CMMC Archives - Government Contracts Navigator

This Is Not a Drill: Department of Defense Issues Long-Awaited Final CMMC DFARS Rule

After years of drafts and interim measures, the Department of Defense (“DOD”) has issued the final Defense Federal Acquisition Regulation Supplement (“DFARS”) rule implementing the Cybersecurity Maturity Model Certification (“CMMC”) program. This long-awaited development cements CMMC as a contractual requirement and clarifies key aspects of the rule’s certification, compliance, and oversight requirements.

How Will CMMC Work?

Under the final rule, every solicitation where a contractor may store, process, or transmit Federal Contract Information (“FCI”) or controlled unclassified information (“CUI”) will be assigned a CMMC level. Solicitations involving just FCI will have a CMMC Level 1 requirement. Solicitations involving non-Defense CUI will have a CUI Level 2 Self-Attestation requirement. Solicitations involving Defense CUI will have a CUI Level 2 third-party certification (i.e., C3PAO) requirement. Solicitations involving particularly sensitive DOD programs will have a Level 3 requirement. Level 3 requires an assessment by the Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”).

What CMMC Level Do I Need? The Department of Defense Issues New Guidance for Determining Appropriate CMMC Compliance Level

Michael Joseph Montalbano ●

The Department of Defense (“DOD”) recently issued new guidance outlining how it will determine Cybersecurity Maturity Model Certification (“CMMC”) levels for its solicitations and contracts. Prior to this guidance, contractors generally understood that contracts with only Federal Contract Information (“FCI”) would require a CMMC Level 1 self-assessment; contracts with Controlled Unclassified Information (“CUI”) would require either a CMMC Level 2 self-assessment or a CMMC Level 2 certification; and DOD contracts “supporting its most critical programs and technologies” would require a CMMC Level 3 certification. DOD’s new guidance provides additional information contractors can use to help them determine which CMMC Level they should achieve.

Department of Defense Issues Final CMMC Rule

Michael Joseph Montalbano ●

On October 11, 2024, the Department of Defense (“DoD”) issued the first part of its final rule establishing the Cybersecurity Maturity Model Certification (“CMMC”) program. As expected, the final rule requires companies entrusted with national security information to implement cybersecurity standards at progressively advanced levels, (CMMC level 1, CMMC level 2, and CMMC level 3) depending on the type and sensitivity of the information. While the final rule largely tracks the proposed rule issued in December 2023, we outline below several notable updates DoD included in the final rule and their potential impacts on DoD contractors.

Understanding the Basics of CMMC Level 3

Michael Joseph Montalbano ●

In this series on the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule, we have discussed the rule’s implementation timeline and the basics of CMMC Level 1 and CMMC Level 2. In this post, we discuss the most demanding CMMC level – CMMC Level 3.

What contracts will be subject to CMMC Level 3?

Unlike with CMMC Levels 1 and 2, DoD has not announced specific criteria for when CMMC Level 3 will apply. DoD has only stated that CMMC Level 3 will apply to contracts “supporting its most critical programs and technologies.” We know that CMMC Level 2 will apply to contracts where the contractor will receive Controlled Unclassified Information (“CUI”), so we can probably assume that CMMC Level 3 will, at a minimum, apply to contracts with the most sensitive CUI. DoD estimates that less than 1% of defense contractors will obtain a CMMC Level 3 verification once the rule has gone into full effect, which suggests that relatively few contracts will require CMMC Level 3 certification.

What are the requirements of CMMC Level 3?

There are three steps the contractor must satisfy to obtain a CMMC Level 3 certification. First, the contractor must obtain a CMMC Level 2 certification. This means that a Certified Third-Party Assessor Organization (“C3PAO”) will need to assess any contractor information system that stores, processes, or transmits CUI for compliance with the NIST SP 800-171 rev. 2 security requirements. Note that because the proposed CMMC rule requires a CMMC Level 2 certification—a third party assessment—a CMMC Level 2 self-assessment will not suffice.

Understanding the Basics of CMMC Level 2

Michael Joseph Montalbano ●

In this series on the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule, we have discussed the rule’s implementation timeline and the basics of CMMC Level 1. In this post, we discuss the basics of CMMC Level 2.

What contracts will be subject to CMMC Level 2?

CMMC Level 2 will apply to all DoD contracts where the contractor will receive Controlled Unclassified Information (“CUI”), except contracts that are purely for commercially available off-the-shelf (“COTS”) items. CUI is information that requires safeguarding or dissemination controls pursuant to applicable laws, regulations, and government-wide policies. The Government currently recognizes 20 categories of CUI, all of which are listed on the National Archives website. Those CUI categories include information related to defense, export-controlled information, intelligence, and procurements. While not as prevalent as Federal Contract Information, CUI is still often used in the performance of DoD contracts and DoD estimates that approximately 36 percent of defense contractors will obtain a CMMC Level 2 verification once the rule has gone into full effect.

