Last December, the Department of Defense (“DoD”) published its proposed rule setting forth cybersecurity requirements for defense contractors and subcontractors. These requirements are designated with a particular Cybersecurity Maturity Model Certification (CMMC) level that is associated with the contractor’s procurement. As the second iteration of CMMC, 2.0 demonstrates an escalating system of maturity using designated levels 1, 2, and 3.
With the proposed rule set to be finalized this year, and implementation set to take place in 2025, now is as good a time as any to understand how contractors are impacted by CMMC 2.0; as well as the requirements, the certification process, and how your organization can best prepare.
Who Is Impacted by CMMC 2.0?
CMMC 2.0 applies to “all Department of Defense contract and subcontract awardees that will process, store, or transmit information that meets the standards for Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on contractor information systems.” Likewise, private sector organizations seeking to conduct business as authorized assessors and certifiers of CMMC compliance, such as CMMC Third-Party Assessment Organizations (C3PAOs) or CMMC Certified Assessors (CCA), are also required to meet a designated CMMC level.
Will prime contractors and subcontractors be required to maintain the same CMMC level?
Yes. Assuming the contractor and subcontractor are handling the same type of FCI or CUI, then the same CMMC level will apply. If the primary only flows down select information, then a lower CMMC level could apply to the sub.
Our organization never adopted CMMC 1.0. Do we need to comply with 1.0 before moving on to 2.0?
No. DoD has confirmed it has no intention to approve the inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process. Once CMMC 2.0 is codified, DoD will require companies to follow the 2.0 framework according to requirements set forth in the final regulation.
What is Required under CMMC 2.0?
CMMC is designed to standardize information security environments across the Defense Industrial Base (DIB). The DIB continues to be a high-priority target for frequent and complicated cyberattacks intended to compromise the confidentiality, integrity, and availability of FCI and CUI. Prior attempts to standardize information security requirements created significant friction in contractors’ attempts to comply, because it assumed that all contractors processed the same types of information in the same way. In response to these challenges, CMMC simplified expectations by creating three levels of “cybersecurity maturity,” and scaling those expectations based on the sensitivity of the information processed by the contractor or subcontractor. CMMC 2.0 is intended to balance the increased assurance that sensitive unclassified information will be protected, while also making the lift to reliable cybersecurity resilience more manageable.
What are the CMMC 2.0 “levels of maturity?”
For government contractors that have a history of processing FCI or CUI , the requirements set forth in each Level of Maturity should come as no surprise.
CMMC Maturity | Impacted Contractors | Security Requirements |
Level 1 | Contractors and subcontractors who will process, store, or transmit FCI on unclassified contractor information systems. | 15 basic safeguarding requirements and procedures designed to protect covered contractor information systems. All 15 requirements are currently required under FAR Clause 52.204-21. |
Level 2 | Contractors or subcontractors responsible for processing, storing, or transmitting CUI on unclassified contractor information systems | 110 security requirements specified in NIST SP 800-171. |
Level 3 | As determined by DoD on a contract-by-contract basis, based on the sensitivity of the CUI involved in the performance of that contract. | 110 security requirements specified in NIST SP 800-171. AND 24 selected security requirements from NIST SP 800-172. |
Level 1 applies to contracts and subcontracts that involve handling FCI, but not CUI. The DoD estimates that 63% of contractors impacted by CMMC 2.0 will only be subject to Level 1. Accordingly, those impacted organizations will be responsible for basic security controls, such as limiting physical access to information systems/equipment, performing periodic scans of information systems and real-time scans of files from external sources, and escorting visitors/monitoring visitor activity.
Level 2 applies to contracts and subcontracts requiring CUI processing. The 110 security control requirements applicable to Level 2 are identical to the requirements set forth in NIST SP 800-171 Rev. 2. DoD estimates that Level 2 will impact 36% of the organizations required to comply with CMMC 2.0. Although 110 controls is overwhelming at first blush, the controls fall into familiar categories of cyber hygiene, such as access control, awareness and training, audit and accountability, incident response, physical protection, and risk assessment amongst other security domains.
DoD estimates that Level 3 will impact less than one percent of defense contractors, and as such this Level of Maturity is the most customizable. In addition to the 110 security controls identified in Level 2, Level 3 includes specified controls from NIST SP 800-172, such as requirements to establish and maintain a security operations center that operates 24/7, conduct annual penetration testing, assess and monitor supply chain risks, and employ advanced automation and analytics capabilities to predict and identify risks to systems and their components. Level 3 will also identify “Organization-Defined Parameters”.
How will my organization know what CMMC level, if any, is required for a contract?
DoD will specify the required CMMC level in a solicitation or in any Requests for Information, if utilized.
What does the certification process look like?
Unlike many security frameworks where an organization is expected to adopt the framework and non-compliance is identified following a complaint or security incident, CMMC requires certification of the organization’s requisite Level of Maturity before conducting work. Accordingly, the certification requirements differ based on level.
Who does the certifying?
Each Level of Maturity has a different certification process.
CMMC Maturity | Assessment | Affirmation |
Level 1 | Annual self-assessment | Annual affirmation |
Level 2 | Triennial third-party assessment. For select programs, triennial self-assessment may be authorized. | Annual affirmation. |
Level 3 | Triennial assessment conducted by government. | Annual affirmation. |
For Level 1, contractors and subcontractors will be required to complete a self-assessment in DoD’s Supplier Performance Risk System (SPRS) prior to the award of a Level 1 contract or subcontract. After that, contractors are required to make an annual affirmation of continued compliance.
Although a self-assessment similar to Level 1 may be available on a contract-by-contract basis, Level 2 certification assessments are largely issued by C3PAOs, private sector enterprises approved by DoD to issue independent verification of compliance with CMMC security requirements. C3PAOs compare a contractor’s technical controls against the Level 2 requirements and produce a score out of 110, with 88 being a minimum score necessary to achieve Level 2 certification. As of March 14, 2024, only 50 C3PAOs have been authorized by the Cyber Accreditation Body, with 459 candidates still under consideration. With so few C3PAOs authorized to conduct assessments, contractors may experience significant delay in seeking certification as more and more businesses occupy the bandwidth of the limited assessors available.
Level 3 assessments will be performed exclusively by the Defense Contract Management Agency. Similar to Level 2, a scoring methodology will be in place, and contracts may be eligible for certain tailoring of Level 3 standard requirements based on the sensitivity of information to be processed under the contract. However, the scoring system is much more exacting with Level 3 organizations required to have all 110 Level 2 controls, and a score of 20 out of 24 for the remaining Level 3 controls.
If my organization’s assessor determines we fall short of a certain level, can we rely on a Plan of Action and Milestones?
It depends. Level 1 certification does not permit contractors to include a Plan of Action and Milestones (POAM) to comply with unmet requirements in the future. By contrast, Level 2 and Level 3 allow for POAMs to comply with controls not met at the time of assessment, but with some new limitations. For example, POAMs are unavailable for some controls, must be achieved within 180 days of initial assessment, and can only be implemented if the contractor meets a particular assessment score.
When Does My Organization Need to be Certified under CMMC 2.0?
Because CMMC 2.0 exists as proposed rulemaking, there is no set date on the calendar yet that requires contractors to meet a Level of Maturity. Instead, the proposed rule identifies a graduate implementation over the course of three years and four phases.
Phase | Duration | Activity |
1 | Months 1-6 | Once rule-making is finalized, DoD will include Level 1 or 2 self-assessment requirements as a condition of contract award. DoD has the option at its discretion to include third-party certification requirements for some Level 2 solicitations and contracts. |
2 | Months 6-18 | DoD will begin including Level 2 Certification Assessment requirements as a condition of contract award. DoD, at its discretion, may also begin including Level 3 requirements for solicitations and contracts. |
3 | Months 18-30 | DoD will include Level 3 Certification Assessment requirements for all DoD solicitations and contracts as a condition for award. |
4 | Month 30 | At this point, all CMMC Program requirements will be consistently included in all DoD solicitations and contracts, including option periods. |
Because finalization of the proposed rule is not set to any particular timetable, it is difficult to predict when Phase 1 will begin. However, DoD has confirmed that it expects to include CMMC requirements for all levels on or after October 1, 2026. Working backwards, that would place the beginning of Phase 1, at its earliest, at April 1, 2024.
Where Do We Even Begin?
Just start the process. By DoD’s own implementation timeline, there is an understanding that contractors will be coming from wildly different starting points. If your organization conducted self-assessments as part of CMMC 1.0, you have a basic scorecard to build off from. If you are starting from ground zero, begin with the Level 1 requirements. Each level builds off the former, so go for the low-hanging fruit. These requirements are largely rudimentary, and do not require investment in large quantities of technical solutions. Once you have Level 1 under control, map your organization to the categories listed in NIST 800-171 to identify gaps and aim for incremental change through Phases 1 and 2.
You need to start now. For thousands of contractors and subcontractors seeking certification, only a few dozen C3PAOs currently exist. We anticipate that bandwidth and availability for assessments will tighten quickly once the rule is finalized. In addition, the requisite controls also require reinforcement through documentation and policies. This means that in addition to prioritizing the technical side of the rules, you will need experienced legal counsel to build and shape policies that fit your organization and can grow with cybersecurity maturity. Taft will continue to monitor developments in this area and will provide updates here and on all our Taft platforms. As always, seek qualified legal counsel whenever making determinations about your company’s legal or compliance obligations. Taft’s Privacy and Data Security Practice (PDS) stands ready to assist you with a risk-based, common-sense approach to your data governance needs. Stay tuned to Privacy and Data Security Insights and don’t forget to download our free mobile app, to give you quick, real-time access to Taft PDS content and updates like this one.