Baker & Hostetler LLP

09/10/2024 | Press release | Distributed by Public on 09/10/2024 13:13

CMMC Barrels Closer to Implementation with Latest Proposed Rule Establishing DFARS Contract Clauses


Cybersecurity Maturity Model Certification (CMMC) is coming - and now appears to be coming faster than many defense contractors believed. In the latest signal of CMMC's forward momentum, the Department of Defense (DoD) issued a proposed rule on August 15, 2024, amending Title 48 CFR (Cybersecurity Requirements Proposed Rule), which defines how CMMC requirements should be implemented. The comment period runs through October 15, 2024. Assuming the companion 2023 proposed rule that establishes the CMMC 2.0 program (CMMC 2.0 Proposed Rule) is finalized by the end of 2024, defense contractors could begin seeing CMMC requirements in their contracts by spring 2025. With these updated timelines, and because the proposed rules require a contractor's compliance before contract award, defense contractors should begin the CMMC compliance process now (if they have not already done so) to avoid missing out on potential future contracts.

Background

Cybersecurity requirements for defense contractors are not novel. Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, which took effect in 2017, requires most defense contractors handling Covered Defense Information to implement the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Contractors self-certify compliance with the controls, and DoD verification has been rare. Recognizing that self-attestation has led to lax compliance with the NIST controls, DoD launched the CMMC initiative to increase compliance through third-party verification. The first iteration, CMMC 1.0, would have required defense contractors to obtain third-party assessments across all five of the framework's certification levels to receive a contract award.

In March 2021, in response to about 750 public comments, many of which expressed concern about the broad third-party assessment requirement and its burden on small contractors, DoD initiated an internal review of CMMC's implementation. Several months later, in November 2021, DoD announced its intent to update the CMMC program. This update created CMMC 2.0, which consolidated the compliance levels from five to three and allowed for self-assessments for Level 1 and some of Level 2. The three CMMC 2.0 compliance levels for contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are:

Level | Handling | Security Controls
1 | FCI | 17 controls required by the Federal Acquisition Regulation (FAR) 52.204-21.
2 | CUI | 110 controls aligned with NIST SP 800-171 Rev. 2.
3 | CUI | Not yet released; DoD has indicated they will include the Level 2 controls plus a subset of NIST SP 800-172 controls.

While the CMMC 2.0 Proposed Rule created the CMMC 2.0 framework, it did not explain how DoD would implement the CMMC. The Cybersecurity Requirements Proposed Rule helps bridge this gap.

The Cybersecurity Requirements Proposed Rule

The Cybersecurity Requirements Proposed Rule tells us how DoD will verify that contractors are CMMC compliant, which DFARS provisions DoD must include in solicitations and contracts, and the timeline DoD will follow to implement CMMC.

Compliance Verification

To achieve an award or extend a period of performance, contractors must verify their CMMC compliance in the Supplier Performance Risk System (SPRS) by the time the contract is awarded. This means many contractors must start their compliance process now to help ensure compliance by the time DoD begins inserting CMMC provisions in new contracts and extensions. For each system that will be used in performance of the contract that will process, store or transmit FCI or CUI, a contractor must verify (1) the results of a current CMMC certificate or self-assessment at the level required by the solicitation or higher, and (2) a current affirmation of continuous compliance with CMMC. SPRS will assign a DoD Unique Identifier (DoD UID) to each system subject to verification, and the contractor must provide the DoD UID to the contracting officer to assess compliance.

The Cybersecurity Requirements Proposed Rule uses the following definitions of "current":

For | "Current" is defined as
Level 1 self-assessments | Not older than 1 year, with no changes in CMMC compliance since the assessment.
Level 2 certificates and self-assessments | Not older than 3 years, with no changes in CMMC compliance since the assessment.
Level 3 certificates | Not older than 3 years, with no changes in CMMC compliance since the assessment.
Affirmations of continuous compliance | Not older than 1 year, with no changes in CMMC compliance since the affirmation.

Contractors must notify contracting officers within 72 hours when there are any lapses in information security or changes in CMMC compliance. However, the proposed rule does not define what constitutes either a lapse in information security or changes in CMMC compliance. At a minimum, this ambiguity could effectively expand a contractor's "cyber incident" reporting obligations in DFARS 252.204-7012.

The ambiguity might also require contractors to overreport on changes to their environments. For example, the CMMC 2.0 Proposed Rule indicates that infrastructure modifications may require a new assessment. An on-premises-to-cloud migration may therefore be considered an infrastructure change even if both environments are CMMC compliant. This requirement could also lead to the unintended consequence that contractors forgo upgrades and changes to their cybersecurity programs for fear of losing certification, which is inconsistent with the need to evolve and adapt as the threat landscape changes. We will be watching for further clarity on these provisions as DoD finalizes the rule.

Updates to DFARS

Notice: A new DFARS provision, 252.204-7YYY (which will receive a number when the rule is finalized), will require contracting officers to designate a CMMC level for each solicitation. The prime contractor, and any subcontractors that will process, store or transmit FCI or CUI on behalf of the prime contractor, must reach the stated CMMC level by the time the contract is awarded.

Definition of CUI: The revised DFARS 252.204-7021 adopts the definition for "controlled unclassified information" or CUI that applies to other governmental agencies. In the revised clause, CUI is defined as "information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls." This definition, however, does little to help contractors identify CUI. As a result, identifying CUI will likely continue to be one of the preliminary hurdles contractors face when attempting to implement the required cybersecurity controls. Indeed, DoD dismissed multiple commenters' pleas that DoD train personnel to mark CUI.

