CMMC – Key Details Are Set for DoD’s Contractor Cybersecurity Program

Published: October 18, 2024

Tags: Federal Market Analysis, Cybersecurity, Defense, Policy and Legislation, Small Business, Subcontracting

The Pentagon has finalized the key details of its long-awaited contractor cybersecurity enforcement program, including when and how it will roll out.

On October 15, the Department of Defense (DoD) posted the final Cybersecurity Maturity Model Certification (CMMC) Program rule (a.k.a. the Title 32 Code of Federal Regulations (CFR) rule, codified at 32 CFR Part 170) to the Federal Register. This first of two CMMC rules lays out in detail the structure, requirements and other elements of the overall CMMC Program. The rule has an effective date of December 16, 2024.

The second, complementary CMMC rule, the 48 CFR rule that will establish the CMMC acquisition and contract clause requirements, is expected in early-to-mid 2025, per DoD's announcement accompanying publication of the final 32 CFR rule. Details of DoD's proposed CMMC acquisition rule are available here.

Below are some of the key aspects of the 32 CFR final rule that are of interest to DoD contractors. Some details have not substantively changed from the proposed rule, while others have had their final details adjusted or clarified by DoD.

CMMC Certification Levels

The final program rule maintains the three-tiered certification levels, Levels 1 through 3, as outlined when DoD issued its CMMC 2.0 Program revision in November 2021: Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21 for Federal Contract Information, Level 2 covers the 110 security requirements of NIST SP 800-171 for Controlled Unclassified Information (CUI), and Level 3 adds a selected set of requirements from NIST SP 800-172. This includes the bifurcation of Level 2 into a self-assessment track and a third-party certification-assessment track, based upon the nature and sensitivity of the CUI handled by the contractor.

Phased Implementation

This final rule lays out a four-phased implementation approach, intended to address ramp-up issues across all affected parties (industry, assessors, DoD). Key elements include:

  • Phase 1 begins on the effective date of the 48 CFR CMMC Acquisition rule (expected early-to-mid 2025, per DoD's announcement linked above).
  • DoD will begin by adding Level 1 and Level 2 self-assessment/attestation requirements in Phase 1, then add the higher assessment types in subsequent phases: Level 2 third-party certification assessments in Phase 2 and Level 3 certification assessments in Phase 3.
  • Each subsequent phase begins one year after the start date of the previous phase.
  • Full implementation (Phase 4), in which CMMC requirements extend to all applicable solicitations and contracts, including option periods on existing contracts, is anticipated in early-to-mid 2028, given DoD's stated expectations for completion of the 48 CFR rule.

Certification Requirements

Contractors will need to hold the CMMC status designated in the contract solicitation by the time of contract award or exercise of an option period, per the final rule.

Contractor CMMC Assessments

The rule sustains the CMMC 2.0 approach in which contractors requiring the more stringent certifications must obtain independent assessments rather than self-attest: Level 2 certification assessments are performed by CMMC third-party assessment organizations (C3PAOs), and Level 3 certification assessments are performed by DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), with a Level 2 C3PAO certification as a prerequisite. A question so far has been when contractors can and should begin pursuing these assessments.

Entities may begin seeking assessments under the 32 CFR CMMC Program rule, which states the phase-in plan “does not preclude entities from immediately seeking a CMMC certification assessment prior to the 48 CFR part 204 CMMC Acquisition rule being finalized and the clause being added to new or existing DoD contracts.” (My assumption is that this applies upon the rule’s December 16, 2024 effective date, but this may not preclude companies from pursuing them sooner.)

Some Questions Remain

The finalization of the CMMC Program rule should finally dispel most questions about whether the program will become a reality. That said, some ambiguities remain to be clarified on how CMMC will roll out.

Implementation Discretion: The 32 CFR rule gives DoD some discretion and latitude in how it rolls out the program and applies these certification level requirements. For example, the rule includes phrases such as "DoD intends to include the requirement for CMMC Statuses…," "DoD may, at its discretion, include the requirement…," and "DoD may, at its discretion, delay the inclusion of requirement for…" These caveats suggest that the discretion will most likely affect specific solicitations and contracts rather than slow down implementation of the CMMC Program as a whole.

Timing of the final CMMC Acquisition Rule: DoD says it anticipates the 48 CFR rule that will establish the CMMC acquisition and contract clause requirements to be finalized in "early-mid 2025." The public comment period on the proposed rule closed on October 15, so DoD and its regulatory counterparts at the Office of Information and Regulatory Affairs (OIRA) are now adjudicating those comments and making final adjustments. Given that the 48 CFR rule is significantly shorter and tighter in scope than the program rule, it is possible that this rule could be finalized on the earlier side of that time frame, meaning that Phase 1 could commence early in 2025.

Contract Selection Process: In the phased rollout, it remains unclear exactly which contracts or recompetes DoD will choose to receive CMMC contract clauses first, and what that selection process will be. Much of the discussion to date has centered on high-priority programs. However, since Phase 1 focuses on the lower CMMC levels, it is possible that CMMC could be added to a large swath of less-sensitive contracts, affecting a significant portion of DoD contractors and subcontractors that fall within the self-assessment categories. We shall see how DoD chooses to communicate its decision process and exercise the flexibilities provided in the 32 CFR rule.

Assessor Capacity: The CMMC accreditation body, the Cyber AB, has been building capacity and certifying the third-party assessors that will be needed for Level 2 certification assessments, which are in turn a prerequisite for Level 3. Some questions remain as to whether there will be sufficient capacity to meet the demand for these assessments as the rollout commences, and how contractors will be prioritized if assessment scarcity exists. Granted, the phased approach buys some time to build capacity, but the need for hundreds of companies (or more) to obtain Level 2 and Level 3 certification assessments raises concerns among many.

DoD embarked on the CMMC effort more than five years ago, with the underlying priority of protecting Controlled Unclassified Information (CUI) dating back to 2010. Now, with the initial launch of the revised program within sight, time will tell how the implementation goes.