On November 4, 2021, the U.S. Department of Defense (DoD) announced its strategic direction for the Cybersecurity Maturity Model Certification (CMMC) program, which introduced an enhanced CMMC 2.0 framework. That same day, DoD published an advance notice of proposed rulemaking that identified the CMMC updates and the way forward. These changes, however, will not become mandatory until DoD’s rulemaking process is complete and the new CMMC requirements are implemented in the acquisition regulations.
DoD announced its strategic direction for the Cybersecurity Maturity Model Certification (CMMC) program on November 4, 2021. The announcement marks the completion of an internal review and the implementation of an enhanced CMMC 2.0 program. CMMC 2.0 builds upon the initial CMMC framework to improve DoD contractor cybersecurity against evolving threats. Through version 2.0, DoD seeks to simplify the CMMC standard and provide additional clarity on cybersecurity regulatory, policy, and contracting requirements; focus the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs; and increase DoD oversight of professional and ethical standards in the assessment ecosystem.
DoD first introduced CMMC 1.0 in January 2020 (see our prior discussion of CMMC 1.0 here). CMMC created a unified cybersecurity standard and certification program for companies in the defense industrial base (DIB) to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared with and handled by DoD contractors and subcontractors on contractor information systems.
In September 2020, DoD published an interim rule addressing CMMC including a requirement for DoD contractors to have an appropriate CMMC level certification prior to contract award and during contract performance (see our previous comments on the rule here). The interim rule went into effect on November 30, 2020, and created a new Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, while implementing a five-year phase-in piloting strategy with the goal to include CMMC requirements in all DoD contracts by 2026.
Most recently, however, DoD issued an advance notice of proposed rulemaking in the Federal Register, suspending the CMMC piloting efforts and indicating that it will not approve inclusion of CMMC requirements in DoD solicitations until the new CMMC 2.0 changes take effect.
Through CMMC 2.0, DoD has introduced several key changes that build on and refine the original CMMC framework, described in more detail here. The main changes are as follows:
Instead of five levels of cybersecurity maturity (e.g., basic cyber hygiene through advanced/progressive), CMMC 2.0 has been streamlined to only include three increasingly progressive levels:
Foundational / Level 1 (same as previous level 1)
Advanced / Level 2 (previous level 3)
Expert / Level 3 (previous level 5)
DoD has indicated that if contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply across the board, while in cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.
By eliminating all maturity processes and the CMMC-unique security practices, CMMC 2.0 now aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards. For instance, Level 2 maps directly to the 110 security requirements listed in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, while Level 3 will include essentially all 110 controls of NIST SP 800-171, plus a subset of controls from NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.[1]
CMMC 2.0 has eliminated the CMMC Third Party Assessment Organization (C3PAO) assessments for Level 1. This change should reduce costs and barriers for smaller businesses, as companies that handle only FCI will still be allowed to attest to their compliance with the 17 cybersecurity practices that map to those in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. Accordingly, contractors that do not handle information deemed critical to national security will be required to perform annual self-assessments against the articulated cybersecurity standards, accompanied by an annual affirmation from a senior company official that the company is meeting the requirements. DoD intends to require companies to register self-assessments and affirmations in the Supplier Performance Risk System (SPRS). Companies that self-attest to their compliance should consider the risk of false claims lawsuits from the Department of Justice’s Civil Division, given the increased scrutiny in this area.
CMMC Level 2, which was the former Level 3, is now bifurcated:
A subset of Level 2 companies who will not be handling information deemed critical to national security will be allowed to demonstrate compliance through self-assessments and provide an annual affirmation that the company is meeting requirements.
However, those Level 2 companies managing information critical to national security will be required to undergo third-party assessments by C3PAOs accredited by the CMMC Accreditation Body (CMMC-AB). If subject to this requirement, the contractor will be fully responsible for obtaining the necessary assessment and certification. After the completion of the CMMC assessment, the C3PAO will provide an assessment report to DoD.[2] These third-party assessments will be required on a triennial basis.