Flowdown: Prime contractors must flow the CMMC certification requirements down to subcontractors at all tiers when the subcontractor(s) will process, store or transmit FCI or CUI on the prime contractor's behalf. The certification level required for subcontractors will be the same as it would be for the prime contractor if the prime contractor were handling the same information. The rules, however, are silent on how contractors must verify their subcontractors' compliance. Contractors lack access to a subcontractor's SPRS scores and must therefore rely on other methods to confirm compliance, such as a screenshot of the SPRS scores or an attestation from the subcontractor.

Conflict in NIST revisions: Several commenters raised a concern about which version of NIST 800-171 will apply under these clauses - Revision 2 (which was the most current version through May 2024) or Revision 3 (which NIST published in May 2024). The conflict arises because DFARS 252.204-7012 requires compliance with the version of NIST SP 800-171 "in effect at the time the solicitation is issued…" while DFARS 252.204-7021 would require compliance with NIST 800-171 Rev. 2. DoD has temporarily addressed this conflict by issuing a class deviation that delays compliance with Revision 3. We expect DoD will leave this deviation in place until it can arrange for an orderly transition to Revision 3 across all relevant DFARS clauses. Thus, contractors may focus current compliance efforts on Revision 2, but should plan road maps for compliance with Revision 3.

Timeline - Three-Year Phased Rollout

For the first three years after the effective date of the final version of the Cybersecurity Requirements Proposed Rule, CMMC requirements will be included only in contracts specifically identified by the CMMC Program Office. Contractors will know that CMMC applies to the contract, and the specific compliance level required, based on the inclusion of DFARS 252.204-7YYY in the solicitation. Still, the Cybersecurity Requirements Proposed Rule does not specify how the Program Office will identify these contracts.

While this rollout ensures that only a limited number of prime contractors will need to be CMMC certified in the months to come, many subcontractors may need the certifications along with those primes. Where a solicitation includes the CMMC requirement, the prime contractor will almost certainly impose the requirement on its subcontractors as well, because prime contractors are tasked with ensuring their subcontractors meet these obligations.

After three years, CMMC requirements will be included in all solicitations and contracts - including solicitations and contracts for most commercial products and services that are not exclusively for commercially available off-the-shelf items - that require the contractor to process, store or transmit FCI or CUI on contractor information systems during contract performance. In year four, DoD estimates CMMC will affect 29,543 entities, of which about 70 percent will be small businesses. Again, these numbers only account for prime contractors, as DoD does not presently have visibility into the extent of subcontractors involved per award containing DFARS 252.204-7012.

Key Takeaways

As CMMC continues to evolve in its final push toward implementation, contractors should take several key points away from the latest Cybersecurity Requirements Proposed Rule:

  1. The time for compliance is now. The latest Cybersecurity Requirements Proposed Rule leaves little doubt that the CMMC program is going forward after numerous fits and starts. Contractors cannot wait until the requirement starts appearing in solicitations to begin the certification process. According to the Government Accountability Office, the time between solicitation and contract award is typically about one month, leaving little time for contractors and subcontractors to obtain the required certification if they have not prepared for or already completed the required assessment(s).
  2. CMMC and the increasing demand for and scrutiny of cybersecurity will remain a focus for regulators responsible for protecting sensitive data such as FCI and CUI. For the contractors and subcontractors handling this data, compliance and certification will be not a one-time event but an ongoing process. Between recertification, preventing lapses in compliance, notifying the contracting officer of changes, and understanding and implementing practices to address the potentially enhanced notification requirements, cybersecurity will need to remain a daily focus for DoD contractors.
  3. Significant uncertainty remains. Contractors should diligently document their cybersecurity processes and any assumptions made during the certification process. These real-time explanations of the rationale behind the contractor's interpretation of the undefined (or ambiguously defined) aspects of CMMC may be critical to fend off future enforcement actions.

Where to Go from Here

For a contractor or subcontractor that will be subject to the CMMC requirements, there are steps that can be taken today to help prepare for the future.

Get Involved. For contractors that would like to shape the future of CMMC's implementation, now is the time to review the Cybersecurity Requirements Proposed Rule and submit comments. Comments are due by October 15, 2024.

Implementing a CMMC Readiness Plan. All contractors that currently handle, or would like to handle, FCI or CUI in the future should put a plan in place to become CMMC certified. Regardless of whether contractors plan to certify now, contractors should begin aligning their security posture to CMMC's requirements before it is fully implemented.

Creating a CMMC Readiness Plan. A great starting point for contractors is to develop a road map addressing where they are, what they would like to accomplish and what steps they should take to reach their goal.

We are here to help.

Our cross-disciplinary team of attorneys in our Government Contracts and Digital Assets and Data Management groups draws upon technical knowledge, unrivaled incident response experience, and outcomes from remediations of incidents and regulatory investigations to help organizations generate and implement solutions. This technical experience is coupled with our strong government contracting skills honed from decades advising and representing clients in all areas of public contract law.

We are closely following the ever-increasing cybersecurity requirements for government contractors. Whether you would like to better understand the current landscape or are ready to begin implementing your CMMC readiness plan, we are here to help.