DOD Issues Final CMMC Rule

On October 15, 2024, the U.S. Department of Defense (DoD) published the final rule for the Cybersecurity Maturity Model Certification (CMMC) Program in the Federal Register (Title 32 Code of Federal Regulations, Part 170).

When the rule was first proposed on December 26, 2023, the Office of Advocacy filed a comment letter outlining small business concerns. The final rule will affect DoD contractors and subcontractors at every tier, imposing National Institute of Standards and Technology (NIST) security requirements on those that handle covered government information.

Summary

CMMC requirements apply to all DoD solicitations and contracts under which a defense contractor or subcontractor will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on unclassified contractor information systems, including solicitations and contracts for commercial items. There is a limited exemption for contracts solely for commercially available off-the-shelf (COTS) items.

CMMC requirements flow down from the prime contractor to any subcontractor that will process, store, or transmit the prime contractor's FCI or CUI. Prime contractors may enclave the parts of their operations that handle FCI and CUI to limit which subcontractors are exposed to that information. In addition to the tiered security requirements, CMMC requires a "senior level representative" of the contractor to affirm the contractor's compliance annually.

Levels of Compliance

CMMC has three increasing levels of security compliance:

  1. Level 1 applies to contractors that handle only Federal Contract Information (FCI). They must meet the 15 basic safeguarding requirements in Federal Acquisition Regulation (FAR) 52.204-21 and self-assess against them annually.
  2. Level 2 applies to contractors that hold Controlled Unclassified Information (CUI). They must meet the 110 security requirements in NIST SP 800-171, which encompass the Level 1 requirements, and most will need a certification assessment by a CMMC Third Party Assessor Organization (C3PAO) rather than a self-assessment.
  3. Level 3 contractors must satisfy all Level 1 and Level 2 requirements plus 24 selected security requirements from NIST SP 800-172. Level 3 assessments are conducted by the government (DoD's Defense Industrial Base Cybersecurity Assessment Center) rather than by a C3PAO.

Steps Towards Implementation

The final rule establishes the CMMC program, but CMMC requirements reach contractors only through a second, separate rule: a Title 48 Code of Federal Regulations (CFR) acquisition rule that amends the Defense Federal Acquisition Regulation Supplement (DFARS) so that contracting officers can put CMMC requirements into solicitations and contracts. Comments on that proposed DFARS rule closed on Tuesday, October 15, 2024. It will amend DFARS 204.75 and 252.204-7021 (and potentially add DFARS 252.204-7022). Importantly, the DFARS rule has not yet been finalized. While the CMMC program rule is final and subject to a 60-day congressional review, it cannot be implemented in contracts until the DFARS rule becomes final.

Under the Congressional Review Act, Congress can block the rule from taking effect by passing a joint resolution of disapproval. Rules submitted late in a congressional session remain open to review by the incoming Congress in the next calendar year as well as by the current one.

Potential timeline for implementation, assuming the DFARS rule takes effect in early 2025 (the phases are tied to that rule's effective date, not to fixed calendar dates, and each phase adds requirements at the three certification levels described above):

  • March 1, 2025: Phase 1 begins. Level 1 and Level 2 self-assessments become contract requirements.
  • March 1, 2028: Final phase of implementation. All applicable contracts will carry CMMC requirements, including Level 2 third-party certification and Level 3 where required.

If you have any questions, contact Major Clark at major.clark@sba.gov or David Mullis at david.mullis@sba.gov.