By: Paul Hawkins and Jake Noe
For quite some time, the Cybersecurity Maturity Model Certification (CMMC) program has been a major focus for DoD contractors, and a mainstay topic of conversation at conferences, networking events, panel discussions, and the like. Everyone agrees on the critical need to protect sensitive unclassified information from adversaries targeting the defense industrial base (DIB). While cybersecurity compliance is nothing new (contractors have been subject to the DFARS cybersecurity and reporting requirement for years), CMMC aimed to introduce a standardized and more tailored approach, making a company's assessed cybersecurity maturity a prerequisite for new contracts, moving away from a one-size-fits-all model. However, the implementation of these requirements has been inconsistent, leaving many contractors uncertain about their next steps and what to expect from future contracts.
Finally, on December 26, 2023, the DoD published its proposed rule to codify and implement “CMMC 2.0,” the DoD CMMC framework adopted and made available in November 2021. Comments from the public on the proposed rule are due no later than February 26, 2024, and a subsequent final rule officially implementing CMMC 2.0 will be forthcoming. The proposed rule spans over 80 pages, but below are the key, plain-language takeaways every defense contractor should know about this important development.
Three-tiered Model for Cybersecurity Standards
CMMC 2.0’s three-tiered model imposes progressively stricter security standards depending on the type and sensitivity of the information held by the contractor. As has been the case since the release of the original CMMC framework, being at a certain CMMC level (now Level 1, 2, or 3) will be required as a prerequisite to be awarded a contract.
Level 1 requires contractors to comply with the most basic cybersecurity standards and applies to situations where contractors will be storing Federal Contract Information (FCI) on their systems. Specifically, CMMC Level 1 requires compliance with the 15 security requirements found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. While Level 1 is the least onerous security standard and is based upon self-assessment, the proposed rule does require an annual self-assessment, and a senior official from the prime contractor and any applicable subcontractors must affirm continued compliance annually.
When contractors are required to store and process Controlled Unclassified Information (CUI) on their systems, they will need to be CMMC Level 2 compliant. Level 2 requires contractors to implement all 110 of the NIST SP 800-171 security requirements as has been required in the DFARS cybersecurity clause. This level also requires verifications and affirmations from “senior officials.” Level 2 can be attained either through self-assessment or third-party certification to be determined on a contract-by-contract basis.
Lastly, certain contracts will require the most heightened security standard, CMMC Level 3. This level requires full NIST SP 800-171 compliance plus additional controls from NIST SP 800-172. Level 3 contractors will also have to verify, through DoD assessment and certification, that all requirements have been met and a senior official from the prime contractor and any applicable subcontractors must affirm continuing compliance after every assessment and annually thereafter.
Of note, in addition to the varying use of assessments and affirmations of compliance, DoD will still allow use of Plans of Action & Milestones (POA&Ms) for certain NIST security controls, provided they are closed out within a certain timeframe.
DFARS Contract Requirements and CMMC 2.0 Implementation
The proposed rule largely leaves intact the existing DFARS clauses addressing cybersecurity and CMMC. While these provisions could be subject to future changes, they will be utilized as solicitation and contract provisions to implement these requirements.
Importantly, CMMC 2.0 does not feature a pilot program. Once this rule is made final, it will go into effect, but the proposed rule includes a four-phased implementation plan over a period of three years. While the implementation plan allows for a slower, phased roll-out, Level 2 third-party certifications (i.e., not self-assessments), for example, could be applicable to certain DoD procurements as early as the first phase. At year 3 after issuance of the new rules, all CMMC requirements will have to be strictly met prior to any new awards or options.
Actions to Take Now
As mentioned before, cybersecurity compliance and CMMC are not new. However, with full, official implementation now more imminent, there are certain actions defense contractors can start taking.
Contractors must develop, or review, update, and improve, their System Security Plan (SSP), which details the policies and procedures the organization has in place to comply with these requirements. SSPs are comprehensive and require detail on how the numerous cybersecurity controls have been implemented, monitored, and enforced. SSPs are to be submitted in the DoD’s Supplier Performance Risk System (SPRS). SPRS scores must be submitted before contract award and must not be older than three years.
For subcontractors, primes are required to flow these requirements down in their subcontracts. In fact, prime contractors will not be allowed to award to subcontractors that do not have SPRS scores on file. So, contractors that perform primarily under subcontracts must start getting ahead of these requirements now.
Above is a brief overview of this proposed rule. While we are still just at the proposed rule stage, it is unlikely the final rule will be materially different. It is imperative for defense contractors to get or continue to be CMMC ready now in order to stay competitive in the defense space.
Disclaimer: This article is for information purposes only. Nothing in this article is, or is intended to be, legal advice. If you wish to discuss your particular and specific situation more in-depth, please consider contacting the government contracts attorneys at Reaves GovCon Group by emailing email@example.com.