New CMMC Proposed Rule
The Department of Defense (DoD) disclosed its long-awaited proposed rule for the Cybersecurity Maturity Model Certification Program (CMMC) on December 26, 2023. This regulatory framework, focused on cybersecurity, is poised to have a considerable impact on the majority of government contractors. The rule applies to contractors engaged in the processing of sensitive data, such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), in the course of DoD contract execution.
While building upon the existing security requirements outlined in the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, the CMMC program introduces heightened scrutiny into the realm of contractors’ cybersecurity compliance. Notably, the potential consequences for non-compliance gain significance in the context of the Department of Justice’s Civil Cyber Fraud Initiative and the potential for False Claims Act litigation. If the proposed rule is ratified, it will substantially reshape the CMMC landscape, introducing a requirement for senior company officials to affirm each self-assessed or certified CMMC level, thereby amplifying the associated legal compliance risks.
Contractors must proactively ready themselves for the impending implementation of CMMC. It is essential for companies to ensure they allocate the requisite resources for compliance, necessitating collaboration across various corporate facets, including information security, legal, compliance, supply chain, and business operations.
Comments on the proposed rule will be open for submission until February 26, 2023.
How We Got Here
Over the course of the last decade, the Department of Defense (DoD) has been actively involved in regulating the cybersecurity requirements associated with contracts, leading to the formulation of the present proposed rule. The inception of the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 (DFARS 7012) dates back to 2013, with multiple modifications made thereafter. The DoD mandated a deadline for its implementation, set at December 31, 2017, and subsequently incorporated DFARS 7012 into nearly all of its contracts.
As time progressed, the DoD identified a lack of consistent implementation of DFARS 7012 requirements by contractors, resulting in an ongoing risk of sensitive data loss. In 2019, the DoD introduced the Cybersecurity Maturity Model Certification (CMMC) Program, unveiling its initial version (CMMC 1.0) and the corresponding DFARS Clause 252.204-7021 through an Interim Rule in September 2020. Concurrently, the Interim Rule introduced two clauses, DFARS 252.204-7019 and DFARS 252.204-2020, with the aim of assessing contractor adherence to cybersecurity requirements. Through these new clauses, the DoD aimed to strengthen DFARS 7012 cybersecurity compliance, incorporating both self-assessments and third-party assessments.
In November 2021, the DoD introduced “CMMC 2.0,” outlining an updated program structure featuring tiered levels of security and implementation, assessment requirements, and implementation through contracts. The latest proposed rule defines a revamped CMMC 2.0 Program, outlining requirements for both the program and each CMMC level.
Model Overview
The proposed rule upholds the three-tiered CMMC model introduced in CMMC 2.0:
CMMC Level 1 encompasses 15 requirements detailed in the Federal Acquisition Regulation (FAR) clause 52.204-21(b)(1). Its intended application is for contractors involved in the storage, processing, or transmission of Federal Contract Information (FCI).
CMMC Level 2 includes 110 requirements derived from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Rev. 2. This level is expected to be relevant for a wide range of contractors engaged in the storage, processing, or transmission of Controlled Unclassified Information (CUI).
CMMC Level 3 integrates 24 selected requirements from NIST SP 800-172 in addition to the complete implementation of NIST SP 800-171. It is specifically tailored for a smaller subset of Department of Defense (DoD) contractors handling high-value CUI during storage, processing, or transmission.
The determination of the applicable CMMC Level for each procurement will be the responsibility of the DoD, and contractors are mandated to secure CMMC certification before being considered eligible for contract or subcontract awards under solicitations requiring CMMC compliance.