CMMC – DoD Advances Rules for Contractor Cybersecurity Requirements

Published: December 28, 2023

The Pentagon’s proposed regulations to enforce contractor cybersecurity practices will determine which companies are eligible for DoD contracts.

This week the Department of Defense (DoD) officially released its CMMC proposed acquisition rule in the Federal Register. Once finalized, the rules will govern which companies will be eligible for DoD contracts and at which levels.

The DoD chose to go the route of Proposed Rule vs. Interim Rule, which stretches out the timeline for CMMC refinement and implementation, rather than immediately implementing elements of CMMC into acquisitions as the program is refined. The result is that CMMC implementation will stretch throughout 2024 and 2025, and into 2026.

Contractors can weigh in on the DoD’s proposed rule during the public comment period, which is open through February 26, 2024.

CMMC Implementation – Key Takeaways

  • CMMC 2.0 – Those who have been watching the evolution of the CMMC program will recall the concerns over the cost of preparing for and undergoing third-party cybersecurity assessments for defense industrial base (DIB) companies – especially small businesses. Those concerns about the originally proposed program led the Pentagon to revise the CMMC program to its current 2.0 version, simplifying the certification levels and providing for lower-cost self-attestations for certain contracts and information.
  • Cybersecurity Standards – Contractors will be assessed against National Institute of Standards and Technology (NIST) cybersecurity standards for protecting Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) on non-federal systems, based on standards from NIST SP 800-171r2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and supporting NIST standards. Although these NIST standards are already required to be applied under Defense Federal Acquisition Regulations (DFARS), CMMC will verify contractor compliance.
  • Phased Implementation – The DoD is taking a four-phased implementation approach over a three-year period to provide appropriate ramp-up time, to minimize the financial impacts to defense contractors, especially small businesses, and disruption to the existing DoD supply chain.
  • Timeline – DoD intends to include CMMC requirements for Levels 1, 2, and 3 in all solicitations issued on or after October 1, 2026. However, DoD also says that during the intervening three-year implementation period, federal program managers “will have discretion to include CMMC requirements or exclude them and rely upon existing DFARS Clause 252.204–7012 requirements” (which requires compliance with NIST 800-171 security controls and tracks with CMMC Level 2).
  • Flow-down Requirements – Prime contractors will be responsible for flowing down the CMMC requirements to their subcontractors.
  • Contractor Implementation Guidance – Concurrent with the proposed rule, DoD also released implementation guidance to help contractors prepare for their appropriate certification level assessments – from Level 1 through Level 3 – covering both contractor self-assessments as well as assessments by an accredited Certified Third-Party Assessment Organization (C3PAO).

Contractor Implications

Defense contractors are finally able to see the firming-up of the DoD’s plans for CMMC, although many of these details were outlined when the DoD announced CMMC 2.0 revisions. Many astute companies have been working to implement the NIST standards in compliance with the DFARS and in preparation for CMMC. For companies that have waited to begin preparing, the proposed rule lays out the time they have left to get on board, although some opportunities may be missed on contracts that begin including CMMC requirements earlier in the phase-in period. Anticipating which contracts these might be becomes a bit of a prognostication exercise. Keep close tabs on your market research resources and watch for signals from individual program management offices.

For early-adopter companies that have prepared for advanced assessments and certifications, this may be the time to begin courting potential teaming partners, using your CMMC readiness to set you apart from other firms.

Finally, although this is not directly associated with DoD contracts or with CMMC, observant contractors will have noticed that some civilian agencies are looking to raise the bar for their contractors’ cybersecurity practices. For example, the Department of Homeland Security (DHS) is planning its own Cybersecurity Readiness Factor (CRF) contract requirement program. While DHS will not adopt the same certification schema as DoD, its CRF program is based on the same NIST standards. DHS contractors should be getting their own cyber-houses in order as DHS prepares to roll out its CRF program. Other civilian agencies are sure to adopt similar approaches going forward.