The U.S. Department of Defense (“DOD”) is moving towards implementing the Cybersecurity Maturity Model Certification (“CMMC”) program. When finally launched, the CMMC program will require many companies in the DOD supply chain with Controlled Unclassified Information (“CUI”) to obtain a third-party certification confirming that they are compliant with applicable cybersecurity controls. The impacted companies will not only affect prime contractors, but also subcontractors through the supply chain – even purveyors of commercial products and services.
The CMMC program contains three levels covering self-certifications, third-party certifications and governmental certifications:
- Level 1 includes contracts where there is Federal Contract Information (“FCI”) and requires compliance with the 15 security controls enumerated in Federal Acquisition Regulation (“FAR”) 52.204-21. DOD’s position is that all contractors in the Defense Industrial Base (including subcontractors) hold FCI, at the very least. This is a self-certification.
- Level 2 includes contracts with CUI and requires compliance with the 110 security controls in National Institute of Standards and Technology (“NIST”) Special Publication (SP) 800-171, Revision 2 (for now; compliance with Revision 3 is forthcoming). Some contractors (by DOD’s own estimates, there will eventually be 4,000) will be able to utilize a self-certification while others (more than 76,000) will need a third-party certification.
- Level 3 also includes contracts with CUI, but CUI that DOD concludes is especially sensitive. The prime contractor and some subcontractors in the supply chain for Level 3 contracts will have to separately comply with 24 controls in NIST SP 800-172 and obtain a certification from the DOD Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”) after receiving a third-party assessment under Level 2.
While the program has been delayed, recent developments indicate that adoption is rapidly approaching:
- The new $50 billion Army Marketplace for the Acquisition of Professional Services (“MAPS”) solicitation (which is currently on hold) asks whether contractors have at least an assessment scheduled to receive a third-party Level 2 CMMC assessment.
- In a recent interview, Katie Arrington, who is performing the tasks of the DOD Chief Information Officer, said that DOD remains committed to CMMC and will seek to “federalize” it across the federal government.
- The final CMMC rule that will be put into contracts is currently under review by the DARS Regulatory Control Officer, the final step before a review at the Office of Management and Budget and subsequent publication in the Federal Register.
- DOD announced in rulemaking and on its CMMC website that it can require CMMC compliance earlier than announced in the rule.
The CMMC program is being rolled out and implemented through two separate rulemaking processes. The first, in Title 32 of the Code of Federal Regulations (“CFR”), lays out the CMMC program in detail, specifying the requirements for assessments and the roles and responsibilities of the various parties in the program. The final rule under Title 32 was effective on December 16, 2024, and assessments are currently underway. Separately, forthcoming rulemaking under Title 48 of the CFR would include the CMMC requirement in defense contracts.
Once the final rule is in the Defense Federal Acquisition Regulatory Supplement (“DFARS”), DOD will move through an implementation process with four phases, but DOD has maintained in rulemaking and on its website that it may accelerate requirements in advance of the rulemaking. (“In some procurements, DoD may implement CMMC requirements in advance of the planned phase.”) Once Phase 1 begins, DOD solicitations issued after that date will require a Level 1 or Level 2 self-certification. One year later, Phase 2 will take effect, which will require a Level 2 third-party certification (or conditional certification) for contractors holding certain types of CUI. Subsequent phases over the next two years will require implementation in option years and Level 3 assessments. As noted above, Level 3 assessments are reserved for companies possessing more critical CUI and are conducted by the DIBCAC.
The impact on the Defense Industrial Base (“DIB”) will be broad. By DOD’s own estimates, more than 220,000 companies in the Defense Industrial Base will be impacted by CMMC, including more than 76,000 companies that will eventually require a third-party certification. Even so, the ecosystem is rushing to meet demand. There are currently fewer than 70 companies that have been certified by the Cybersecurity Accreditation Body (which has a no-cost contract with DOD to manage the ecosystem) to allow those companies to conduct assessments that will be recognized by the DOD. This may create a potential bottleneck for companies that wait too long to get assessed.
Before an assessment may occur, companies must ensure they are compliant with the security controls in NIST 800-171. DOD’s position is that companies out of compliance are out of excuses because compliance with these security controls (if a company possesses CUI as part of a defense contract or subcontract) has been a requirement since December 31, 2017. Despite these longstanding requirements, many small and medium businesses, and non-traditional contractors, have had difficulty justifying the costs associated with compliance. DOD’s rollout of the CMMC program will require companies to make the choice to comply or not be in the DOD supply chain any longer.