
New CMMC 2.0 Guidance Issued

02.18.2025

The Department of Defense (DoD) recently issued a memo titled "Implementing the Cybersecurity Maturity Model Certification (CMMC) Program: Guidance for Determining Appropriate CMMC Compliance Assessment Levels and Process for Waiving CMMC Assessment Requirements." The memo reinforces existing information regarding the Controlled Unclassified Information (CUI)-centric cybersecurity program, but it also brings into the fold some points the Defense Industrial Base (DIB) should consider as it prepares for a full-fledged roll-out of CMMC 2.0, barring any redirection from the current administration.

The memo reminds the DIB that the final CMMC 2.0 DFARS rule (48 CFR) must be published before the phased roll-out can begin, i.e., before contractors will see the CMMC 2.0 requirements and the requisite CMMC level appear in DoD contracts or subcontracts. Until the rule is implemented through 48 CFR, CMMC 2.0 simply does not apply to any procurement. Appended to the memo are two attachments: (1) Cybersecurity Maturity Model Certification Level Determination; and (2) Cybersecurity Maturity Model Certification Waiver Applicability and Reporting Requirements. The attachments set forth guidelines for how a program office will determine which CMMC 2.0 level (1 through 3) applies to a procurement and when granting a waiver is appropriate, respectively.

The memo and attachments highlight the following key points, which DIB contractors should consider in their go-forward approach toward CMMC 2.0 compliance:

  • The phased roll-out begins on the publication date of the final DFARS 48 CFR rule by implementing Level 1 requirements for contracts containing Federal Contract Information (FCI). Level 2 Certification requirements for contracts containing CUI will follow, as needed, one year later, and Level 3 Certification requirements for contracts containing CUI that needs enhanced protection will follow, as needed, two years later;
  • Non-FAR-based grants and other legal agreements will be required to follow CMMC requirements just like FAR-based procurements;
  • CMMC Level 2 Self-Assessments are allowable only for CUI that falls outside the National Archives' CUI Registry Defense Organizational Index Grouping. For example, if the CUI is export-controlled data that is not listed under any of the five Defense categories, the contractor may be able to self-assess;
  • CMMC Level 2 Certifications will be required for CUI that falls inside the Defense Organizational Index Grouping (i.e., within the five Defense categories);
  • Waivers are unlikely to be granted for Level 1 and Level 2 Self-Assessment procurements. In rare cases, a certification waiver may be granted in lieu of the assessment requirements of Level 2 and Level 3;
  • Contractors don't ask for waivers; the Program Manager and requiring activity determine whether a waiver is appropriate, subject to executive-level approval;
  • Waivers are not available for procurements requiring performance by cleared defense contractors; and
  • Securing a waiver doesn't excuse DIB contractors pursuing the procurement from following other cybersecurity requirements, such as FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems; DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting; and the underlying cybersecurity standards, which remain in effect during a waiver if otherwise applicable. The waiver applies only to the need to perform the assessment.

Reading between the lines, DIB contractors should expect CMMC 2.0 requirements to be pursued pervasively by DoD grant and procurement offices. Contractors cannot rely on being able to self-assess, because the CUI criteria for the Level 2 Self-Assessment are narrowly defined, and they should not count on an assessment waiver being granted for a particular procurement, especially if they are cleared defense contractors. Contractors should prepare to follow the cybersecurity requirements even where a waiver has been granted. Again, the waiver releases contractors only from the assessment requirement of CMMC 2.0, not from the cybersecurity requirements themselves.

The memo also outlines DoD's next steps, including updating DoD instructions to reflect the policies set forth in the memo and the attachments. As the specifics of the program, including logistical considerations, continue to take shape, these resources, once available, should give DIB contractors additional insight into CMMC 2.0 mechanics and further inform an effective approach toward compliance.

The Morris, Manning & Martin, LLP Government Contracts team continues to closely track cybersecurity updates, including developments in CMMC 2.0, and is available to advise clients as the compliance regime continues to shift and develop.