contractor must have a Final CMMC Level 2 (C3PAO) Status before undergoing a Level 3 certification assessment. A CMMC Level 3 assessment must be conducted every three years (including a Level 2 (C3PAO) assessment, since it is a prerequisite). Similar to the process for CMMC Level 2, a contractor that does not meet all security controls may be allowed to obtain a Conditional Level 3 Status in conjunction with a POA&M, which must be successfully closed out within 180 days from the date the Conditional Level 3 Status was conferred. Further, the contractor must submit affirmations after every assessment, including POA&M closeout, and annually thereafter.
The SPRS Connection: Given that CMMC Level 2 (self-assessment and C3PAO) and Level 3 (DIBCAC) permit a defense contractor to obtain a Conditional CMMC status, what is the minimum score a contractor must obtain? To qualify for a conditional status, a contractor must obtain an assessment score (calculated based on the weighted value of the security controls) of 80 percent or 0.8 of the maximum value. Further, certain security controls must be met that cannot be remedied through a POA&M. The Final Rule provides that at CMMC Level 2, “[n]one of the security requirements included in the POA&M [shall] have a point value greater than 1…, except SC.L2–3.13.11 CUI Encryption may be included on a POA&M if encryption is employed but it is not FIPS-validated, which would result in a point value of 3.” Under CMMC Level 2 and Level 3, the following security controls must be met during the initial assessment (i.e., not eligible for remediation under a POA&M):
CMMC Must Have Security Controls

| CMMC Level 2 Security Controls | CMMC Level 3 Security Controls |
|---|---|
| AC.L2–3.1.20 External Connections (CUI Data) | IR.L3–3.6.1e Security Operations Center |
| AC.L2–3.1.22 Control Public Information (CUI Data) | IR.L3–3.6.2e Cyber Incident Response Team |
| CA.L2–3.12.4 System Security Plan | RA.L3–3.11.1e Threat-Informed Risk Assessment |
| PE.L2–3.10.3 Escort Visitors (CUI Data) | RA.L3–3.11.6e Supply Chain Risk Response |
| PE.L2–3.10.4 Physical Access Logs (CUI Data) | RA.L3–3.11.7e Supply Chain Risk Plan |
| PE.L2–3.10.5 Manage Physical Access (CUI Data) | RA.L3–3.11.4e Security Solution Rationale |
| | SI.L3–3.14.3e Specialized Asset Security |
Thus, the 80 percent minimum score is only part of the test. At CMMC Level 2, a defense contractor qualifies for a Conditional Status only if it scores at least 80 percent, none of the unmet requirements carries a point value greater than 1 (except SC.L2–3.13.11 CUI Encryption where non-FIPS-validated encryption is in use), and every requirement listed in the table above is met. At CMMC Level 3, in addition to holding a Final CMMC Level 2 (C3PAO) Status and meeting the 80 percent minimum, a contractor must meet the seven Level 3 requirements identified above at the initial assessment.
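The eligibility rules above combine a score threshold with two per-requirement exclusions, which is easy to get wrong when reading a long assessment report by hand. The following is an added example, written for this article and not a DoD, SPRS, or C3PAO tool, that encodes the page's rules as a checker: the 80 percent floor, the "no POA&M item worth more than 1 point" rule with the SC.L2–3.13.11 exception at 3 points when non-FIPS encryption is employed, and the must-have requirements that can never sit on a POA&M. The point values attached to individual findings and the placeholder control identifiers in the demo are constructed for illustration; the official per-requirement values come from the DoD assessment methodology, which this page does not reproduce.

```python
"""Conditional-status eligibility checker for CMMC Level 2 and Level 3.

Added example (not from the Final Rule or any DoD tool). Scoring model
assumed here: start at the maximum (one point per requirement) and deduct
each unmet requirement's point value. The rules encoded are those stated
on the page; per-finding point values are supplied by the caller and are
illustrative only.
"""
from dataclasses import dataclass, field

CUI_ENCRYPTION = "SC.L2-3.13.11"      # the sole >1-point POA&M exception at Level 2
NON_FIPS_ENCRYPTION_POINTS = 3        # point value when encryption exists but is not FIPS-validated

# Per-level parameters taken from the page: requirement count and must-have set.
LEVELS = {
    2: {
        "total": 110,
        "must_have": {"AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
                      "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5"},
        "poam_max_points": 1,         # no POA&M item may exceed 1 point (page rule)
    },
    3: {
        "total": 24,
        "must_have": {"IR.L3-3.6.1e", "IR.L3-3.6.2e", "RA.L3-3.11.1e",
                      "RA.L3-3.11.6e", "RA.L3-3.11.7e", "RA.L3-3.11.4e",
                      "SI.L3-3.14.3e"},
        "poam_max_points": None,      # the page states no point-value cap at Level 3
    },
}


@dataclass(frozen=True)
class Finding:
    """An unmet requirement as recorded by the assessor."""
    control: str
    points: int                        # constructed deduction value for this finding
    non_fips_encryption: bool = False  # only meaningful for SC.L2-3.13.11


@dataclass
class Result:
    level: int
    score: int
    status: str                        # "Final", "Conditional", or "Not eligible"
    reasons: list = field(default_factory=list)


def minimum_score(total: int) -> int:
    """Smallest integer score that is at least 0.8 x total (integer ceiling,
    avoiding float comparison)."""
    return -(-8 * total // 10)


def deduction(level: int, f: Finding) -> int:
    """Points deducted for one finding, applying the non-FIPS encryption carve-out."""
    if level == 2 and f.control == CUI_ENCRYPTION and f.non_fips_encryption:
        return NON_FIPS_ENCRYPTION_POINTS
    return f.points


def evaluate(level: int, findings: list) -> Result:
    cfg = LEVELS[level]
    total = cfg["total"]
    score = total - sum(deduction(level, f) for f in findings)
    if not findings:
        return Result(level, score, "Final")

    reasons = []
    floor = minimum_score(total)
    if score < floor:
        reasons.append(f"score {score} is below the minimum of {floor} ({total} x 0.8)")
    for f in findings:
        pts = deduction(level, f)
        if f.control in cfg["must_have"]:
            reasons.append(f"{f.control} must be met at the initial assessment")
        elif cfg["poam_max_points"] is not None and pts > cfg["poam_max_points"]:
            # The only allowed >1-point item is the non-FIPS encryption case, which
            # deduction() already priced at 3; any other >1 item blocks eligibility.
            if not (f.control == CUI_ENCRYPTION and f.non_fips_encryption):
                reasons.append(f"{f.control} worth {pts} points cannot be placed on a POA&M")
    return Result(level, score, "Conditional" if not reasons else "Not eligible", reasons)


if __name__ == "__main__":
    # Constructed demo findings; point values are illustrative.
    demo = [
        Finding("AT.L2-3.2.3", 1),
        Finding("MA.L2-3.7.4", 1),
        Finding(CUI_ENCRYPTION, 5, non_fips_encryption=True),
    ]
    r = evaluate(2, demo)
    print(f"Level {r.level}: score {r.score}, status {r.status}")
    for reason in r.reasons:
        print("  -", reason)
```

Two design points worth noting. The threshold is computed as an integer ceiling rather than `score >= 0.8 * total`, so the Level 3 floor of 19.2 correctly becomes 20 with no floating-point surprises. The encryption carve-out is applied in `deduction()` and then explicitly excused in the eligibility loop, so a finding against SC.L2–3.13.11 where no encryption is employed at all still blocks a Conditional Status, as the page's quoted rule requires.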
External Resources: If a contractor or subcontractor intends to use a cloud service provider (CSP) or an external service provider (ESP) to process, store, or transmit CUI in the performance of a DoD contract or subcontract, the contractor’s or subcontractor’s CSP and ESP must similarly comply with security controls outlined in the Final Rule. For CSPs, the CSP product or service offering must either (1) be FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline or (2) meet the security requirements equivalent to those established at the FedRAMP Moderate (or higher) baseline if a CSP’s product or service offering is not FedRAMP Authorized. If a defense contractor uses an ESP, it must document its relationship with and use of the services the ESP provides in its System Security Plan. ESP services within a defense contractor’s assessment scope must also be assessed against the applicable CMMC-level security requirements.
Subcontractors: As explained earlier, the CMMC Program applies to prime contractors and subcontractors at all tiers performing under a DoD contract that requires a contractor’s information system to process, store, or transmit FCI or CUI. Prime contractors must require subcontractors to comply with and flow down the applicable CMMC requirements, permeating all relevant tiers. The Final Rule provides that “when” in the performance of a subcontract:
- A subcontractor will only process, store, or transmit FCI (and not CUI), a CMMC Level 1 (self-assessment) Status is required.
- A subcontractor will process, store, or transmit CUI, a CMMC Level 2 (self-assessment) Status is a minimum requirement.
- A subcontractor will process, store, or transmit CUI and the prime contractor must hold a CMMC Level 2 (C3PAO) Status, the subcontractor must also hold a CMMC Level 2 (C3PAO) Status as a minimum requirement.
- A subcontractor will process, store, or transmit CUI and the prime contractor must hold a CMMC Level 3 (DIBCAC) Status, the subcontractor must hold a CMMC Level 2 (C3PAO) Status as a minimum requirement.
The minimum requirements when CUI is involved are to provide flexibility to the government if contract requirements dictate higher security controls. As the Final Rule provides, the solicitation or contract may provide specific guidance on CMMC flow-down, including requiring more stringent security controls.
We would be remiss if we did not explain what may happen to a contractor that cannot meet the CMMC level required in a DoD solicitation or contract. As previously noted, a Conditional CMMC status is only good for 180 days from the date of the conferred status. If a contractor cannot successfully remediate all tasks identified in its POA&M within that period, the conditional status expires, and the government may utilize standard contract remedies to resolve the contractor’s lack of compliance with the CMMC Program. This may include termination of the contract for the government’s convenience or default. It would be in any defense contractor’s best interest to proactively approach CMMC compliance rather than serve as a test case for what “standard contractual remedies will apply” to them.
While the above may be deemed the CMMC 2.0 “basics,” don’t be fooled by any relative straightforwardness or clear guidance. This is a challenging area of the law, not so much because of the technical nature of what CMMC 2.0 is imposing, but due to the actual nature of the data DoD insists is protected under the regime. Those nuanced areas will be the subjects of other, more focused blog postings aimed at helping defense contractors cut through the chaff and arrive at the major issues requiring the heavy lifting. But, for now, the industry finally has a fundamental and formalized map into the CMMC 2.0 Program.