DoD Suggests Revisions to Cybersecurity Model Certification Standards

Understanding the Proposed Changes to the Cybersecurity Maturity Model Certification (CMMC) 2.0 Program

On August 15, 2024, the U.S. Department of Defense (DoD) took a significant step in enhancing cybersecurity within its supply chain by publishing a proposed rule that amends the Defense Federal Acquisition Regulation Supplement (DFARS). This proposed rule outlines the contractual framework for the agency’s Cybersecurity Maturity Model Certification (CMMC) 2.0 program. As organizations within the DoD supply chain prepare for compliance, understanding the implications of this proposed rule is crucial.

What is CMMC and How Has it Evolved?

The CMMC program was first introduced by the DoD in June 2019 as a response to growing cybersecurity threats facing defense contractors. Prior to CMMC, contractors were required to self-certify their compliance with DoD cybersecurity requirements under DFARS 252.204-7012. However, this self-certification model lacked the rigor needed to ensure the protection of sensitive, unclassified information shared between the DoD and its contractors.

CMMC introduced a more structured approach, requiring independent third-party assessments to verify compliance with specific cybersecurity standards, including the NIST SP 800-171 security controls. The program aims to ensure that all defense contractors and subcontractors meet stringent cybersecurity requirements, thereby safeguarding Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

In November 2021, the DoD revised the CMMC framework to CMMC 2.0 in response to industry feedback. This updated model features a tiered approach to cybersecurity requirements, allowing companies to implement standards based on the sensitivity of the information they handle. It also emphasizes the importance of assessments and formalizes the implementation of these requirements through contracts.

Where Are We Now?

The formal rollout of the CMMC program is on the horizon, with two proposed rules currently navigating the federal rulemaking process. Once finalized, these rules will require nearly all recipients of DoD funding to comply with CMMC 2.0 cybersecurity requirements in most DoD solicitations and contracts.

The first proposed rule, issued in December 2023, outlines the technical and reporting requirements for CMMC under a new section of the Code of Federal Regulations at 32 CFR Part 170. The comment period for this rule has closed, and the final rule is expected soon. The second proposed rule, released on August 15, 2024, amends the DFARS to require contracting officers to incorporate CMMC certification requirements into DoD procurements.

This proposed rule includes several key modifications to the DFARS, including:

  1. References to CMMC 2.0 Requirements: It adds references to the new CMMC requirements outlined in 32 CFR Part 170.
  2. Definitions: It introduces definitions for Controlled Unclassified Information (CUI) and DoD-unique identifiers.
  3. Solicitation Provisions: It establishes a solicitation provision to be included in all contracts covered by CMMC 2.0.
  4. Revisions to Existing Clauses: It revises existing DFARS clause language to align with the new requirements.

The proposed rule also outlines a three-year phased rollout, with full implementation expected by Year 4.

When Does CMMC Apply?

Once both proposed rules are finalized, a three-year phase-in period will commence. During this time, if a CMMC requirement is included in a contract, the contractor must comply and flow down applicable certification requirements to subcontractors. After the phase-in period, CMMC will apply to all DoD solicitations and contracts valued above the current micro-purchase threshold, except for commercially available off-the-shelf items.

Contracting officers will be prohibited from making awards or extending contract periods if the contractor has not provided evidence of certification for the required CMMC level. This evidence must be established at the time of award and reasserted annually in the Supplier Performance Risk System (SPRS) for all information systems handling FCI or CUI.

Key Takeaways and Next Steps

The comment period for the 32 CFR rule has closed, and the final rule is anticipated soon. The comment period for the 48 CFR proposed rule remains open until October 15, 2024. While the government is not obligated to publish a final rule within a specific timeframe, there is a strong desire within the DoD to implement the CMMC program promptly.

Organizations within the DoD supply chain should take proactive steps to prepare for compliance with CMMC 2.0. This includes:

  • Assessing Current Cybersecurity Posture: Organizations should evaluate their existing cybersecurity measures against the NIST SP 800-171 standards to identify gaps and areas for improvement.
  • Developing a Compliance Plan: A tailored compliance plan should be developed, considering potential business opportunities and ongoing security initiatives.
  • Planning for Security Assessments: Organizations should begin planning for security assessments and CMMC certification activities, ideally under the guidance of outside counsel to protect the results under attorney-client privilege.

In conclusion, the proposed changes to the CMMC 2.0 program represent a significant shift in how the DoD approaches cybersecurity within its supply chain. By understanding these changes and taking proactive steps toward compliance, organizations can better position themselves for future opportunities within the defense contracting landscape.