The Race to Full Implementation Continues: CMMC 2.0 Gains Even More Traction

08.28.2024

As the presidential race rages on, so too does the race to fully implement the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. The CMMC 2.0 program impacts Defense Industrial Base (DIB) contractors and subcontractors that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The rules established under this program are intended to protect the DIB against the loss of sensitive information and intellectual property.

To recap, the CMMC 2.0 program is being implemented in Titles 32 and 48 of the Code of Federal Regulations (CFR). The 32 CFR proposed rule was published in the Federal Register on December 26, 2023, and it is currently under review for finalization after receipt of more than 700 public comments.

On August 15, 2024, the Department of Defense (DoD) published its proposed rule at 48 CFR to implement CMMC 2.0 into the Defense Federal Acquisition Regulation Supplement (DFARS) and incorporate the CMMC 2.0 program contractual requirements. Interested parties are encouraged to submit public comments until the deadline of October 15, 2024.

The 48 CFR rule proposes to:

  1. Add references to the CMMC 2.0 program requirements proposed at 32 CFR part 170;
  2. Add definitions for CUI and DoD unique identifier (DoD UID) to the subpart;
  3. Establish a solicitation provision (DFARS 252.204-7YYY; exact number to be assigned) and its prescription; and
  4. Revise the existing clause language (DFARS 252.204-7021) and its prescription, which includes noteworthy requirements such as notifying the Contracting Officer within 72 hours when there are any “lapses in information security” or “changes” in the status of the CMMC certificate or CMMC self-assessment levels during performance of the contract; annual affirmations; reporting and tracking requirements in the Supplier Performance Risk System (SPRS) and DoD UID assignments; and subcontractor flow-down requirements.

As of this writing, 12 comments on the proposed rule have been received, covering important topics such as asking the DoD to clarify certain undefined terms from DFARS 252.204-21, i.e., “lapses in information security” (emphasis added) and “any changes to the list of DoD UIDs applicable to each of the contractor information systems that process, store, or transmit FCI or CUI and that are used in performance of the contract” (emphasis added).

After reviewing and addressing the comments, DoD is expected to publish the final 48 CFR rule in the first quarter of 2025. Once effective, covered contractors will need to implement the rule requirements in accordance with the program’s three-year phased roll-out schedule, implementing the CMMC level specified in their solicitations or contracts. For example, if contracts are likely to require a Level 2 C3PAO certification, then contractors do not need to implement the rule requirements until they show up in solicitations or contracts during phase 2. After the phased roll-out, the requirements will apply universally to all FCI and CUI contracts, which will specify the required CMMC level that offerors and contractors need to achieve.

Members of the DIB are encouraged to prepare for imminent implementation of the 48 CFR rule in the event substantive changes are not made before the final rule is issued. DIB members should also keep in mind that additional supporting rules and guidance for CMMC 2.0 are in the beginning stages of development and review within the DoD (e.g., updating DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, to harmonize certain terminology), the impacts of which are yet to be seen. Additionally, the DoD could rescind the effective class deviation, which waives the requirement to meet the standards of the latest version of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, currently Revision 3. Most contractors achieving CMMC 2.0 compliance are only in compliance with Revision 2 as of today.

Thus, covered DIB contractors should take immediate action to:

  • Obtain CMMC certification (or self-assessment) at the anticipated level required (it is anticipated that many contractors will be required to possess a Level 2 CMMC certification) for each affected system;
  • Prepare to maintain CMMC certification, if required, for each affected system throughout the performance of the contract (and prepare to affirm compliance on an annual basis);
  • Share the results of the CMMC certification(s) in the SPRS and track the DoD UIDs assigned to each CMMC-certified system;
  • Assess your information systems and protocols to ensure that DoD information is processed, stored, and transmitted in a manner that meets the standards and requirements of the CMMC certification for that system;
  • Consider the level of effort required to meet NIST SP 800-171 Rev. 3 standards and begin to implement such standards to the extent possible to prepare for whenever the current DoD class deviation is rescinded;
  • Require subcontractors and suppliers to affirm their own continuous compliance with the CMMC requirements and require them to notify you when compliance changes (i.e., use representation and warranty statements, attestations, etc.); and
  • Implement a policy to notify the contracting officer within 72 hours of any lapses in information security or changes in the status of the CMMC certification or self-assessment levels.

The Morris, Manning & Martin, LLP Government Contracts team continues to closely track cybersecurity updates, including developments to CMMC 2.0, and is available to advise clients as the compliance regime continues to shift and develop.