New CMMC Proposed Rule

The Department of Defense (DoD) disclosed its long-awaited proposed rule for the Cybersecurity Maturity Model Certification Program (CMMC) on December 26, 2023. This regulatory framework, focused on cybersecurity, is poised to have a considerable impact on the majority of government contractors. The rule applies to contractors engaged in the processing of sensitive data, such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), in the course of DoD contract execution.

While building upon the existing security requirements outlined in the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, the CMMC program introduces heightened scrutiny into the realm of contractors’ cybersecurity compliance. Notably, the potential consequences for non-compliance gain significance in the context of the Department of Justice’s Civil Cyber Fraud Initiative and the potential for False Claims Act litigation. If the proposed rule is ratified, it will substantially reshape the CMMC landscape, introducing a requirement for senior company officials to affirm each self-assessed or certified CMMC level, thereby amplifying the associated legal compliance risks.

Contractors must proactively ready themselves for the impending implementation of CMMC. It is essential for companies to ensure they allocate the requisite resources for compliance, necessitating collaboration across various corporate facets, including information security, legal, compliance, supply chain, and business operations.

Comments on the proposed rule will be open for submission until February 26, 2023.

How We Got Here

Over the course of the last decade, the Department of Defense (DoD) has been actively involved in regulating the cybersecurity requirements associated with contracts, leading to the formulation of the present proposed rule. The inception of the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 (DFARS 7012) dates back to 2013, with multiple modifications made thereafter. The DoD mandated a deadline for its implementation, set at December 31, 2017, and subsequently incorporated DFARS 7012 into nearly all of its contracts.

As time progressed, the DoD identified a lack of consistent implementation of DFARS 7012 requirements by contractors, resulting in an ongoing risk of sensitive data loss. In 2019, the DoD introduced the Cybersecurity Maturity Model Certification (CMMC) Program, unveiling its initial version (CMMC 1.0) and the corresponding DFARS Clause 252.204-7021 through an Interim Rule in September 2020. Concurrently, the Interim Rule introduced two clauses, DFARS 252.204-7019 and DFARS 252.204-7020, with the aim of assessing contractor adherence to cybersecurity requirements. Through these new clauses, the DoD aimed to strengthen DFARS 7012 cybersecurity compliance, incorporating both self-assessments and third-party assessments.

In November 2021, the DoD introduced “CMMC 2.0,” outlining an updated program structure featuring tiered levels of security and implementation, assessment requirements, and implementation through contracts. The latest proposed rule defines a revamped CMMC 2.0 Program, outlining requirements for both the program and each CMMC level.

Model Overview

The proposed rule upholds the three-tiered CMMC model introduced in CMMC 2.0:

CMMC Level 1 encompasses 15 requirements detailed in the Federal Acquisition Regulation (FAR) clause 52.204-21(b)(1). Its intended application is for contractors involved in the storage, processing, or transmission of Federal Contract Information (FCI).

CMMC Level 2 includes 110 requirements derived from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Rev. 2. This level is expected to be relevant for a wide range of contractors engaged in the storage, processing, or transmission of Controlled Unclassified Information (CUI).

CMMC Level 3 integrates 24 selected requirements from NIST SP 800-172 in addition to the complete implementation of NIST SP 800-171. It is specifically tailored for a smaller subset of Department of Defense (DoD) contractors handling high-value CUI during storage, processing, or transmission.

The determination of the applicable CMMC Level for each procurement will be the responsibility of the DoD, and contractors are mandated to secure CMMC certification before being considered eligible for contract or subcontract awards under solicitations requiring CMMC compliance.

Applicability

Government contractors entrusted with regulated data in the context of DoD contracts, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), must adhere to the Cybersecurity Maturity Model Certification (CMMC). These requirements are expected to be integrated into all Department of Defense (DoD) solicitations surpassing the micro-purchase threshold, except for procurements exclusively designated for commercially available off-the-shelf (COTS) items.

Notably, the proposed rule does not extend the applicability of CMMC requirements to government information systems operated by contractors in support of the government. Additionally, the DoD holds the discretionary authority to potentially waive CMMC program requirements ahead of solicitations, but only in “very limited circumstances.”

Implementation Timeline

With the DoD’s proposed CMMC regulatory framework now public, companies are advised to begin their compliance programs. The proposed rule articulates a four-phase implementation plan. The initial phase begins on the effective date of the CMMC rule and requires CMMC Level 1 or Level 2 self-assessments as a prerequisite for being considered for awards under pertinent solicitations and contracts.

Phase two, slated to commence six months after the initiation of phase one, involves CMMC Level 2 certification assessments. Subsequent to that, phase three, beginning one year after the commencement of phase two, introduces CMMC Level 3 certification requirements. The inclusion of CMMC requirements as award conditions will be determined at the discretion of DoD Program Managers until the full implementation in Phase 4. The DoD aims to incorporate CMMC requirements in all applicable solicitations starting from October 1, 2026.

Assessments

The proposed assessment requirements present a combination of self-assessments and third-party assessments, contingent upon the criticality of the data at stake. According to the proposed rule, CMMC Level 1 assessments are exclusively self-assessments, compelling contractors to validate their own compliance with CMMC security controls. These contractors must submit their assessment scores to the Department of Defense’s (DoD) Supplier Performance Risk System (SPRS) prior to contract award and on an annual basis thereafter.

For CMMC Level 2, either a self-assessment or a certification assessment conducted by a third-party assessment organization (C3PAO) is mandated. This assessment must be completed before contract award and repeated every three years. The proposed rule does not explicitly outline how the DoD will determine the contracts subject to self-assessments versus certification assessments. In the case of CMMC Level 3, certification assessments will be conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), necessitating completion before contract award and recurrence every three years.

Plan of Action and Milestone (POA&M) Limitations

As per the proposed rule, the Cybersecurity Maturity Model Certification (CMMC) introduces the utilization of Plans of Action and Milestones (POA&Ms) for specific requirements and within defined time constraints. Notably, Level 1 assessments do not permit the use of POA&Ms.

For CMMC Level 2 assessments, a POA&M is permitted only if the assessment score divided by the total number of security requirements is 0.8 or higher and the unmet requirement is not on the list of controls prohibited from POA&Ms. Security requirements with a point value exceeding 1 generally may not be placed on a POA&M, the one exception being Controlled Unclassified Information (CUI) Encryption under specific circumstances.

In Level 3 assessments, the use of POA&Ms is allowed under the condition that the assessment score divided by the total number of security requirements is 0.8 or higher, and the control is not among the prohibited controls for POA&Ms. Each POA&M must be resolved, with all requirements fulfilled, within 180 days of the assessment. A closeout assessment, focusing solely on the unmet requirements identified by the POA&Ms, must confirm the closure. It is crucial to emphasize that CMMC does not entertain requests for waivers related to any CMMC security requirement.

Conditional and Final Certifications

According to the proposed rule, assessments can lead to either a Final Certification or a Conditional Certification, contingent on a contractor’s implementation of all necessary security controls. A contractor who achieves the minimum passing score and fully implements all required security controls will receive a final certification. However, if Plans of Action and Milestones (POA&Ms) persist at the end of an assessment, the contractor will be issued a Conditional Certification.

Contractors are mandated to address and complete their POA&Ms, ensuring the full implementation of pending controls within 180 days from the initial assessment. Failure to meet this requirement may result in contractual consequences, including termination, and render the contractor ineligible for future contracting opportunities that necessitate compliance with the Cybersecurity Maturity Model Certification (CMMC).

Senior Affirmations

In accordance with the proposed rule, an annual affirmation of compliance with the mandated security requirements is required from both the prime contractor and any relevant subcontractor. Furthermore, at CMMC Levels 2 and 3, contractors must affirm their compliance after each CMMC assessment, whether it is a self-assessment or a certification assessment, as well as following the close-out of any Plans of Action and Milestones (POA&Ms).

These CMMC affirmations, similar to self-assessment scores, must be electronically submitted through the Supplier Performance Risk System (SPRS). Contractors are ineligible for awards under solicitations stipulating Cybersecurity Maturity Model Certification (CMMC) compliance until their affirmations are submitted.

Contractors are urged to diligently verify their CMMC compliance status prior to affirmation submissions. Presenting an affirmation that inaccurately represents a contractor’s CMMC compliance status could be interpreted by the government as a false statement, potentially resulting in procurement consequences such as contract termination or debarment. Additionally, the False Claims Act (FCA) may entail damages and/or fines in such instances.

Key Insights

As the final rule awaits publication, companies can initiate preparations for Cybersecurity Maturity Model Certification (CMMC) compliance by taking the following steps.

1. Formulate and Refine a System Security Plan (SSP)

In anticipation of a self-assessment or certification assessment, a company must complete the necessary documentation, a System Security Plan (SSP), elucidating the implementation of security controls. An effective SSP necessitates the company’s awareness of the presence and pathways of regulated data (e.g., Federal Contract Information or Controlled Unclassified Information) within its network.

2. Develop an Enterprise-Wide Compliance Strategy

A thorough engagement with all stakeholders of a compliance team is crucial for developing a compliance strategy that outlines how the company will manage and protect its data. This strategy should assess technical gaps and legal risks and detail how they will be addressed. It also guides decisions on network structure and determines whether the company aims for a conditional or final certification.

3. Consider a Dedicated Federal Environment

Companies may contemplate establishing a dedicated environment to house regulated data based on the volume of regulated data and the challenges associated with implementing security controls company-wide. Segregating regulated data into a dedicated environment can minimize legal risks, streamline technical implementation, and reduce resource costs.

4. Conduct Confidential Compliance Assessments

Contractors are advised to conduct compliance assessments under attorney-client privilege to test their ability to meet CMMC requirements without exposing the company to risk if gaps are identified. Engaging legal counsel with technical capabilities to conduct assessments or direct assessments by third parties can help mitigate the risk of having to disclose assessment findings during legal proceedings or investigations.

5. Formulate and Refine Corporate Policies

While technological solutions are integral to meeting CMMC requirements, the efficacy of a company’s cybersecurity also hinges on the policies governing the use of such technology and the regulation of data traversing through it. Establishing a practice of formulating robust internal cybersecurity policies, creating incident response plans, and updating all relevant documents for currency and accuracy is essential.

Embark on the path to CMMC compliance with confidence. If you find yourself in need of assistance or have questions about navigating the intricacies of CMMC, reach out to us. Our experienced team is here to provide the support and expertise you require. Contact us today for personalized solutions and let us help you achieve and maintain CMMC compliance.