CMMC Level 5 (now Level 3) requirements are under development
The new Level 3 will largely rely on NIST SP 800-172, which is a supplement to NIST SP 800-171 that provides enhanced cybersecurity controls to protect CUI associated with a critical program or a high value asset from advanced persistent threats. We previously wrote about NIST SP 800-172 (formerly NIST SP 800-171B) here. Level 3 will include the highest priority, most critical defense programs and will require government-led assessments. DoD has indicated that the government-led assessments will be required on a triennial basis. The more detailed assessment requirements are currently under development, but will likely be similar to those assessments conducted by the Defense Industrial Base Cybersecurity Assessment Center.
DoD has indicated that it will create a Plan of Action and Milestones (POA&M) process, which is a significant change to the CMMC program. CMMC had initially required 100 percent compliance for contractors to obtain a certification at their desired CMMC level, but CMMC 2.0 will allow POA&Ms for completing outstanding CMMC requirements. DoD hopes to specify a baseline number of requirements that must be achieved prior to contract award, allowing the remaining subset to be addressed in a POA&M within a clearly defined timeline. DoD also intends to specify a small subset of requirements that cannot be placed on a POA&M in support of achieving a CMMC certification, and will establish a minimum score requirement to support certification with POA&Ms.
The waiver process is new to CMMC; it will require senior DoD leadership approval and will be of limited duration. Specifically, a DoD program office will be required to submit a justification package that includes the specified timeline and an associated risk mitigation plan. The additional specifics of the waiver requirements will be implemented as part of the rulemaking process, but DoD has indicated that a waiver will apply to an entire CMMC requirement, not to individual cybersecurity practices.
The CMMC 2.0 changes will be implemented through the rulemaking process. Specifically, DoD will pursue rulemaking in: 1) title 32 of the Code of Federal Regulations (CFR), to establish the CMMC 2.0 program; and 2) title 48 CFR, to implement any needed changes to the CMMC program content in 48 CFR.
Both rules will have public comment periods, and CMMC will not become mandatory until the title 32 and title 48 CFR rulemakings are complete. At that time, contractors should then expect to see the required CMMC level in solicitations and Requests for Information, if utilized.
While DoD will be implementing changes to the CMMC program through additional rulemaking,[3] it encourages contractors to continue to enhance their cybersecurity posture during the interim period while the rulemaking is underway. DoD is also exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period. The Department intends to post the CMMC 2.0 model for Levels 1 and 2, their associated Assessment Guides, and scoping guidance to its website in the coming weeks for informational purposes. Level 3 information will likewise be posted as it becomes available.
If you have questions about CMMC and how the requirements may apply to you, please contact an author of this post or the Hogan Lovells lawyer with whom you regularly work.
[1] DoD has indicated that Level 3 is currently under development, so it is not clear how DoD will determine which enhanced controls will apply. For instance, it is not clear whether this will occur on a case-by-case basis, as NIST SP 800-172 itself states that “[t]here is no expectation that all of the enhanced security requirements will be selected by federal agencies implementing this guidance. The decision to select a particular set of enhanced security requirements will be based on the mission and business needs of federal agencies and guided and informed by ongoing risk assessments.”
[2] DoD has indicated that it will be storing self-assessment results on SPRS while CMMC certificates and the associated third-party assessment data will be stored in the CMMC Enterprise Mission Assurance Support Services (eMASS) database. CMMC eMASS will automatically post a copy of a company’s CMMC certificate to the SPRS. The detailed results of a CMMC assessment will not be made public. If a company voluntarily chooses to obtain a CMMC assessment and certification from a third-party assessment organization in the absence of a contractual requirement, the company must provide written consent to allow DoD access to or use of those assessment results. If a company consents to DoD access and use of data relating to the assessment, then DoD intends to store that information on eMASS.
[3] For instance, DoD has indicated that it will address equivalent standards (e.g., Federal Risk and Authorization Management Program (FedRAMP)) and the application of CMMC to non-U.S. companies through the rulemaking process.