The Pentagon's CMMC Program Takes a Big Step Forward
The U.S. Department of Defense (DOD) has issued the proposed Defense Federal Acquisition Regulation Supplement (DFARS) rule that will implement the Cybersecurity Maturity Model Certification (CMMC) program in DOD contracts. Under the rule, the CMMC clause will be placed into DOD solicitations and contracts, and contractors will have to complete a self-assessment or obtain a third-party assessment before they can be awarded work that involves covered information. The kind of assessment required will depend on the CMMC level DOD assigns, which in turn is driven by the sensitivity of the information generated, processed or stored under the contract. Comments on the proposed rule are due on Oct. 15, 2024.
There are two sets of rules that will be utilized when the CMMC program is fully formed. The first, issued under Title 32 of the Code of Federal Regulations (CFR), establishes the CMMC program. These were initially proposed on Dec. 26, 2023, and the U.S. Office of Management and Budget (OMB) is reviewing the final regulations, with release expected before the end of the year. The second set of rules, which are the subject of this blog, are issued under Title 48 and will be placed in DOD contracts and refer back to the Title 32 rules.
If adopted as proposed, these rules will require contractors to have a current CMMC assessment at the time of award and maintain that assessment for the duration of the contract. Contractors without a required assessment will not be awarded a contract, and contractors who fail to maintain an assessment during the contract period will be subject to termination.
Further, to track compliance, each assessed contractor information system will be tagged with a DOD-assigned unique identifier (UID), which the contractor must report to the contracting officer. If any of the systems supporting performance of the contract change, the contractor is responsible for providing the updated UID(s) to the contracting officer. The proposed rules offer several important insights into the CMMC program:
Subcontractor Compliance. DOD notes that prime and higher-tier contractors will not have access to DOD databases to verify that a subcontractor holds the CMMC level it claims. It is DOD's position that this is an issue for the parties to work out themselves. Prime contractors and higher-tier subcontractors should therefore address verification in their subcontract agreements, for example by requiring each subcontractor to represent its CMMC level, provide the UID(s) for the systems it will use on the work, and give prompt notice of any change in assessment status.
Additional Incident Notifications. In the proposed regulation, DOD states that contractors are required to "[n]otify the Contracting Officer within 72 hours when there are any lapses in information security …" It is unclear how a "lapse" in information security differs from the cyber incident reporting already required under DFARS 252.204-7012. Whatever the answer, this adds a second notification obligation for contractors that handle Controlled Unclassified Information (CUI) and creates an entirely new one for contractors that handle only Federal Contract Information (FCI), which maps to a CMMC Level 1 self-assessment and has had no incident reporting requirement. Until DOD defines the term, contractors should decide in their incident response plans what they will treat as a reportable lapse (for example, a control that is found to have been unimplemented during an internal review, even where no cyber incident occurred) so the 72-hour clock is not missed.
Assessment Change Notifications. Contractors will also have to notify the contracting officer within 72 hours if there is a change in CMMC certificate status or assessment level.
International Companies and Systems. DOD makes clear that companies and systems located outside the U.S. will be held to the same standards as their U.S.-based counterparts. There are additional challenges for them, including host nation restrictions on foreign review of information systems and the difficulty of finding a CMMC Third-Party Assessment Organization (C3PAO) able to conduct an assessment outside the U.S.
Implementation Timing. DOD describes a phased-in approach, but it is unknown when DOD will determine which programs will be part of the initial rollout (or whether there will be a coordinated rollout across specific contracts). Because of that uncertainty, contractors should prepare for the possibility that new DOD contracts will require a CMMC assessment as early as the first half of 2025.
False Claims. These regulations continue to raise the specter of False Claims Act liability. Assessed information systems will be tied to specific contracts, and an affirmation of continuing compliance will be required annually. Those affirmations will have to attest that no material changes have occurred to the assessed information system. So if a contractor makes a material change to a system (something beyond routine patching, such as a re-architecture or a move to a new environment) or merges with another entity, a new assessment will be required before the contractor can continue performing, and an affirmation that ignores such changes could expose the company to liability.
Level Determination. Besides the CMMC clause itself, there is a separate solicitation provision under which DOD will notify offerors, before award, of the CMMC level required for each information system that will store or process data in performance of the contract. Because the level follows from how DOD categorizes the information (CUI versus FCI), that determination could give rise to pre-award protests.
Further, underscoring the broad reach of CMMC, DOD confirmed that these requirements will apply to contracts below the Simplified Acquisition Threshold (which currently sits at $250,000). The only exceptions are contracts solely for the purchase of Commercial Off-the-Shelf items and contracts at or below the $10,000 micro-purchase threshold.
These proposed rules are further confirmation of DOD's commitment to rolling out CMMC soon. Contractors in the DOD space should not delay in preparing for the CMMC rollout in 2025.