Proposed CMMC Rule: A Transformative Step for Defense Industry Security

On December 26th, the DoD released the Proposed CMMC Rule, introducing pivotal changes and a phased approach that will notably influence the implementation of CMMC requirements. Learn more about what to anticipate.

Proposed CMMC Rule and its Impact on the Defense Industry

The Department of Defense published the Proposed CMMC Rule on December 26, 2023. The Proposed Rule represents a pivotal step in the cybersecurity of the Defense Industrial Base (DIB). With the Proposed CMMC Rule, DoD has made significant changes that will have long-term impacts on how CMMC 2.0 requirements are implemented across the DIB supply chain.

Key Components of the Proposed CMMC Rule

  • Formal establishment of the CMMC Program.
  • Definition of security controls for each of the three CMMC levels.
  • Establishment of processes and procedures for assessing and certifying compliance with CMMC requirements.
  • Definition of roles and responsibilities for the Federal Government, contractors, and third parties in the assessment and certification process.
  • Addition of a new Part 170 to Title 32 of the Code of Federal Regulations. The Proposed Rule does not fundamentally modify the FAR or the DFARS. Proposed Part 170 to Title 32 also codifies the three CMMC Levels through Appendix A, CMMC Model Overview.
  • Proposal of a separate rulemaking (DFARS Case 2019-D041) that will address the CMMC contractual processes for assessing contractors' implementation of the cybersecurity requirements.

Proposed CMMC Rule's Key Highlights

Exhibit 1: CMMC Model 2.0 Overview

Changes in the CMMC Assessment Method and Limited Use of POA&M

The Proposed Rule establishes and defines the security controls for the three-tiered CMMC model.

  • CMMC Level 1: Basic Protection of Federal Contract Information (FCI) and Self-Assessment: The foundational level focuses on safeguarding Federal Contract Information (FCI). It mandates compliance with the 15 basic cybersecurity practices derived from FAR clause 52.204-21. These practices are intended to protect FCI from unauthorized access and disclosure. Contractors at this level must conduct an annual self-assessment verifying adherence to these security controls.
  • Compliance Affirmation and POA&M Limitations: Level 1 does not permit Plans of Action & Milestones (POA&Ms) for unmet requirements; all 15 practices must be fully implemented before the self-assessment is reported. Contractors are required to affirm their compliance status annually in the DoD's Supplier Performance Risk System (SPRS), ensuring a continuous commitment to protecting FCI.
  • CMMC Level 2: Enhanced Protection of Controlled Unclassified Information (CUI), NIST SP 800-171 Rev 2 Alignment and Scoring System: Level 2 applies to contracts involving Controlled Unclassified Information (CUI). It aligns with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2, incorporating its 110 security requirements. A scoring system under this level evaluates the extent of implementation of these controls, establishing a quantitative measure of compliance: the assessment starts at 110 points and deducts a weighted value (1, 3 or 5 points) for each unmet requirement. Unlike Level 1, Level 2 allows a limited POA&M: the assessed score must be at least 80% (88 of 110), only lower-weighted requirements may remain open, and the POA&M must be closed out, with a closeout assessment, within 180 days.
  • Self-Assessments vs. Certification Assessments: At Level 2, contractors may be required to undergo either a self-assessment or a third-party certification assessment, as determined by the Department of Defense (DoD) based on the sensitivity of the CUI involved. In a self-assessment, the contractor evaluates its own compliance and reports the resulting score to SPRS. Certification assessments, by contrast, are conducted by accredited C3PAOs (CMMC Third-Party Assessment Organizations). Both Level 2 assessment types are performed every three years, with an annual affirmation of continued compliance in SPRS in between.
  • CMMC Level 3: NIST SP 800-171 Rev 2 plus Selected NIST SP 800-172 Requirements for High-Sensitivity Contracts: Level 3 is designed for contracts requiring advanced cybersecurity protection due to the heightened sensitivity of the information involved. In addition to meeting all Level 2 requirements (NIST SP 800-171 Rev 2), Level 3 incorporates 24 additional requirements selected from NIST SP 800-172. A Level 2 certification assessment by a C3PAO is a prerequisite for the Level 3 assessment. This level applies to a smaller subset of the DIB, addresses threats from advanced persistent threats (APTs), and requires a more rigorous assessment conducted by DCMA's DIBCAC (Defense Industrial Base Cybersecurity Assessment Center).
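To make the Level 2 scoring and POA&M limits concrete, the following added example (not code from the original page or from DoD) computes an assessment score from a list of unmet requirements and checks whether the remaining gaps may be deferred to a POA&M. The requirement weights are assumed from the NIST SP 800-171 DoD Assessment Methodology (only a handful of the 110 requirements are listed), and the POA&M conditions (80% minimum score, only 1-point gaps except CUI encryption at 3 points, five requirements never deferrable, 180-day closeout) are my reading of the proposed 32 CFR 170.21; verify both tables against the final rule before relying on them.

```python
"""Constructed example: score a CMMC Level 2 assessment and test POA&M eligibility.

Assumptions (not from the original page):
  * WEIGHTS/PARTIAL_CREDIT follow the NIST SP 800-171 DoD Assessment Methodology.
  * The POA&M limits reflect the proposed 32 CFR 170.21 as published.
"""
from datetime import date, timedelta

MAX_SCORE = 110  # one point per NIST SP 800-171 Rev 2 requirement

# Assumed weights; a real run would load the full 110-entry table.
WEIGHTS = {
    "AC.L2-3.1.1": 5, "AC.L2-3.1.2": 5, "AC.L2-3.1.20": 1, "AC.L2-3.1.22": 1,
    "AT.L2-3.2.1": 3, "AU.L2-3.3.1": 5, "CM.L2-3.4.1": 3, "IA.L2-3.5.3": 5,
    "PE.L2-3.10.3": 1, "PE.L2-3.10.4": 1, "PE.L2-3.10.5": 1,
    "SC.L2-3.13.11": 5, "SI.L2-3.14.1": 5,
}

# MFA and FIPS-validated encryption deduct 3 instead of 5 when partially implemented.
PARTIAL_CREDIT = {"IA.L2-3.5.3": 3, "SC.L2-3.13.11": 3}

# Assumed POA&M limits from the proposed rule.
POAM_MIN_RATIO = 0.8
POAM_MAX_POINTS = 1                            # only 1-point gaps may be deferred ...
POAM_POINT_EXCEPTIONS = {"SC.L2-3.13.11": 3}   # ... except CUI encryption at 3 points
POAM_NEVER = {"AC.L2-3.1.20", "AC.L2-3.1.22",
              "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5"}
POAM_CLOSEOUT_DAYS = 180


def deduction(req: str, fully_unmet: bool) -> int:
    """Points deducted for one requirement; partial credit applies only to MFA/encryption."""
    if req not in WEIGHTS:
        raise KeyError(f"unknown requirement {req}")
    if not fully_unmet and req in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req]
    return WEIGHTS[req]


def score(unmet: dict[str, bool]) -> int:
    """unmet maps requirement id -> True if fully unmet, False if partially implemented."""
    return MAX_SCORE - sum(deduction(req, fu) for req, fu in unmet.items())


def poam_eligible(unmet: dict[str, bool]) -> tuple[bool, list[str]]:
    """Return (eligible, reasons) for carrying the open items on a POA&M."""
    reasons: list[str] = []
    total = score(unmet)
    if total / MAX_SCORE < POAM_MIN_RATIO:
        reasons.append(f"score {total}/{MAX_SCORE} is below the 80% threshold")
    for req, fully_unmet in unmet.items():
        if req in POAM_NEVER:
            reasons.append(f"{req} may never be placed on a POA&M")
            continue
        points = deduction(req, fully_unmet)
        allowed = POAM_POINT_EXCEPTIONS.get(req, POAM_MAX_POINTS)
        if points > allowed:
            reasons.append(f"{req} deducts {points} points; at most {allowed} may be deferred")
    return (not reasons, reasons)


def poam_closeout_deadline(assessment_date: date) -> date:
    """Latest date by which the POA&M closeout assessment must be completed."""
    return assessment_date + timedelta(days=POAM_CLOSEOUT_DAYS)


if __name__ == "__main__":
    # Constructed sample: one 1-point gap plus partially implemented CUI encryption.
    gaps = {"AC.L2-3.1.1": False, "PE.L2-3.10.3": True}
    gaps = {"CM.L2-3.4.1": False, "SC.L2-3.13.11": False}
    print(score(gaps), poam_eligible(gaps))
    print(poam_closeout_deadline(date(2024, 1, 15)))
```

Note that partial credit is only defined for the two MFA/encryption requirements; any other requirement marked partial still deducts its full weight, which is why the sample with `CM.L2-3.4.1` marked partial is rejected for a POA&M even though the overall score stays above 88.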

CMMC rulemaking will affect 63% of DIB contractors at CMMC 2.0 Level 1.

Exhibit 2: Percentage of DIB contractors affected by the CMMC Proposed Rule at each CMMC Level

Phased Implementation of CMMC

The Department of Defense (DoD) will phase the Cybersecurity Maturity Model Certification (CMMC) into defense contracts through a four-phase plan. This gradual approach helps defense contractors and subcontractors adapt to the new cybersecurity rules, with each phase having its own scope and timeline.

  • Phase 1: Initial Implementation (0-6 Months): In the first six months following the effective date of DFARS 252.204-7021 (part of DFARS Case 2019-D041), the focus is on integrating CMMC compliance requirements into DoD contracts to establish basic cybersecurity measures for contractors handling Federal Contract Information (FCI). Contracts will primarily require Level 1 or Level 2 Self-Assessments.
  • Phase 2: Expansion of Requirements (6-18 Months): With Phase 2, the DoD begins including Level 2 Certification Assessment requirements in contracts involving Controlled Unclassified Information (CUI), raising the bar for protecting sensitive information.
  • Phase 3: Broadening the Scope (18-30 Months): In the third phase, all applicable DoD solicitations and contracts will require a CMMC Level 3 Certification Assessment. This phase is crucial for contractors handling the most sensitive information, as it requires advanced cybersecurity practices and controls.
  • Phase 4: Full Integration (30+ Months): The final phase represents the full implementation of CMMC requirements in all applicable DoD solicitations and contracts, including option periods. At this point, all contractors must fully comply with their specified CMMC levels.

Overall, these four phases will be rolled out over roughly three years (Phase 4 begins 30 months after Phase 1), with full implementation of all CMMC Program requirements in DoD solicitations and contracts expected by October 1, 2026.

Impact of the CMMC Proposed Rule on Defense Contractors and Subcontractors

CMMC rulemaking has widespread effects, impacting different types of contracts and CMMC levels, and includes both cloud and external service providers. It requires increased cybersecurity measures for contractors, subcontractors, and service providers.

Contract and Subcontract Requirements:

Varied Contract Type and Direct Implication on CMMC Level

Although the CMMC Proposed Rule applies to all contracts and subcontracts that involve processing, storing, or transmitting CUI or FCI on contractor information systems, it excludes contracts below the micro-purchase threshold ($10,000) and those exclusively for commercially available off-the-shelf (COTS) items.

Flow down of CMMC Requirements to Subcontractors

The proposed rule mandates that subcontractors throughout the supply chain comply with CMMC. The specific CMMC Level required of a subcontractor depends on the type of information it handles, which may differ from the level required of the prime contractor.

Waivers

The proposed rule allows DoD Program Managers to seek approval to waive CMMC requirements in certain circumstances. However, the details of this process are not fully outlined.

Cloud and External Service Providers

The proposed rule extends its reach to cloud service providers (CSPs) and external service providers (ESPs). A CSP used to process, store, or transmit CUI must hold a Federal Risk and Authorization Management Program (FedRAMP) Moderate authorization or meet the FedRAMP Moderate baseline through an equivalency determination, ensuring a baseline level of security. ESPs must themselves be assessed at the CMMC level of the contractor they service, adding another layer of compliance requirements.

Cloud Products and Services: These fall within the CMMC assessment scope and must meet the FedRAMP Moderate baseline security requirements for a contractor to achieve CMMC Level 2.

CMMC Proposed Rule : Challenges and Opportunities
Exhibit 3: Challenges and Opportunities for DIB Contractors

Legal and Compliance Challenges for Defense Contractors

The CMMC framework introduces a significant compliance burden, particularly for small and medium-sized businesses, requiring considerable resources to adapt to the new standards. However, this challenge is balanced by the framework's objective to enhance the overall cybersecurity posture of the defense industry.

Misrepresentation Risks and the False Claims Act: Companies must accurately represent their cybersecurity programs under the False Claims Act's stringent requirements, as any deviation or misstatement, intentional or otherwise, could result in severe legal consequences, including significant penalties.

Strategic Importance of Accurate Representations: The CMMC framework requires contractors to commit to transparency, with inaccuracies risking reputational damage, legal exposure, and potential exclusion from contracts.

Aligning CMMC with Contractual Obligations: Contractors must update their policies to match current and future contract requirements, ensuring compliance and the security of Controlled Unclassified Information (CUI).

Strategic Approach for Transition to CMMC 2.0

  1. Gap Assessments: Contractors should regularly compare their cybersecurity measures against CMMC Compliance requirements to identify and address gaps.
  2. Policy Adaptation: Continuous updating of policies to align with CMMC changes is crucial.
  3. Expert Collaboration: Engaging with cybersecurity experts and legal counsel can provide valuable insights for compliance and risk management.
  4. Supply Chain Vigilance: Ensuring that subcontractors and suppliers meet CMMC requirements is essential for comprehensive security.

As a Cyber-AB authorized RPO, we recommend proactive preparation for the CMMC Rulemaking rather than adopting a wait-and-see approach. Ensure compliance, enhance cybersecurity and effectively secure your defense contracts with our expert guidance.