DoD Issues Proposed Rule Implementing CMMC
January 11, 2024, Covington Alert
On December 26, 2023, the Department of Defense (DoD) issued its long-awaited proposed rule to implement the Cybersecurity Maturity Model Certification (CMMC) Program (Proposed Rule). CMMC has faced a long and tortuous path that started with Executive Order (EO) 13556 “Controlled Unclassified Information” in November 2010. This EO established a common nomenclature for marking controlled unclassified information (CUI) and allowed for standardized guidance on safeguarding such data.
In 2016, DoD amended the Defense Federal Acquisition Regulation Supplement (DFARS) to add a clause, DFARS 252.204-7012 (the DFARS 7012 clause), requiring DoD contractors to report cyber incidents and to safeguard certain DoD CUI in accordance with the 110 security controls identified in NIST SP 800-171. Four years later, DoD announced CMMC 1.0 and issued an interim rule reflecting the initial vision for CMMC: a five-year phase-in period and five levels of safeguarding requirements. In response to the approximately 750 comments it received on that rule, DoD conducted an internal review of CMMC. In November 2021, DoD announced CMMC 2.0, which is the basis for the current Proposed Rule.
The Basics
The proposed CMMC program is intended to be a mechanism for verifying that DoD contractors have implemented information security controls already required by the DFARS 7012 clause and the Federal Acquisition Regulation (FAR) (with the exception of CMMC Level 3, which does impose new security controls as further discussed below). Thus, the Proposed Rule is intended to strengthen rather than replace the current DoD information safeguarding regime by tying contractor compliance with that regime, as measured by CMMC assessments, to eligibility for contract award.
The proposed CMMC program has three primary features.
- First, CMMC employs a three-tiered security model (down from the five tiers in CMMC 1.0). Each tier features increasingly strict safeguarding obligations, and higher tiers will apply to programs that DoD deems to involve storage, processing, and transmission of relatively more sensitive DoD information. The DFARS 7012 clause is the current standard for safeguarding sensitive unclassified DoD information on contractor systems and on cloud systems that contractors rely on. Although the DFARS 7012 clause likely will be modified, the Proposed Rule is clear that the basic structure is likely to stay in place as to cyber incident reporting and certain other aspects of that rule.
- Second, CMMC imposes a number of assessment and certification requirements on contractors. Some of these assessments are self-assessments performed by contractors, and some require assessment either by a third party (a CMMC Third-Party Assessment Organization, or C3PAO) or by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). These assessments permit limited use of Plans of Action and Milestones (POA&M) documents for certain security controls that have not been fully implemented at the time of assessment, but any such deficiencies must be resolved within 180 days of the assessment.
- Third, as with all current agency cybersecurity requirements, the CMMC will be implemented via contracts, as will requirements for various certifications by “senior officials” of the contractor. Notably, the contractual processes that will be used to implement CMMC will be covered in a separate rule (DFARS Case 2019-D041 – Assessing Contractor Implementation of Cybersecurity Requirements). Government information systems that are operated by contractors and subcontractors on behalf of the Government are not covered by the Proposed Rule.
There are some inconsistencies between the Proposed Rule and the current DFARS 7012 clause that we would expect to be addressed in later rulemaking proceedings. First, the Proposed Rule uses the term CUI rather than the term “covered defense information” or CDI used in the DFARS 7012 clause. If the two rules were not made consistent, it could cause inadvertent gaps and potentially subject contractors to DoD requirements with regard to CUI not tied to performance of a DoD contract. Second, the Proposed Rule explicitly relies on NIST SP 800-171 Rev. 2, whereas the DFARS 7012 clause imposes the version of NIST SP 800-171 in effect at the time a solicitation is issued. Given that NIST has Revision 3 of NIST SP 800-171 out for comment, this could result in some inconsistencies between the Proposed Rule and the DFARS 7012 clause.
CMMC Model
As noted above, there are three security levels under CMMC 2.0.
- Level 1 applies where contractors will store, process, or transmit a class of information known as “Federal Contract Information” (FCI). FCI is defined by FAR 52.204-21 to mean “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.” FCI is generally inclusive of CUI, but CUI is a narrower category of information that triggers additional safeguarding requirements as set forth under Level 2 and Level 3.
- Level 2 applies where contractors will store, process, or transmit CUI on their information systems or on third party cloud systems. CUI is generally defined by 32 CFR 2002.4 as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
- Level 3 applies where contractors will store, process, or transmit CUI on their information systems or on third party cloud systems that DoD program offices consider to be especially sensitive and that may require heightened protections against advanced persistent threats.
Assessment and Safeguarding Requirements
As noted, the CMMC incorporates increasing levels of security requirements and more stringent assessment obligations that contractors need to meet. If a contract contains a CMMC requirement, the contractor must meet the designated CMMC level by the time of award or option period exercise.
The first step for any assessment is determining what is within scope. The Proposed Rule and the accompanying Guidance Documents address which information systems are in scope for assessments. For all assessments, assets that process, store, or transmit either FCI or CUI (depending on the type of assessment) are generally within scope, and the Guidance Document on Scoping makes clear that for Levels 2 and 3 the contractor must be prepared to “justify the inability of an Out-of-Scope Asset to store, process, or transmit CUI.” The Proposed Rule also recognizes several special asset categories, which are treated differently depending on the Level:
- “Specialized Assets” (all three Levels) – “assets that can process, store, or transmit CUI but are unable to be fully secured.” Examples cited in the Proposed Rule include government furnished equipment, certain industrial systems, and certain test equipment. For Level 1, these assets are out of scope. For Level 2 assessments, contractors must reflect them in their security documentation and explain how they are managing the assets with their risk-based policies and procedures, but the assets are not assessed against other CMMC requirements. For Level 3, these assets will be assessed against Level 3 requirements.
- “Risk Managed Assets” (Level 2) – “assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place.” These must be included in the contractor’s security documentation and assessed against Level 2 requirements.
- “Security Protection Assets” (Levels 2 and 3) – assets that provide “security functions or capabilities” regardless of “whether they process, store or transmit CUI.” These require assessment against the applicable security requirements.
The Guidance Documents on Scoping at each Level provide additional guidance on how different types of assets must be reflected in contractor security documentation and how they will be assessed for compliance with security requirements.
For CMMC Level 1, federal contracts and subcontracts involving the transfer of FCI to a non-Government organization must follow the requirements specified in FAR 52.204-21. Contractors are required to verify through self-assessment that all applicable security requirements in FAR 52.204-21, which match up to 17 of the security controls in 800-171 Rev 2, have been fully implemented. The self-assessment must be performed using the objectives defined in NIST SP 800-171A (Assessing Security Requirements for Controlled Unclassified Information). The Proposed Rule describes these requirements as “elementary for any entity wishing to achieve basic cybersecurity.” CMMC adds a requirement that contractors conduct an annual self-assessment regarding the controls in FAR 52.204-21 and a certification of compliance from a senior official within the company must be entered into the Supplier Performance Risk System (SPRS) each year. Full compliance with all the requirements is necessary to meet CMMC Level 1 and no POA&Ms are permitted.
For CMMC Level 2, some contracts will be designated as ones where a self-assessment is sufficient, and others will be designated as requiring an assessment by an authorized or accredited C3PAO. Under both scenarios, contractors are expected to meet the 110 security controls in NIST SP 800-171. Both permit a POA&M for requirements that are not fully met at the time of the assessment, but, as discussed below, a minimum score must be achieved. As noted above, rather than requiring compliance with the version of NIST SP 800-171 in effect at the time of the solicitation (as the DFARS 7012 clause does), the Proposed Rule explicitly relies on Revision 2. This could cause some confusion, as Revision 3 is already in draft form. For Level 2 self-assessments, contractors are required to input the results of the self-assessment (including the overall score and whether POA&Ms are needed) into SPRS on a triennial basis. For a Level 2 assessment that requires a C3PAO, assessment results are submitted into the CMMC instantiation of eMASS, which then provides automated transmission to SPRS. The information submitted to eMASS is more detailed than the information from a self-assessment and includes a list of the artifact names used in the assessment.
CMMC Level 3 assessments are conducted by DCMA’s DIBCAC. Receipt of a CMMC Level 2 Final Certification Assessment for information systems within the Level 3 CMMC Assessment Scope is a prerequisite for a CMMC Level 3 Certification Assessment. If, during the assessment, DCMA DIBCAC determines that a Level 2 requirement is not met, the Level 3 assessment may be placed on hold or terminated. In addition to the Level 2 requirements, contractors must meet 24 additional security requirements from NIST SP 800-172 “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171, Rev. 2.” DCMA DIBCAC will communicate the results of the assessment to the contractor through a CMMC Assessment Findings Report. Contractors are required to retain the hashed artifacts used as evidence during the assessment process for 6 years from the date of the assessment. DCMA DIBCAC will submit the assessment results and the list of artifact names into the CMMC instantiation of eMASS, which then provides automated transmission to SPRS.
As noted above, DoD posted eight additional guidance documents alongside the Proposed Rule: for each Level, an Assessment Guide and a Scoping Guide, plus an Overview of the CMMC model and a CMMC Hashing Guide.
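The artifact-retention requirement described above is normally met by hashing each evidence file and keeping the hash list with the artifacts, so that six years later the contractor can show the evidence has not changed. The following Python is added here as an illustration; it is not code from DoD, the Hashing Guide, or this alert. It builds a SHA-256 hash list for a directory of artifacts, hashes the list file itself, and later re-verifies the directory so that a modified or missing artifact is detected. SHA-256 and the step of hashing the list file are assumptions made here about the Hashing Guide, which the alert does not describe; the artifact files are constructed in a temporary directory.

```python
"""Evidence artifact hashing and re-verification.

Added example, not from DoD or the CMMC Hashing Guide. Assumptions:
- SHA-256 is the hash algorithm (the alert names none).
- The hash list file is itself hashed so a single digest can be recorded.
- Sample artifacts are constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large exports do not load into memory


def sha256_file(path: Path) -> str:
    """Hex SHA-256 digest of a file, streamed in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sha256_bytes_file(data: bytes) -> str:
    """Hash bytes by way of a temporary file (handy for checking sha256_file)."""
    with tempfile.TemporaryDirectory() as tmp:
        blob = Path(tmp) / "blob"
        blob.write_bytes(data)
        return sha256_file(blob)


def build_hash_list(artifact_dir: Path, list_path: Path) -> str:
    """Write '<sha256>  <relative path>' lines for every file under artifact_dir.

    Returns the digest of the list file itself (assumed here to be what gets
    recorded alongside the assessment), so the list cannot be silently edited.
    """
    lines = []
    for p in sorted(artifact_dir.rglob("*")):
        if p.is_file() and p != list_path:
            rel = p.relative_to(artifact_dir).as_posix()
            lines.append(f"{sha256_file(p)}  {rel}")
    list_path.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return sha256_file(list_path)


def verify_hash_list(artifact_dir: Path, list_path: Path):
    """Return [(relative path, status)] with status 'ok', 'modified' or 'missing'."""
    results = []
    for line in list_path.read_text(encoding="utf-8").splitlines():
        if not line.strip():
            continue
        recorded, rel = line.split("  ", 1)
        target = artifact_dir / rel
        if not target.is_file():
            results.append((rel, "missing"))
        elif sha256_file(target) != recorded:
            results.append((rel, "modified"))
        else:
            results.append((rel, "ok"))
    return results


def demo():
    """Constructed run: build the list, then tamper with one artifact and delete another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "policies").mkdir()
        policy = root / "policies" / "access-control-policy.txt"
        log = root / "siem-export.log"
        policy.write_text("Constructed sample artifact: access control policy v3\n", encoding="utf-8")
        log.write_text("constructed log line 1\nconstructed log line 2\n", encoding="utf-8")

        list_path = root / "artifact-hashes.txt"
        list_digest = build_hash_list(root, list_path)
        before = verify_hash_list(root, list_path)

        log.write_text("tampered\n", encoding="utf-8")  # simulate an edited artifact
        policy.unlink()                                   # simulate a lost artifact
        after = verify_hash_list(root, list_path)
        return list_digest, before, after


if __name__ == "__main__":
    list_digest, before, after = demo()
    print("hash of hash list:", list_digest)
    print("before:", before)
    print("after: ", after)
```

The list digest is the one value worth recording outside the artifact store (for example in the assessment record), since anyone who can edit the artifacts can also edit a co-located list file; recording the digest separately is what makes the later verification meaningful.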
Plans of Action & Milestones Permitted
Although POA&Ms are permitted, there are limitations imposed on their scope. A contractor is only permitted to have a POA&M for certain requirements scored as NOT MET during the CMMC assessment and only under the following conditions:
- Level 1 Self-Assessment - No POA&Ms are permitted.
- Level 2 CMMC Self-Assessment and CMMC Certification Assessment – A contractor may only have a POA&M for CMMC Level 2 if all the following conditions are met:
- The assessment score divided by the total number of security requirements is greater than or equal to 0.8;
- None of the security requirements included in the POA&M have a point value of greater than 1 as specified in the CMMC Scoring Methodology set forth in § 170.24, except that SC.L2–3.13.11 CUI Encryption may be included on a POA&M if it has a value of 1 or 3; and
- The POA&M does not include any of the following security requirements:
- AC.L2–3.1.20 External Connections (CUI Data).
- AC.L2–3.1.22 Control Public Information (CUI Data).
- PE.L2–3.10.3 Escort Visitors (CUI Data).
- PE.L2–3.10.4 Physical Access Logs (CUI Data).
- PE.L2–3.10.5 Manage Physical Access (CUI Data).
- Level 3 Certification Assessment – A contractor is only permitted to have a POA&M for CMMC Level 3 if all the following conditions are met:
- The assessment score divided by the total number of CMMC Level 3 security requirements is greater than or equal to 0.8; and
- The POA&M does not include any of following security requirements:
- IR.L3–3.6.1e Security Operations Center.
- IR.L3–3.6.2e Cyber Incident Response Team.
- RA.L3–3.11.1e Threat-Informed Risk Assessment.
- RA.L3–3.11.6e Supply Chain Risk Response.
- RA.L3–3.11.7e Supply Chain Risk Plan.
- RA.L3–3.11.4e Security Solution Rationale.
- SI.L3–3.14.3e Specialized Asset Security.
The closing of a POA&M must be confirmed by a POA&M Closeout assessment within 180 days of the initial assessment. For a Level 2 CMMC Self-Assessment, the contractor performs the closeout assessment of the controls not met in the same manner as the initial self-assessment. For a Level 2 CMMC Certification Assessment, a C3PAO must perform the closeout assessment. For a Level 3 POA&M, DCMA DIBCAC must perform the POA&M closeout assessment.
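The POA&M conditions above are a decision rule that a contractor can apply to its own assessment results before deciding whether a POA&M is even an option. The Python below is an added example, not code from the rule or this alert. It encodes the Level 2 and Level 3 conditions as stated above: the 0.8 ratio test, the one-point limit with the CUI Encryption exception, and the lists of requirements that may never be placed on a POA&M. Assumptions: Level 2 findings carry the 1, 3 or 5 point values of the scoring methodology the rule cites; Level 3 requirements are treated as one point each, which the alert does not state; and the sample findings and their point values are constructed.

```python
"""POA&M eligibility check modeled on the Proposed Rule's conditions.

Added example; not code from DoD, the rule, or the alert. Assumptions:
- Level 2: 110 NIST SP 800-171 Rev. 2 requirements, each deducting
  1, 3 or 5 points when NOT MET (the scoring methodology the rule cites).
- Level 3: 24 NIST SP 800-172 requirements, treated here as one point each
  (the alert does not describe Level 3 point values).
- Sample findings and their point values are constructed.
"""
from dataclasses import dataclass

LEVEL2_TOTAL = 110
LEVEL3_TOTAL = 24

# Requirements the rule says may never sit on a POA&M (as listed in the alert).
LEVEL2_NEVER_POAM = {
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}
LEVEL3_NEVER_POAM = {
    "IR.L3-3.6.1e", "IR.L3-3.6.2e", "RA.L3-3.11.1e", "RA.L3-3.11.6e",
    "RA.L3-3.11.7e", "RA.L3-3.11.4e", "SI.L3-3.14.3e",
}
# The one requirement worth more than 1 point that may still go on a POA&M.
CUI_ENCRYPTION = "SC.L2-3.13.11"


def norm(req_id: str) -> str:
    """Accept IDs written with the en dash used in the rule text."""
    return req_id.replace("\u2013", "-").strip()


def below_threshold(score: int, total: int) -> bool:
    """score / total < 0.8, done in integers to avoid float edge cases at exactly 0.8."""
    return score * 10 < total * 8


@dataclass(frozen=True)
class Finding:
    req_id: str
    points: int  # value deducted when NOT MET (1, 3 or 5 at Level 2)


def level2_score(not_met) -> int:
    return LEVEL2_TOTAL - sum(f.points for f in not_met)


def poam_eligible_level2(not_met):
    """Return (eligible, reasons) for a Level 2 assessment with the given NOT MET findings."""
    reasons = []
    score = level2_score(not_met)
    if below_threshold(score, LEVEL2_TOTAL):
        reasons.append(f"score {score}/{LEVEL2_TOTAL} is below the 0.8 threshold")
    for f in not_met:
        rid = norm(f.req_id)
        if rid in LEVEL2_NEVER_POAM:
            reasons.append(f"{rid} may never be placed on a POA&M")
        elif rid == CUI_ENCRYPTION:
            if f.points not in (1, 3):
                reasons.append(f"{rid} may be on a POA&M only at a value of 1 or 3, not {f.points}")
        elif f.points > 1:
            reasons.append(f"{rid} has a point value of {f.points} (greater than 1)")
    return (not reasons), reasons


def poam_eligible_level3(not_met_ids):
    """Level 3: ratio test plus the excluded-requirement list (one point each assumed)."""
    reasons = []
    ids = [norm(r) for r in not_met_ids]
    score = LEVEL3_TOTAL - len(ids)
    if below_threshold(score, LEVEL3_TOTAL):
        reasons.append(f"score {score}/{LEVEL3_TOTAL} is below the 0.8 threshold")
    for rid in ids:
        if rid in LEVEL3_NEVER_POAM:
            reasons.append(f"{rid} may never be placed on a POA&M")
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed Level 2 findings; the point values are illustrative only.
    findings = [Finding("AT.L2\u20133.2.1", 1), Finding("SC.L2\u20133.13.11", 3)]
    print(poam_eligible_level2(findings))  # (True, [])
    print(poam_eligible_level2(findings + [Finding("AC.L2-3.1.20", 1)]))
    print(poam_eligible_level3(["CM.L3-3.4.1e", "IR.L3\u20133.6.1e"]))
```

At Level 2 the ratio test allows at most 22 points of NOT MET findings (a score of 88 out of 110), and because every finding on the POA&M must be a one-point item apart from CUI Encryption, the practical ceiling is around twenty open one-point requirements; at Level 3, with one point each, more than four open requirements fails the ratio test.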
Affirmations/Certifications
Affirmations are required for all CMMC assessments at the time of the completion of the assessment, and annually thereafter. All affirmations must be made by a senior official of the contractor who is “responsible for ensuring [contractor] compliance with CMMC program requirements” and must be submitted into SPRS. In addition, affirmations are required following a POA&M closeout assessment. The content of affirmations must include the name, title, and contact information for the affirming official, as well as an attestation that the contractor has implemented and will maintain implementation of all applicable CMMC security requirements for all relevant information systems. Affirmations will also be required from subcontractors.
Given the Civil Cyber Fraud Initiative announced by the U.S. Department of Justice (DOJ) in October 2021 and the increased emphasis by the Government overall in the cyber area, it is important that contractors have a clear process for ensuring compliance and for making these representations to the Government. Being ineligible for a particular contract is problematic, but being subject to a civil or criminal investigation for a false certification is far worse.
Subcontractors/Cloud Service Providers/External Service Providers
CMMC Level requirements apply to subcontractors throughout the supply chain if they process, store, or transmit FCI or CUI on contractor information systems in the performance of a government subcontract. Prime contractors are responsible for flowing down compliance requirements to their subcontractors. As with prime contractors, the minimum level for a subcontractor depends on the information it will handle and on the prime contractor’s own requirement:
- FCI only (no CUI) in performance of the subcontract – Level 1 CMMC Self-Assessment.
- CUI in performance of the subcontract – Level 2 CMMC Self-Assessment at a minimum.
- CUI, where the prime contractor has a Level 2 Certification Assessment requirement – Level 2 CMMC Certification Assessment at a minimum.
- CUI, where the prime contractor has a Level 3 Certification Assessment requirement – Level 2 CMMC Certification Assessment at a minimum.
It is unclear from the Proposed Rule when a subcontractor will be required to meet a Level 3 certification assessment, although the Proposed Rule does indicate that the prime contractor should consult with the program office where it is uncertain about the appropriate subcontractor level to assign.
Cloud Service Providers (CSPs), which the rule defines as “an external company that provides a platform, infrastructure, applications, and/or storage services for its clients,” are also covered by the Proposed Rule if the contractor is planning on using the CSP to process, store, or transmit CUI in performance of a contract or subcontract with CMMC requirements. If the contract or subcontract is at a CMMC Level 2 or 3, the cloud service offering (CSO) from the CSP must either be authorized at the FedRAMP Moderate or higher baseline or, if not authorized under FedRAMP, the CSO must meet security requirements equivalent to the FedRAMP Moderate (or higher) baseline. Equivalency is met if the prime contractor or subcontractor has a System Security Plan (SSP) or other security documentation that describes the system environment, system responsibilities, the current status of the Moderate baseline controls required for the system, and a Customer Responsibility Matrix that summarizes how each control is met and which party is responsible for each control that maps to Rev. 2 of NIST SP 800-171.
The Proposed Rule also addresses External Service Providers (ESPs). ESPs are defined as “external people, technology, or facilities that an organization utilizes for provision and management of comprehensive IT and/or cybersecurity services on behalf of the organization. In the CMMC Program, CUI or Security Protection Data (e.g., log data, configuration data), must be processed, stored, or transmitted on the ESP assets to be considered an ESP.” Although there is no separate definition of “Security Protection Data” beyond the parenthetical noted above, ESPs appear to include outsourced IT and cybersecurity resources for companies. Consistent with that interpretation, the Proposed Rule notes that small entities are likely to outsource IT and cybersecurity to an ESP. If a contractor is seeking a Level 2 self or certification assessment, the ESP must have a Level 2 Final Certification Assessment. If a contractor seeking a Level 3 CMMC Certification Assessment uses an ESP, the ESP must also have a Level 3 CMMC Final Certification Assessment. For both Level 2 and Level 3, if the ESP is “internal to the [contractor], the security requirements implemented by the ESP should be listed in the [contractor]’s SSP to show connection to its in-scope environment.”
Allowability of Costs
In parallel regimes, such as compliance with the DFARS 7012 clause, DoD has consistently said costs of compliance are allowable. Industry likely expected the same for CMMC compliance costs. However, the Proposed Rule is not entirely clear on this point. In the preamble, DoD states, “[t]o the extent that defense contractors or subcontractors have already been awarded DOD contracts or subcontracts that include these clauses, and process, store or transmit FCI or CUI in support of the performance of those contracts, costs for implementing those cybersecurity requirements should have already been incurred and are not attributed to this rule.” The preamble does acknowledge that there could be different costs associated with assessments and states that those are new costs imposed by the CMMC program. But the preamble then notes that the “CMMC Program does not levy additional information security protection requirements for CMMC Levels 1 and 2.” Nonetheless, given the need to update licenses, incorporate new and updated technology, and respond to the continually changing persistent threat of cyber incidents, it would be helpful for DoD to clarify that these statements were only about which costs should be attributed to the Proposed Rule, rather than a position on the allowability of compliance costs overall.
Accreditation Body, C3PAOs, and Appeals of Assessment Findings
The Proposed Rule contains a number of specific requirements relating to the third party CMMC Accreditation Body, currently known as the “Cyber AB.” The Cyber AB is generally responsible for accrediting the C3PAOs that will conduct assessments of contractors. The Cyber AB must comply with certain requirements regarding conflicts of interests, achievement and compliance with industry standards, foreign ownership, and employee screening. In addition, the Proposed Rule specifies that C3PAOs should have procedures in place to allow for an internal appeals process in the event of an error or malfeasance during the assessment. Appeal requests will be reviewed by individuals that were not involved in the original assessment, and any further appeals will be decided by the Cyber AB.
Phased Implementation
DoD intends to roll out the Proposed Rule over a multi-year period using a four-phase approach, under which the rule would be fully implemented no earlier than 2026. The phases are as follows:
- Under Phase 1, which is planned to coincide with the effective date of the revision to the DFARS 252.204-7021 clause that will occur in connection with a separate rulemaking under DFARS Case 2019-D041, DoD will begin including Level 1 and Level 2 Self-Assessment requirements in all applicable new DoD solicitations and contracts as a condition of contract award. The inclusion of any CMMC requirements in existing contracts as a condition of option exercises would be discretionary. DoD may also include CMMC Level 2 Certification Assessment in place of a Level 2 Self-Assessment for applicable DoD solicitations and contracts at its discretion.
- Under Phase 2, which is planned to begin six months after the start of Phase 1, DoD will begin including Level 2 Certification Assessment requirements in all applicable new DoD solicitations and contracts (with the discretion to delay the inclusion of Level 2 Certification Assessment to option periods). The inclusion of CMMC requirements into existing contracts as a condition of option exercises will continue to remain discretionary. DoD may also include Level 3 Certification Assessment for applicable DoD solicitations and contracts at its discretion.
- Under Phase 3, to occur one year following the start of Phase 2, DoD will begin including Level 3 certification assessments into applicable new solicitations and contracts (with the discretion to delay Level 3 requirements to option periods) and will begin requiring Level 2 certification assessments for existing contracts as a condition of option exercises.
- Under Phase 4, to begin one year following the start of Phase 3, DoD will incorporate all CMMC requirements, as applicable, into both new solicitations and contracts and existing contracts as a condition of option exercises.
Conclusion
If the Proposed Rule is finalized without significant modification, the amount of effort that may be needed to be compliant could be significant depending on the status of individual contractor systems. Thus, contractors should be assessing their systems for gaps with current requirements, identifying reasonable timeframes for addressing those gaps, and assessing any external services on which they currently rely. Additionally, DoD contractors should begin to closely assess their supply chains given that some subcontractors or service providers may be unable or unwilling to meet these requirements.
If you have any questions concerning the material discussed in this client alert, please contact the members of our Data Privacy and Cybersecurity and Government Contracts practices.