On December 26, 2023, the Department of Defense (“DoD”) belatedly gifted defense contractors and subcontractors a Proposed Rule on the Cybersecurity Maturity Model Certification (“CMMC”) Program. DoD also released eight CMMC guidance documents, providing interested parties a one-two combo of what to expect under the Program. The Proposed Rule has already received over 100 comments. With commenting open until February 26, 2024, will DoD proceed with a final rule, or is the Proposed Rule a Groundhog Day scenario with DoD further delaying final implementation of the CMMC Program?
First announced in 2019, the CMMC Program was designed to verify the protection of sensitive unclassified information shared between DoD and its contractors and subcontractors, or generated by contractors or subcontractors on behalf of DoD. In September 2020, DoD published an interim rule on the Program (“CMMC 1.0”), Defense Federal Acquisition Regulation Supplement (“DFARS”) Case 2019-D041, to establish the Program’s basic framework. In November 2021, DoD updated the Program as CMMC 2.0 by revising the Program’s structure and requirements, including streamlining the CMMC levels from five to three. Now, more than two years later, the Proposed Rule intends to implement the Program through formal rulemaking—almost.
While there is still rulemaking left to accomplish, namely as it relates to the operative contract clause(s), the Proposed Rule creates the new 32 C.F.R. Part 170 to “establish requirements for a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have… implemented required security measures [to safeguard sensitive unclassified information.]” The Proposed Rule addresses certain policy problems, identified by DoD to include:
- Verifying contractor cybersecurity requirements, as current regulations do not provide DoD with an assessment of a defense contractor’s or subcontractor’s implementation of the information protection requirements within pertinent clauses;
- Implementing cybersecurity requirements by specifying the required CMMC level in the solicitation; and
- Addressing scaling challenges by utilizing a private-sector accreditation structure.
To address these policy problems, the Proposed Rule establishes the CMMC Program Management Office, which is empowered to investigate and act upon assessments that have been called into question. See 32 C.F.R. § 170.6(b). Further, the Proposed Rule would require that solicitations specify the CMMC level for a particular requirement and would make an assessment at that level a condition of contract award. See id. at § 170.3(e). Finally, the Proposed Rule would establish an Accreditation Body responsible for authorizing and ensuring the accreditation of CMMC Third-Party Assessment Organizations (“C3PAOs”) to scale assessment capacity at CMMC Level 2. See id. at § 170.8.
The CMMC Basics
Consistent with CMMC 2.0, the Proposed Rule utilizes three CMMC assessment levels. The highest level, CMMC Level 3, is for those requirements with heightened security concerns, particularly to address the risk of an Advanced Persistent Threat, defined in the Proposed Rule to mean “an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception).” Level 2, one rung below, aligns with the NIST SP 800-171 safeguarding requirements that DFARS 252.204-7012 already imposes, so it covers the ground where most contractors burdened by that clause have been required to operate. Level 1 will, in practice, be a new obligation for a large number of contractors that may not have even begun thinking of cybersecurity as something necessary for the operation of their business or their contracts/subcontracts. Taking its cue from Federal Acquisition Regulation (“FAR”) 52.204-21, contractors focused on Level 1 will be assessed against their implementation of that clause’s basic safeguarding requirements for Federal Contract Information (“FCI”).