Jan 3, 2024

Two years after announcing the second iteration of the U.S. Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC) program, the DoD released its proposed rule that, if adopted, will implement the program. The DoD expects CMMC to be the cornerstone of its efforts to protect information held by contractors in the Defense Industrial Base (DIB).

The proposed rule was not released alone: Besides numerous proposed additions to the Code of Federal Regulations (CFR), the DoD also released a CMMC Model Overview, CMMC Assessment Guides, CMMC Scoping Guides and a CMMC Hashing Guide. All told, more than a dozen ancillary documents support the CMMC program.

If adopted, the CMMC program will require most contractors handling Controlled Unclassified Information (CUI) to obtain a third-party certification that they have successfully implemented the 110 cybersecurity controls in National Institute of Standards and Technology Special Publication (NIST SP) 800-171. It should be noted that contractors handling CUI are already required to comply with NIST SP 800-171 through Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, but only a self-attestation is currently required. Failure to obtain a CMMC certification will mean a contractor is prohibited from performing an awarded contract.

Contractors not handling CUI – but instead, Federal Contract Information (FCI) – will also be required to obtain a Level 1 assessment, which is a self-certification consistent with the requirements in FAR 52.204-21.

Highlights of the Proposed Regulations

While the proposed regulations are comprehensive, the following are some highlights:

  • The DoD proposes an aggressive rollout, with self-assessments required on all new contracts immediately after the final rule is effective and third-party assessments on all contracts at the start of Phase 2, which is six months after final rule implementation.
  • While Level 2 is a split level (with some assessments being self-assessments and some being third-party assessments), the DoD assumes the vast majority of Level 2 assessments will be conducted by a Certified Third-Party Assessment Organization (C3PAO) (4,000 entities conducting a self-assessment versus 76,598 entities receiving a third-party assessment).
  • Third-party assessments are to last for three years, although the time may be shortened if the contractor makes modifications to an assessed system. Companies waiting on a third-party assessment may be competing with companies that are getting a second assessment when trying to schedule an assessment with a C3PAO.
  • The proposed rule contains enormous False Claims Act (FCA) risk: Level 1 assessments must be certified by a company executive to the DoD, and third-party Level 2 assessments require a company executive to file an affirmation with the DoD upon the close of the third-party assessment and annually thereafter. There is no doubt that the DoD will argue that these certifications are material.
  • Managed service providers (MSPs) play a crucial role in the CMMC ecosystem, particularly for small and medium-sized businesses. It is not clear what MSPs will be required to do (for example, whether they must obtain a Level 2 assessment) to be able to continue in that role for their clients.
  • Small businesses, subcontractors and non-U.S. companies will be required to comply with the same set of requirements consistent with the type of information they are creating or handling. There are no blanket exemptions except for contracts for the purchase of commercial off-the-shelf products or contracts under the micro-purchase threshold.
  • It remains to be seen how this rule will be implemented through the federal supply schedule and other agency-agnostic contracts such as NASA's Solutions for Enterprise-Wide Procurement (SEWP).

Additional Information

Taken together, the release of the proposed rule and ancillary documents is an important step for the CMMC program and signals the DoD's commitment to implementing the program. Contractors that wait too long risk losing contracts, whether as a prime contractor or a subcontractor.

Holland & Knight's Government Contracts Group will issue follow-up blogs that address specific parts of the proposed CMMC rule in the days and weeks to come.


Experts
  • Eric Crusius
    Partner, Holland & Knight
    Eric, a Partner at Holland & Knight specializing in Government Contracts, Internet/Technology Law, and representing businesses of all shapes and sizes, was named a Super Lawyers Rising Star. This honor is only given to the top 2.5% of attorneys who meet certain criteria. Eric has appeared as a g...