CMMC 2.0: US DoD Tightens Cybersecurity Requirements for Contractors

US Subcontractors Face Increased Cybersecurity Scrutiny Under CMMC 2.0


Joseph P Chacko
Joseph P. Chacko is the publisher of Frontier India. He holds an M.B.A. in International Business. Books: author of Foxtrot to Arihant: The Story of Indian Navy's Submarine Arm; co-author of Warring Navies - India and Pakistan. *Views are personal.

On August 15, 2024, the US Department of Defense published a proposed rule in the Federal Register describing how it will integrate the requirements of its Cybersecurity Maturity Model Certification (CMMC) program into the contracting process.

CMMC is the Department of Defense's framework for assessing whether companies that handle sensitive but unclassified information meet the department's cybersecurity requirements.

Since its announcement in 2019, the program has gone through several iterations. The current version, CMMC 2.0, has three progressively demanding certification levels, with the required level depending on the type and sensitivity of the information a company handles. All Level 1 companies and some Level 2 companies can confirm compliance through self-assessment; the remaining Level 2 contractors must be assessed by a certified third-party assessment organization (C3PAO), and government assessors conduct all Level 3 assessments.

The proposed rule adds a provision requiring the Department of Defense to tell offerors which CMMC level a particular solicitation requires. The successful offeror must also have its CMMC certificate or self-assessment results posted in the department's Supplier Performance Risk System (SPRS) before contract award.

The proposed rule also amends the Defense Federal Acquisition Regulation Supplement (DFARS). Where a solicitation specifies a CMMC level, the contractor must, at the time of award, hold a current CMMC certificate or self-assessment result at that level for every information system that will process, store, or transmit federal contract information (FCI) or controlled unclassified information (CUI) during contract performance.

Tara Lemieux, a CMMC consultant at Redspin—one of the third-party assessors authorized to conduct CMMC assessments—said that another critical part of the proposed rule is the flow-down of cybersecurity requirements from prime contractors to their subcontractors.

According to Lemieux, the proposed rule requires all CMMC requirements to be passed down to subcontractors at every tier that process, store, or transmit federal contract information or controlled unclassified information. This means that prime contractors are now responsible for ensuring that their subcontractors not only understand these compliance requirements but also meet the appropriate CMMC levels.

Additionally, she stated that the proposed rule would mandate that contractors annually affirm their continued compliance with the required CMMC level for the contracts they work on and that they must report any changes to their compliance status.

Lemieux noted that news headlines are filled with information about False Claims Act violations, and that this affirmation of continued compliance will really form the basis for potential repercussions for organizations that fail to maintain their CMMC compliance.

To minimize supply-chain disruption and the financial impact of CMMC on industry, especially small businesses, the proposed rule lays out a three-year phased rollout. During those three years, the CMMC Program Office will require the Pentagon's component program offices to include the CMMC requirement only in selected contracts. After three years, component program offices will be required to include the CMMC requirement in every solicitation and contract under which the contractor will process, store, or transmit federal contract information or controlled unclassified information in contractor information systems during contract performance.

Lemieux stated that the department must do everything possible to implement CMMC within the three-year timeframe, given the complexity and persistence of the types of cyberattacks seen in just the last two years. She noted that some of the major national security agencies and contractors have been involved in data breaches, proving that no one is immune to cyberattacks.

She added that there’s likely going to be a lot of resistance to the rollout plan, but that resistance is ultimately not something one can continue to account for over the next five years, given the propensity for these attacks and the criticality of the defense supply chain.

In the proposed rule, the Department of Defense estimated that after the three-year rollout, 35 percent of companies would need Level 2 third-party certification, but Lemieux said this estimate is likely understated. She explained that this is because controlled unclassified information (CUI) is new to much of the defense supply chain. She pointed out that contracts have not always included it, which poses a challenge in conducting such assessments.

Lemieux added that she thinks there is a lot more CUI documented in contracts that has not yet come to attention, and that sharing this information exponentially increases the potential target, in terms of the number of companies that will be required to obtain third-party certification.

The proposed rule does include a definition of controlled unclassified information: “information that the government creates or owns, or that an organization creates or owns for or on behalf of the government, which a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”

The Department of Defense will accept public comments on the proposed rule until October 15, 2024. After that, according to Lemieux, it will review the feedback and do everything possible to reach a decision that is fair to the defense supply chain while reinforcing the best practices that are desperately needed.

Lemieux said that Redspin and other third-party assessors are already seeing a significant increase in the number of prime contractors who want to get their suppliers to where they need to be, so that they can continue fulfilling their existing contracts without interruption and avoid delays or issues with their planned future contracts.
