The Cybersecurity Maturity Model Certification (CMMC) Program has been a headache for many defense contractors since the idea was first introduced in 2019. The program seeks to protect unclassified information, including federal contract information (FCI) and controlled unclassified information (CUI) not intended for public release, shared by the Department of Defense (DOD) with its contractors and subcontractors. In December 2023, the DOD proposed a rule to formally codify the CMMC Program in a phased rollout. The DOD has now released a proposed rule (Proposed Rule) relevant to Phase 1, another step toward the ultimate goal of requiring certain DOD contractors handling sensitive information to achieve a particular CMMC level as a condition of contract award. DOD contractors that process, store, or transmit FCI or CUI (or plan to do so in the future) must become familiar with the CMMC Program, as it could "make-or-break" winning or losing major government contracts.
General Overview of CMMC
DOD procuring activities will assign solicitations and contracts a certain CMMC level depending on the type and sensitivity of information being shared with or developed by the awarded contractor (or its subcontractors). There are three CMMC levels. CMMC Level 1 requires a contractor to self-assess and attest to compliance with all 15 basic safeguarding requirements to protect FCI currently listed in Federal Acquisition Regulation (FAR) clause 52.204-21. CMMC Level 2 can require a self-assessment or a certification depending on the solicitation/contract. For the self-assessment, contractors will need to verify that all applicable security requirements, as listed in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, have been implemented for any relevant assets, as is already required by Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. For the certification, one of the major differences is that an authorized or accredited C3PAO[1] is required to validate implementation of the NIST SP 800-171 security requirements. And finally, CMMC Level 3 requires that the DOD assess a contractor's implementation of all CMMC Level 2 requirements as well as the additional, enhanced security requirements from NIST SP 800-172. For CMMC Levels 2 and 3, contractors that do not have a high enough total assessment score may need to create and implement a Plan of Action and Milestones (POA&M) that must be closed out within 180 days to achieve the requisite level.
Phased Rollout of CMMC
DOD initially (and ambitiously) expected CMMC to be fully implemented by October 2026. The December 2023 proposed rule regarding implementation of CMMC into Title 32 of the Code of Federal Regulations was significant but did not address implementation of the program’s requirements into solicitations. The phased rollout of CMMC is as follows:
- Phase 1 begins once the DFARS 252.204-7021 rulemaking becomes effective. CMMC Level 1 and Level 2 Self-Assessment requirements will be included as conditions to contract award in all applicable solicitations.
- Phase 2 starts six months following the beginning of Phase 1. CMMC Level 2 Certification requirements will be included as conditions to contract award in all applicable solicitations.
- Phase 3 proceeds one year after the start of Phase 2. CMMC Level 2 Certification requirements will be included as a condition of exercising an option period. Also, CMMC Level 3 Certification requirements will be included in all solicitations as a condition of contract award.
- Phase 4 initiates one year after Phase 3 begins and requires full implementation of the CMMC Program. All three level requirements must be included as (1) conditions to contract award in all solicitations and (2) conditions to exercise option periods in all contracts.
This Proposed Rule addresses how DOD plans to implement the CMMC Program into solicitations moving forward. Once the Proposed Rule goes through appropriate notice-and-comment rulemaking, a subsequent final rule is published, and the DFARS revisions made effective, then Phase 1 will have officially begun.
Proposed DFARS Revisions
Two notable revisions are described in the Proposed Rule:
First, DFARS 252.204-7021 – Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements, will be included in all solicitations, contracts, and task/delivery orders that require contractors to have a CMMC certificate or CMMC self-assessment at a specific level, except for acquisitions of solely commercially available off-the-shelf items. The clause will have a placeholder for the Contracting Officer (CO) to assign the applicable CMMC Level to the solicitation/contract. The requisite CMMC Level must be maintained for the entire life of the contract for all applicable information systems and contractors will need to notify the CO within 72 hours if there is a lapse or change in a CMMC certificate/self-assessment level during performance. In addition, contractors and subcontractors will need to complete and maintain annually (or when a change to CMMC compliance status occurs) an affirmation of continuous compliance in the Supplier Performance Risk System (SPRS) for the relevant security requirements depending on the CMMC level.
Second, a new clause DFARS 252.204-7YYY – Notice of Cybersecurity Maturity Model Certification Level Requirements will be implemented to, like above, notify contractors of the applicable CMMC certificate or self-assessment level. It expressly provides that apparently successful offerors will be ineligible for contract award if they do not have current results for their CMMC certificates/self-assessments, at the minimum level required by the solicitation, uploaded into SPRS. Current means:
- for CMMC Level 1 Self-Assessments, not older than 1 year with no changes in CMMC compliance since the date of the assessment;
- for CMMC Level 2, not older than 3 years with no changes in CMMC compliance since the date of the assessment;
- for CMMC Level 3, not older than 3 years for Level 3 certificates with no changes in CMMC compliance since the date of the assessment; and
- for affirmations of continuous compliance with 32 C.F.R. part 170, not older than 1 year with no changes in CMMC compliance since the date of the affirmation.
Key Takeaways
- Application to Contracts. Phase 1 of the Rollout does not begin until the effective date of the Final Rule implementing CMMC into the DFARS. Of course, COs do have the discretion to bilaterally incorporate the clause in contracts in effect prior to the effective date of the clause with appropriate consideration.
- Current Certifications/Self-Assessments in SPRS. Understanding when certifications/self-assessments expire will be crucial to winning contract awards. Having a certification or self-assessment expire even one day prior to contract award will cost contractors major contract opportunities.
- Flow-downs to Subcontractors. Contractors must flow down CMMC’s requirements to applicable subcontractors. While no tool exists that would allow subcontractors to electronically share the results of their assessments with their prime contractors, the prime contractor is expected to work with its suppliers to conduct verifications as it would under any other clause requirement that applies to subcontractors.
- Joint Venture Compliance. In the previous interim rule applicable to CMMC 1.0, many commenters asked how to handle CMMC certifications and CMMC self-assessments for joint ventures. DOD has explained that each individual venturer that has a requirement for CMMC would be required to comply with the requirements related to the individual entity’s information systems that process, store, or transmit FCI or CUI during contract performance.
- Protesting CMMC-Related Issues. The potential protest grounds for CMMC requirements are numerous. For example, in the post-award context, if an agency removes an offeror from consideration of award for failing to have the requisite CMMC Level at the time of proposal submission as opposed to at the time of award, the agency’s conduct in this regard could be considered “unreasonable” and/or “arbitrary and capricious” depending on the protest forum the offeror selects.
Comments on the Proposed Rule are due by October 15, 2024, and can be submitted here. PilieroMazza attorneys are monitoring any new developments related to the Proposed Rule and will provide an update when the rule becomes final. If you have questions regarding this client alert, please contact Cy Alba, Daniel Figuenick, or another member of the Firm’s Government Contracts or Cybersecurity & Data Privacy practice groups.
____________________
Looking for practical insights on gaining a competitive advantage through a deeper understanding of the government’s compliance requirements? Check out PilieroMazza’s podcasts “GovCon Live!” and “Clocking in with PilieroMazza.”
[1] A C3PAO is a service provider organization that the CMMC Accreditation Body (CMMC-AB) has accredited and authorized to conduct CMMC assessments, submit findings, and certify that Organizations Seeking Certification (OSCs) comply with the relevant CMMC 2.0 maturity level.