UPDATE! CMMC 2.0
DoD Rings In 2024 With Proposed CMMC Rule
On December 26, the DoD unveiled the CMMC 2.0 proposed rule, a pivotal step towards unifying cybersecurity requirements for contractors and subcontractors within the Defense Industrial Base (DIB). Addressing the gaps in existing DFARS clauses, the rule will establish a centralized mechanism ensuring continuous compliance with cybersecurity standards. Anticipated for over two years, this rule follows the shift from CMMC 1.0 to CMMC 2.0 that occurred in November 2021. The final rule, expected in early 2025, will incorporate CMMC clauses into DoD contracts. Stakeholders, including the DoD, are encouraged to submit comments by February 26, 2024.
The requirements of the proposed rule will apply to all DoD contracts and subcontracts where the awardees will process, store, or transmit information that meets the definitions of Federal Contractor Information (FCI) or Controlled Unclassified Information (CUI) on non-federal information systems. The requirements will be implemented and incorporated within DoD solicitations and contracts.
The three maturation levels of CMMC 2.0
CMMC Level 1 (Foundational)
This is the foundational certification. It aligns with FAR 52.204-21's fifteen (15) security requirements, implemented through seventeen (17) security controls. Contractors, typically already compliant with these obligations, undergo annual self-certification, entering results into the SPRS (Supplier Performance Risk System). A senior company official affirms initial and ongoing compliance, with submissions required before prime or subcontract awards, as well as annually post-award. No additional requirements are imposed beyond those in FAR 52.204-21.
CMMC Level 2 (Advanced)
The Level 2 requirements build upon the CMMC Level 1 requirements, mirroring DFARS 252.204-7012 and NIST SP 800-171 Revision 2. The proposed rule grants DoD Contracting Officers discretion in determining whether a self-assessment or a third-party certification is required for CMMC Level 2 contracts, based on program criticality and cyber threat severity. Contractors submitting self-assessments must follow procedures similar to those for CMMC Level 1, including an initial affirmation and the subsequent submission of a Plan of Action and Milestones (POA&M) for incomplete requirements. CMMC Level 2 Certification Assessments involve engaging a C3PAO (CMMC Third Party Assessment Organization), with results entered into eMASS and transmitted to SPRS. Contractors affirm compliance initially, upon closing out all POA&M items/tasks, and annually thereafter, with the final certification valid for up to three years (if no major changes have occurred in your operations and systems).
CMMC Level 3 (Expert)
Level 3 introduces additional security requirements beyond existing regulations. The Defense Contract Management Agency's (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts certification assessments. A prerequisite for a DIBCAC assessment is obtaining a CMMC Level 2 certification. DCMA's DIBCAC performs the assessment and uploads results to eMASS, which feeds into SPRS. Contractors, following procedures similar to those for the other levels, submit an initial compliance affirmation, a POA&M closeout affirmation, and annual affirmations of continued compliance to SPRS. The required CMMC level for each contract shall be specified in individual solicitations, determined by DoD program managers based on the type of information processed through the contractor's information system during contract performance.
The DoD will implement CMMC requirements across four phases:
Phase 1, starting with the final rule, mandates DoD COs (contracting officers) to include CMMC Level 1 or Level 2 Self-Assessment completion in applicable contracts. Phase 1 also allows DoD discretion for CMMC Level 2 Certification Assessment in specific solicitations.
Phase 2 introduces Level 2 Certification Assessments to all relevant solicitations six months after Phase 1 begins. Similar DoD CO discretion for Level 3 certification is granted.
Phase 3 begins one year after the start of Phase 2, implementing CMMC Level 3 Certification Assessments for all applicable contracts.
Phase 4 begins one year after the start of Phase 3, incorporating CMMC program requirements in all relevant solicitations and contracts, including option periods for awards preceding Phase 4.
The full rollout is anticipated around 2027.
Third-Party Certification Process and Costs
The proposed rule mandates C3PAO engagement (using U.S. citizens) for CMMC Level 2 and Level 3 solicitations, often including C3PAO Assessment costs estimated at more than $100k (based on C3PAO availability: currently there are only 50 in the U.S., but that number is anticipated to double by EOY 2024). CMMC Level 3 adds customized recurring and nonrecurring engineering costs (recurring costs could be up to $500k per year, and nonrecurring one-time costs could run into the millions of dollars). While enhancing resilience against cyber threats, the rule presents unavoidable financial burdens for defense contractors (and subcontractors). DoD acknowledges potential cost recovery for ongoing compliance but lacks clarity on pre-award cost recoupment. The rule's administrative and financial demands may lead some companies to reconsider participation in the defense industrial base. However, compliance can be viewed as a strategic advantage and an investment in future federal contracting success. One company we talked to stated: “Most of my business comes from commercial customers, but most of my revenue comes from the few DoD-related customers.”
Flow Down Requirements
The proposed rule mandates CMMC requirements for prime contractors and subcontractors across all supply chain tiers that process FCI or CUI. Prime contractors must flow down CMMC obligations to subcontractors (which is not currently happening as often as it should be) based on the information's type and sensitivity. The required CMMC level for subcontractors depends on the information they handle: Level 1 for FCI and Level 2 for CUI. If a prime contractor needs a Level 2 or Level 3 Certification Assessment, subcontractors must align accordingly. However, the rule lacks clarity on when a subcontractor is required to undergo a Level 3 Certification Assessment. Matching CMMC levels is necessary when contractors and subcontractors handle the same types of information.
Following a long wait, the proposed rule outlines the operation of the three-tiered certification program, but a final rule may take months, possibly a year, due to the expected complexity and volume of comments. The comment period remains open until February 26, 2024, welcoming input from contractors seeking clarification or wishing to influence the final rule's issuance.
Let us help you secure your data and secure your future.