Reviewing the Proposed CMMC Regulations: Key Takeaways and Recommendations
The U.S. Department of Defense (DoD) delivered a timely Christmas gift to government contractors and subcontractors last month – the proposed regulations for the Cybersecurity Maturity Model Certification (CMMC) program. After over two years in development, the proposed rule, released on December 26, 2023, aims to enhance cybersecurity compliance across the defense industrial base. This article highlights the key elements of the proposed CMMC rule, offering insights and strategic considerations for businesses navigating the evolving landscape of defense contracts.
How We Got Here
Understanding the context behind the CMMC regulations provides valuable insight. Cyber-attacks on organizations across the Defense Industrial Base represent a grave threat to our National Security. The theft of Controlled Unclassified Information (CUI) by our adversaries has diminished our long-standing technological advantage, threatens the integrity of our weapons platforms and munitions, and puts our warfighters at risk. The journey from DFARS clause 252.204-7012 to the current proposed rule, shaped by evolving cyber threats, reflects the DoD's commitment to fortifying cybersecurity measures.
- Tiered Model for Cybersecurity Requirements
CMMC introduces a tiered model comprising three levels of cybersecurity requirements:
- Level 1 for contracts involving Federal Contract Information (FCI)
- Level 2 for Controlled Unclassified Information (CUI)
- Level 3 for enhanced protection against Advanced Persistent Threats (APTs)
Specific security measures, aligned with NIST publications, are mandated at each level.
- Assessment and Affirmation Requirements
Contractors and subcontractors must undergo cybersecurity conformance assessments. Assessment results will be submitted via the DoD Supplier Performance Risk System (SPRS). Level 1 requires a self-assessment and an affirmation of conformance by a company senior representative. For Level 2, most organizations will require a triennial assessment conducted by an independent CMMC Third Party Assessment Organization (C3PAO), plus an annual self-assessment in the second and third years, each with an affirmation of conformance by a company senior representative. A small percentage of those at Level 2 will be allowed to self-assess annually. Organizations required to certify at Level 3 must complete a Level 2 assessment conducted by a C3PAO; the remaining controls will be assessed by the DoD. Affirmations of compliance are considered express representations for False Claims Act purposes.
Contractors must conduct scoping exercises to determine systems and assets subject to CMMC assessments. Level 2 and 3 assessments include specialized assets, reflecting the increasing complexity of security requirements.
- Level 1 criteria use a simple MET/NOT MET evaluation.
- Level 2 scoring considers a point system with deductions for unmet requirements. An organization can conditionally pass an assessment with a score of 90% as long as all required items have been met. Plans of Action and Milestones (POA&M) must exist for all unmet requirements and all POA&M items must be met within 180 days.
- Level 3 uses a similar point system, adding 24 selected security requirements from NIST SP 800-172.
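The Level 2 scoring rule above has several moving parts (point deductions, the 90% line, items that cannot be deferred, and the 180-day POA&M clock), so here is an added worked example that is not part of the article and not the DoD's scoring tool. It models an assessment as a list of requirements and applies the conditional-pass rule as described; the requirement labels, point weights, and the "POA&M eligible" flag are assumptions constructed for illustration, since the proposed rule's actual weights and non-deferrable items are not given on this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Figures taken from the proposed rule as summarised in the article.
CONDITIONAL_PASS_PCT = 90   # minimum score for a conditional pass
POAM_CLOSURE_DAYS = 180     # window in which every POA&M item must be met


@dataclass
class Requirement:
    ident: str            # hypothetical label; real practice IDs are not on this page
    weight: int           # ASSUMED point value deducted when unmet
    met: bool
    poam_eligible: bool   # ASSUMED: may an unmet item be deferred to a POA&M at all?


@dataclass
class AssessmentResult:
    score_pct: float
    outcome: str                  # "pass", "conditional" or "fail"
    poam_items: List[str]         # unmet requirements that must appear on the POA&M
    poam_deadline: Optional[str]  # ISO date by which all POA&M items must be met


def evaluate_level2(reqs: List[Requirement], assessment_date: str) -> AssessmentResult:
    """Deduct points for unmet items, allow a conditional pass at >= 90% only if
    every non-deferrable item is met, and stamp the 180-day POA&M deadline."""
    total = sum(r.weight for r in reqs)
    earned = total - sum(r.weight for r in reqs if not r.met)
    unmet = [r.ident for r in reqs if not r.met]
    blocking = [r.ident for r in reqs if not r.met and not r.poam_eligible]

    if not unmet:
        outcome = "pass"
    # integer comparison avoids float rounding exactly at the 90% line
    elif earned * 100 >= CONDITIONAL_PASS_PCT * total and not blocking:
        outcome = "conditional"
    else:
        outcome = "fail"

    deadline = None
    if outcome == "conditional":
        closes = date.fromisoformat(assessment_date) + timedelta(days=POAM_CLOSURE_DAYS)
        deadline = closes.isoformat()
    return AssessmentResult(round(earned * 100 / total, 1), outcome, unmet, deadline)


def poam_overdue(result: AssessmentResult, today: str) -> bool:
    """True once a conditional pass's 180-day closure window has elapsed
    (ISO dates compare correctly as strings)."""
    return result.outcome == "conditional" and today > result.poam_deadline


def sample_requirements(unmet_ids=(), ineligible_ids=()) -> List[Requirement]:
    """Constructed sample: 12 requirements, six weighted 5 and six weighted 1
    (36 points total). Weights are illustrative, not the rule's own."""
    reqs = []
    for i in range(1, 13):
        ident = f"REQ-{i:02d}"
        reqs.append(Requirement(
            ident=ident,
            weight=5 if i <= 6 else 1,
            met=ident not in unmet_ids,
            poam_eligible=ident not in ineligible_ids,
        ))
    return reqs


if __name__ == "__main__":
    scenarios = {
        "two low-weight gaps": sample_requirements(unmet_ids=("REQ-07", "REQ-08")),
        "one high-weight gap": sample_requirements(unmet_ids=("REQ-01",)),
        "non-deferrable gap": sample_requirements(unmet_ids=("REQ-07",), ineligible_ids=("REQ-07",)),
        "fully met": sample_requirements(),
    }
    for name, reqs in scenarios.items():
        r = evaluate_level2(reqs, "2024-03-01")
        print(f"{name:22s} score={r.score_pct:5.1f}% outcome={r.outcome:12s} "
              f"poam={r.poam_items} deadline={r.poam_deadline}")
```

Two points the sample scenarios make visible: a single heavily weighted gap can drop the score below 90% even when almost everything else is met, and an unmet item that cannot be deferred fails the assessment regardless of score. A compliance team can drop its own requirement list into this shape to track the POA&M deadline from the assessment date.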
- Implementation Through Contracts
CMMC level attainment becomes a prerequisite for DoD contract awards upon its implementation, which could be as early as December 2024. Solicitations will specify CMMC levels and assessment types, defining compliance expectations.
- Applicability to Subcontractors
CMMC requirements must be flowed down successively to all subcontractors and suppliers that exchange CUI within a supply chain. Prime contractors will identify the required CMMC levels for their subcontractors, reinforcing flow-down obligations. Subcontractors must meet the assessment and accreditation requirements corresponding to the designated CMMC level.
- Phase-in of Requirements
CMMC implementation spans four phases, gradually introducing assessment and certification requirements. Full implementation is expected by October 1, 2026, subject to program manager discretion.
- Develop and Refine a System Security Plan (SSP):
  - A robust SSP is essential for self-assessment or certification assessment preparation.
  - Clearly define the presence and flow of regulated data in your network.
- Develop an Enterprise-Wide Compliance Strategy:
  - Engage all stakeholders to formulate a comprehensive compliance strategy.
  - Address technical gaps, legal risks, and structural considerations for conditional or final certification.
- Consider a Dedicated Federal Environment:
  - Segment regulated data into a dedicated environment to streamline implementation and reduce legal risks.
- Conduct Privileged Compliance Assessments:
  - Conduct compliance assessments under attorney-client privilege to identify and address gaps without exposing the company to undue risks.
- Develop and Refine Corporate Policies:
  - Establish robust internal cybersecurity policies governing technology use and data regulation.
  - Regularly update policies to ensure currency and accuracy.
As the proposed CMMC rule paves the way for more robust cybersecurity enforcement across the DIB, contractors and subcontractors must proactively prepare to satisfy NIST SP 800-171 requirements. The phased implementation, scoping exercises, and affirmation requirements underscore the importance of the CMMC program. By embracing a proactive approach and adhering to the recommendations above, organizations can navigate the evolving landscape of cybersecurity regulations and ensure their eligibility for DoD contracts in the future.
Comments on the proposed rule will be accepted until February 26, 2024, providing stakeholders with an opportunity to contribute to the finalization of the regulations.