Understanding the Basics of CMMC Level 1

Michael Joseph Montalbano ●

In this series, we have provided an overview of the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule and its implementation timeline. Now, we delve deeper into the three CMMC security levels, starting with CMMC Level 1.

What contracts will be subject to CMMC Level 1?

CMMC Level 1 will apply to all DoD contracts where the contractor will receive Federal Contract Information (“FCI”), except contracts that are purely for commercially available off-the-shelf (“COTS”) items. FCI is information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. Types of documents that could contain FCI include contracts, modifications, statements of work, technical drawings, and government communications to the contractor. Given the broad definition of FCI, contractors can expect that nearly all non-COTS, DoD contracts will involve FCI and will therefore be subject to CMMC Level 1.

The Department of Defense Issues Proposed Timeline for CMMC Implementation

Michael Joseph Montalbano ●

On December 26, 2023, the Department of Defense (“DoD”) issued the long-awaited proposed rule for the Cybersecurity Maturity Model Certification (“CMMC”) program. In our previous post, we discussed how the CMMC program comprises three levels with increasing cybersecurity requirements. Contractors will be required to either conduct a self-assessment or undergo a third-party assessment (the latter referred to as a certification assessment) to demonstrate compliance with their applicable CMMC Level.

DoD included in the proposed rule an estimated timeline for the rollout of the CMMC program. Specifically, DoD intends to implement the CMMC program in four phases over two and a half years:

Phase 1 begins on the effective date of DoD’s final CMMC rule (i.e., when DFARS 252.204–7021 is officially revised). During Phase 1, CMMC Level 1 or Level 2 self-assessments become a condition for contract award. This means that contractors must self-assess their compliance with the cybersecurity requirements of CMMC Level 1 or 2 (whichever level is applicable to the contract) to be eligible for award. DoD may also include third-party CMMC Level 2 assessment requirements in certain contracts at its discretion.

The Department of Defense Releases Proposed CMMC Rule

Michael Joseph Montalbano ●

The Department of Defense (“DoD”) has released a draft of its proposed Cybersecurity Maturity Model Certification (“CMMC”) Program rule just in time for the holidays. The rule—which is scheduled to be published December 26, 2023—is over 200 pages, and we will publish follow-up articles as we have time to analyze the new requirements. At a high level, here is what DoD has proposed:

Tiered Model: CMMC requires companies entrusted with national security information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. Those levels range from CMMC Level 1 (the most basic level) to CMMC Level 3 (the most advance level).
Assessment Requirement: CMMC requires certain contractors at CMMC Levels 2 and 3 to undergo third-party assessments, which allows DoD to verify the implementation of the CMMC cybersecurity standards.
Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors handling sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

Accreditation Body Releases CMMC Assessment Guidance

Michael Joseph Montalbano ●

In July 2022, the Accreditation Body (“AB”) of the Cybersecurity Maturity Model Certification program (“CMMC”) released a 47-page CMMC Assessment Process guide (“CAP Guide”). The CAP Guide outlines the assessment process for contractors seeking a CMMC level 2 certification, which, as we discussed in earlier posts, is the required certification level for all contractors who expect to receive or store Controlled Unclassified Information (“CUI”).

The CAP Guide has been widely criticized by members of the Defense Industrial Base for being overly complicated and contrary to the Department of Defense’s (“DoD”) stated intention to reduce the complexity and cost of the CMMC program for small businesses. However, assuming it is adopted by the DoD, the CAP Guide includes helpful guidance for contractors that are beginning to prepare for their CMMC level 2 assessment.

CMMC 2.0 Brings Much Needed Relief to the Defense Industrial Base

Michael J. Montalbano

In response to more than 850 public comments, the Department of Defense (“DOD”) has decided to significantly revamp the Cybersecurity Maturity Model Certification (“CMMC”) program. On November 4, 2021, DOD announced that it was replacing the current CMMC program with CMMC 2.0, which is expected to significantly reduce the regulatory burden on companies in the Defense Industrial Base (“DIB”). DOD made three significant changes through the new CMMC 2.0 program:

Reduces the number of CMMC levels. As we explained in earlier posts, CMMC 1.0 originally had five CMMC levels of ascending sophistication. CMMC 2.0 now only has three levels:

- - CMMC 2.0 Level One: This level will apply to most DIB companies and requires compliance with 17 basic cyber hygiene practices.
  - CMMC 2.0 Level Two: This level applies to DIB companies who will receive controlled unclassified information (“CUI”) and is expected to align with the requirements under NIST SP 800-171. Notably, DOD already requires most DIB companies receiving CUI to comply with NIST SP 800-171 through the cybersecurity DFARS clause 252.204-7012.
  - CMMC 2.0 Level Three: DOD is still developing the requirements for this level, but we expect that this level will apply to only the most sensitive and high-risk DOD projects.

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: