The Department of Defense (“DoD”) has released a draft of its proposed Cybersecurity Maturity Model Certification (“CMMC”) Program rule just in time for the holidays. The rule—which is scheduled to be published December 26, 2023—is over 200 pages, and we will publish follow-up articles as we have time to analyze the new requirements. At a high level, here is what DoD has proposed:
- Tiered Model: CMMC requires companies entrusted with national security information to implement cybersecurity standards at progressively more demanding levels, depending on the type and sensitivity of the information they handle. Those levels range from CMMC Level 1 (the most basic) to CMMC Level 3 (the most advanced).
- Assessment Requirement: CMMC requires certain contractors at CMMC Levels 2 and 3 to undergo assessments by an independent assessor rather than rely on self-assessment alone, which allows DoD to verify that the CMMC cybersecurity standards have actually been implemented.
- Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors handling sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
As expected, the new CMMC rule will require contractors (including subcontractors) to meet one of three CMMC Levels based on the type of information they will receive under the DoD contract:
- CMMC Level 1: Contractors must implement the 15 basic safeguarding requirements already imposed by FAR 52.204-21. Contractors must verify compliance with these requirements by performing an annual self-assessment and uploading the results to the Supplier Performance Risk System (“SPRS”). In addition, a contractor “senior official” will be required to affirm annually, through SPRS, that the contractor continues to comply with the security requirements.