Background
The DoD has been working on various iterations of CMMC 2.0 since 2019. The DoD established the CMMC program as a direct result of the government’s concerns about the steadily increasing number, and evolving sophistication, of cybersecurity intrusion events affecting defense contractors. The DoD has historically relied on defense contractors’ “self-attestation” of their ability to protect different categories of sensitive, unclassified, nonpublic information — such as federal contract information (FCI) and controlled unclassified information (CUI) — but in September 2020, the DoD issued an interim rule to establish a formal CMMC 1.0 program. However, defense contractors pushed back on this iteration, complaining that it was too complicated and rigid, and that it did not appropriately take risk into account. Accordingly, the DoD abandoned the first version of the program and announced a 2.0 version of the program in November 2021. This 2.0 version has finally made it to the proposed-rule stage and represents the government’s attempt to align the goals of the program with the industry’s concerns about its impact on the way defense contractors manage cybersecurity risks.
CMMC 2.0
The DoD will use CMMC 2.0 to impose major cybersecurity requirements, assessment requirements, and affirmation requirements specific to each CMMC level. Program managers will identify the applicable CMMC level for a given contract based upon the specific responsibilities associated with contract performance. Once implemented, CMMC 2.0 will require many defense contractors to obtain a third-party certification that they have successfully implemented the cybersecurity controls set forth in National Institute of Standards and Technology Special Publication (NIST SP) 800-171 Rev. 2. Currently, defense contractors in possession of CUI are required to implement these NIST SP 800-171 Rev. 2 cybersecurity controls but are permitted to self-report to the DoD that they have done so, with minimal oversight. Going forward, CMMC 2.0 will bar a defense contractor from performing an awarded contract if it has not been certified as CMMC 2.0 compliant.
CMMC 2.0 Level 1
The first CMMC level will focus on protecting FCI and will continue to consist of the 15 basic security requirements specified in Federal Acquisition Regulation (FAR) 52.204-21. In terms of assessment, CMMC 2.0 adds a requirement for contractors and applicable subcontractors to affirm — in the Supplier Performance Risk System (SPRS) — that all applicable security requirements outlined in FAR 52.204-21 have been implemented. In addition to this self-assessment, CMMC 2.0 requires a senior company official to annually affirm continuing compliance with the specified security requirements. To the extent that a defense contractor’s self-assessment reveals that it has not implemented one or more of the 15 basic security requirements above, POA&Ms are impermissible at this level.
CMMC 2.0 Level 2
The second CMMC level will focus on protecting CUI and will require defense contractors to implement 110 security requirements identified in NIST SP 800-171 Rev. 2. To verify a defense contractor’s implementation of these cybersecurity requirements, the procuring defense agency will require defense contractors to either conduct a self-assessment or undergo a certification assessment.
To the extent that the procuring agency requires a self-assessment, the defense contractor must perform this self-assessment on an annual basis, and the results must be entered electronically in SPRS. If a solicitation requires a third-party assessment, however, a triennial certification assessment will be performed by an independent CMMC third-party assessment organization (C3PAO). The C3PAO will be required to enter the certification assessment information electronically into the CMMC 2.0 Enterprise Mission Assurance Support Service (eMASS), which will transmit the results into SPRS.
In addition to either the self-assessment or the certification assessment, a senior official from the company will be required to annually affirm continuing compliance with CMMC Level 2 security requirements. Unlike at CMMC Level 1, POA&Ms are permissible at this level.
CMMC 2.0 Level 3
Level 3 focuses on protecting CUI associated with what the DoD determines to be “a critical program or high value asset.” CMMC Level 3 requires DoD contractors to implement 24 specific security requirements as identified in NIST SP 800-172 and detailed in Table 1 to § 170.14(c)(4). To achieve CMMC 2.0 Level 3 certification, defense contractors must already have a CMMC 2.0 Level 2 certification.
At CMMC Level 3, the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (part of the DoD) will conduct the assessment to determine whether defense contractors have implemented the requisite security controls above and, after verifying implementation, will certify that all applicable CMMC Level 3 security requirements from NIST SP 800-172 have been implemented. The DoD assessor will enter the assessment results electronically into eMASS, which will transmit assessment results into SPRS. Once granted, this DoD certification is valid for up to three years. Like CMMC Levels 1 and 2, CMMC Level 3 requires a senior official from the company to annually affirm continuing compliance with the specified security requirements. Under specific circ*mstances, POA&Ms are permissible at this level.
Takeaways
Defense contractors should take a very close look at the requirements that will flow from CMMC 2.0’s implementation as currently drafted. Many of these requirements are new and will require additional protocols. The failure to fully understand these requirements may result in defense contract ineligibility due to noncompliance and increase False Claims Act risks, especially considering the newly imposed senior-official affirmations. At minimum, defense contractors and subcontractors should conduct an analysis of their existing cybersecurity posture in relation to the security controls set forth in the NIST SP 800-171 Rev. 2. Although CMMC 2.0 is expected to be implemented by early 2025, now is the time to comment on the proposed rule and begin to ascertain whether your company has any major gaps in its cybersecurity program or practices that would make compliance with CMMC 2.0 challenging.
This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee a similar outcome.
