
The GovCon Bulletin™

27 Dec, 2023

Cybersecurity Alert: DoD Issues 2023 CMMC Proposed Rule!

     A few days ago, on December 23rd, in the wee hours of an early Saturday morning, the U.S. Department of Defense (DoD) came to town.  Perhaps more like the Grinch in the eyes of some defense contractors, DoD at last delivered on its long-awaited promise of Cybersecurity Maturity Model Certification (CMMC) Program regulations.  The bundle that DoD left behind in its early morning post is a Proposed Rule that describes in some detail DoD's proposed CMMC Program, including the requirements that defense contractors will have to meet at each of the three proposed certification levels.  Comments on the Proposed Rule must be received by February 26, 2024.  While we intend to offer a more detailed examination of DoD's December 23 Proposed Rule in the near future, for now we highlight below a few important aspects of the rule and the CMMC Program described in it.

One More CMMC Proposed Rule Is On The Way

     The December 23 Proposed Rule reflects DoD’s decision to release the CMMC Program regulations in two separate rulemakings.  The December 23 Proposed Rule implements the CMMC Program in Part 170 of DoD's Title 32 National Defense regulations.  According to the preamble of the Proposed Rule, however, another rulemaking is expected to follow that sets forth CMMC contractual processes.  Consequently, we should expect to see in the not too distant future another DoD Proposed Rule under Title 48 that unveils the actual Defense Federal Acquisition Regulation Supplement (DFARS) CMMC clauses that will be included in DoD contracts after all CMMC proposed regulations become final. 

     Even without the proposed DFARS clauses that are expected to be included in their contracts, defense contractors now have, with the December 23 Proposed Rule, a concrete and specific view of what the CMMC Program may look like.  Therefore, contractors that do business with DoD, or hope to in the future, should review the December 23 Proposed Rule to determine whether they need to increase their efforts to prepare for program compliance.  In informal guidance and prior regulations, DoD provided glimpses of CMMC's future, so some of the CMMC certification requirements described below may not be entirely new or unfamiliar.

Certification Levels

    Under the proposed CMMC Program, DoD contractors and their subcontractors will have to maintain cybersecurity hygiene that meets one of three certification levels, depending on which certification level is applied to their DoD contracts.  As described more fully below, each cybersecurity level has corresponding requirements for (1) the security safeguards that must be implemented at each level, (2) how often compliance with those safeguards will be assessed and by whom, and (3) how often a company official has to affirm the company’s compliance with the security safeguards.

CMMC Level 1

  • Security requirements – DoD contractors and subcontractors must meet the 15 basic safeguarding requirements under FAR clause 52.204-21, which they are already required to meet today.
  • Assessment requirements – DoD contractors and subcontractors must perform self-assessments of compliance with FAR 52.204-21 at least annually and enter the self-assessment in the Supplier Performance Risk System (SPRS).
  • Affirmation – A DoD contractor or subcontractor senior official must annually affirm compliance with the FAR 52.204-21 requirements and enter the affirmation in SPRS.

CMMC Level 2

  • Security requirements – Contractors and subcontractors are required to implement the 110 NIST SP 800–171 Rev 2 security requirements, which are currently already required under DFARS clause 252.204–7012.
  • Assessment requirements – Depending on program criticality, information sensitivity, and the severity of the cyber threat, compliance with Level 2 requirements will be assessed either by the contractor/subcontractor itself (a self-assessment) or by an authorized or accredited CMMC Third-Party Assessment Organization (C3PAO).  Assessments are valid for three years.  Self-assessment results must be entered into SPRS.  A C3PAO will enter its assessment in the Enterprise Mission Assurance Support Service (eMASS), which will transmit the results into SPRS.  For some requirements, contractors or subcontractors are allowed to have plans of action and milestones (POA&Ms), provided they are closed out within 180 days of the assessment.
  • Affirmation – A DoD contractor or subcontractor senior official must affirm compliance with the security requirements after every assessment and then annually thereafter, and must enter affirmations in SPRS.

CMMC Level 3

  • Security requirements – DoD contractors and subcontractors must already meet all of the Level 2 security requirements and must also meet the 24 security requirements selected from NIST SP 800-172 that are specified in the new regulation at 32 CFR 170.14(c)(4).
  • Assessment requirements – DoD contractors and subcontractors must be assessed by a DoD assessor and will have to be re-assessed every three years.  The DoD assessor will enter the assessment in eMASS, which will transmit the results into SPRS.  For some Level 3 requirements, contractors will be allowed to have plans of action and milestones (POA&Ms), provided they are closed out within 180 days of the assessment.
  • Affirmation – A DoD contractor or subcontractor senior official must affirm compliance with the security requirements after every assessment and then annually thereafter, and must enter affirmations in SPRS.

Contractors Should Already Be Preparing To Meet Assessment Requirements

     Although DoD contracts will not begin to include CMMC certification requirements until after the anticipated DFARS Proposed Rule is issued and becomes final, defense contractors are already required to meet the security safeguards that CMMC Levels 1 and 2 would assess.  Moreover, as we have noted previously, the 110 security requirements under NIST SP 800-171 that underlie Level 2 and Level 3 certification are detailed and extensive, and it may take contractors significant effort and time to document compliance with each of them.  Defense contractors, therefore, should not delay working with staff and any needed outside consultants to review their compliance with these cybersecurity safeguards.

Mark A. Amadeo
Principal