Takeaways

DoD’s issuance of the final rule demonstrates the government’s continued commitment to cybersecurity priorities within the defense industrial base.
Many provisions of the final rule are consistent with the proposed rule issued on December 26, 2023; however, the final rule includes some important changes and additional guidance.
The final rule does not trigger the start of the phased rollout of CMMC 2.0. Instead, the CMMC rollout will begin after the implementing DFARS clauses are finalized.

On October 15, 2024, the Department of Defense (DoD) published a long-awaited final rule implementing the Cybersecurity Maturity Model Certification (CMMC) program 2.0. The final rule will take effect on December 16, 2024. Spanning 146 pages in the Federal Register, this rule finalizes DoD’s regulations concerning CMMC 2.0. This rule does not, however, revise the Defense Federal Acquisition Regulation Supplement (DFARS). As we previously reported, in August DoD issued a proposed rule revising the DFARS to implement CMMC 2.0 in solicitations and contracts (the DFARS rule). The comment period for that proposed rule closed on October 15, 2024. Once the DFARS rule is also finalized, the phased rollout of the CMMC program will begin.

Under the final rule, CMMC 2.0 will maintain a tiered certification model consisting of Levels 1 through 3. Assets that achieve Level 1 will be permitted to handle Federal Contract Information, defined as information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government. To achieve Level 1, an organization will be required to implement all 15 of the cybersecurity requirements set forth in FAR 52.204-21. An organization will be required to self-assess its compliance and submit the results of the self-assessment to the Supplier Performance Risk System (SPRS).

Only assets that achieve Level 2 or Level 3 will be permitted to handle Controlled Unclassified Information (CUI), a term that many commenters view as insufficiently defined. To achieve Level 2, an organization will be required to implement the 110 cybersecurity requirements of NIST SP 800-171. The final rule envisions two types of Level 2 assessments—Level 2 (Self) and Level 2 (C3PAO). To achieve Level 2 (Self), an organization will be required to conduct a self-assessment and submit the results to SPRS. Such self-assessments will need to be renewed annually. To achieve Level 2 (C3PAO), the assets will need to be assessed by a CMMC Third-Party Assessment Organization (C3PAO). A Level 2 (C3PAO) status will be valid for three years.

If a contractor does not meet all 110 NIST requirements on the date of its Level 2 assessment, it may still achieve a Conditional Level 2 Status. Notably, a contractor that has achieved a Conditional Level 2 Status will be eligible for Level 2 contract awards. To achieve a Conditional Level 2 Status, an organization must achieve at least 80% of the maximum score and must fully implement certain identified critical requirements. Requirements that are scored as “NOT MET” must be identified in a Plan of Action and Milestones (POA&M) to meet the CMMC requirement. Contractors must then remedy such open POA&M items within 180 days of receiving their Conditional CMMC Status. If they fail to achieve a Final Level 2 status within 180 days, their conditional status will expire, and they will no longer be eligible for Level 2 awards.

Among the changes from the proposed rule is a revision to the phased implementation schedule with the duration of each phase being extended from six months to one year. DoD will require Level 1 and Level 2 (Self) in applicable solicitations and contracts during Phase 1 of the CMMC 2.0 implementation. Phase 1 will begin when the final DFARS rule becomes effective. In Phase 2, which will begin one year after the start of Phase 1, DoD will also begin requiring Level 2 (C3PAO) in applicable solicitations and contracts. During Phase 2, DoD will retain the discretion to delay the requirement for CMMC Level 2 (C3PAO) compliance to an option period on the contract, instead of making it a condition for initial award.

During Phase 3, which will begin one year after the start of Phase 2, DoD will begin requiring CMMC Level 3 in applicable solicitations and contracts. To achieve Level 3, contractors will first need to achieve Level 2 (C3PAO). Additionally, they will need to meet 24 additional cybersecurity requirements selected from NIST SP 800-172 and have their compliance with these 24 requirements assessed by the Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). An organization will be able to receive a Conditional Level 3 Status if it meets at least 80% of the 24 additional requirements and meets other identified critical requirements. Level 3 Status will also be valid for three years. During Phase 3, DoD will retain the discretion to delay the requirement for CMMC Level 3 compliance to an option period on the contract, instead of making it a condition for initial award.

Finally, one year after Phase 3 begins, DoD will begin the final phase of CMMC 2.0 implementation, Phase 4. Once Phase 4 begins, DoD will require the appropriate Level 1, 2 or 3 Status in all solicitations and contracts, as applicable. It appears that once Phase 4 begins, DoD will lose the discretion to delay the achievement of the appropriate CMMC level to an option period, instead of making it a condition for award.

The phased approach to implementation will give contractors much needed time to obtain third-party or DIBCAC assessments, as such assessments will not be necessary until Phases 2 and 3, respectively. It will also give contractors at least two years before they will need to meet 24 additional cybersecurity requirements selected from NIST SP 800-172. However, because DoD will begin requiring Level 1 and Level 2 (Self) Status during Phase 1, contractors that do not meet all applicable requirements need to prepare for CMMC 2.0 immediately. Contractors need to ensure not only that they are in compliance with the relevant NIST requirements, but also that they and their supply chain have performed and documented the required self-assessments.

We will continue to monitor developments related to CMMC and other government cybersecurity requirements.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.