15 Key Takeaways from the Final CMMC Program Rule Issued by DOD

The U.S. Department of Defense (DOD) has long questioned whether contractors and their supply chains have been fully compliant with existing cybersecurity requirements aimed at protecting Controlled Unclassified Information (CUI), namely the 110 cybersecurity controls required by DFARS 252.204-7012. Because of that, DOD has accelerated implementation of the Cybersecurity Maturity Model Certification (CMMC) program and will now require third-party verification that contractors are meeting existing DOD cybersecurity standards when they have CUI. Other contractors that have Federal Contract Information (FCI) will be required to self-assess against 15 controls in Federal Acquisition Regulation (FAR) 52.204-21 and self-certify compliance with DOD.

This acceleration prompted the publication of the final rule in the Federal Register on Oct. 15, 2024, and established the CMMC program under Part 32 of the Code of Federal Regulations (CFR). A separate rule, which will be issued under CFR Part 48, will be in DOD contracts and require a CMMC certification as a condition of award. That rule is expected to be released in early 2025.

Clocking in at more than 400 pages, the latest release lays out the final Part 32 rule, answers comments filed in response to the proposed rule and analyzes the cost of implementation for the Defense Industrial Base. Below are 15 key takeaways from the final rule:

1. Implementation timing remains largely unchanged. In the proposed rule, DOD structured the rollout in four stages. Stage 1, which is on the effective date of the Part 48 rule, requires Level 1 and Level 2 self-certifications as a condition of award. Stage 2, which will now be one year after Stage 1 (instead of six months), will require a third-party assessment for contractors with CUI in most circumstances as a condition of award. These assessments are conducted by a Certified Third-Party Assessment Organization (C3PAO).

2. Disagreements with assessments by C3PAOs cannot be appealed to DOD. An organization seeking a certification may disagree with an assessor's review that certain controls were not met (which could prevent the organization from obtaining a certification necessary to perform a contract). In those circumstances, the organization can appeal that determination within the C3PAO. And if that is unsuccessful, the organization can appeal to the Accreditation Body. Beyond that, there is no right of appeal to DOD or elsewhere written into the rule. Whether the courts can be an avenue once the administrative appeals are unsuccessful remains to be seen, in part because the Accreditation Body is a private nonprofit entity.

3. DOD is wedded to Revision 2 of the National Institute for Standards and Technology (NIST) Special Publication (SP) 800-171 for now. During the CMMC rulemaking process, NIST released a Revision 3 of SP 800-171. Though this newer version has fewer controls, it has more assessment objectives and includes additional brand new supply chain controls not previously found in NIST SP 800-171. For now, DOD has committed to utilizing Revision 2 here and in DFARS 252.204-7012. DOD stated in the final rulemaking that implementation of Revision 3 will be the subject of further rulemaking.

4. C3PAO Assessments will begin in December 2024. While the DFARS CMMC rule is not out yet, the program has launched and official third-party assessments can begin after the effective date of this rule, which is Dec. 15, 2024. For companies heavily reliant on government contracts with DOD (as a prime contractor or subcontractor), getting in line early to avoid a resource issue with the availability of third-party assessors may be wise. Also, prime contractors may require compliance earlier than DOD.

5. Contractors are permitted to utilize Plans of Actions & Milestones (POA&Ms). As in the proposed rule, under some circumstances, contractors seeking a Level 2 or Level 3 assessment are permitted to not meet some required controls and still receive a conditional assessment that allows them to maintain and receive contract awards requiring a CMMC certification. Although the rule has further details as to which controls may be delayed, they must be achieved, verified by the C3PAO and reported to DOD within 180 days. To be eligible, the company seeking the assessment must meet at least 80 percent of the required security controls.

6. Frequent affirmations create a False Claims Act risk. A company that has received a third-party assessment or undergone a self-assessment (no matter which level) is required to file annual affirmations from an "Affirming Official." This individual is described by DOD as someone "who is responsible for ensuring the [company's] compliance with the CMMC Program requirements and has the authority to affirm the [company's] continuing compliance with the specified security requirements for their respective organizations." 32 CFR 170.4(b). These affirmations are required annually for all levels of certification and are required after POA&M closeouts.

7. Merger and acquisition activity may trigger a new assessment requirement. A company's Affirming Official should not file an annual affirmation if the system being affirmed has changed and should instead seek a new assessment (whether it is a Level 1 self-assessment or Level 2 or 3 third-party assessment). As described in the commentary from DOD preceding the final rule, "[a] new CMMC assessment may be required if significant architectural or boundary changes are made to the previous Assessment Scope. Examples include, but are not limited to, expansions of networks or mergers and acquisitions."

8. Level 1 self-assessments are unnecessary for Level 2 environments. Contractors that obtain a Level 2 self-assessment or C3PAO assessment do not need to also grade their security controls required under a Level 1 self-assessment. However, this is applicable only when the scope between the two assessments is identical.

9. Small business are expected to comply with CMMC. DOD referenced small businesses throughout this new rulemaking. In fact, DOD restated and addressed concerns raised by the U.S. Small Business Administration's Chief Counsel for Advocacy including several pertaining to the cost of CMMC for small businesses. In response, DOD repeated that the relative cost for certifications is low, and they are not accounting for the engineering costs for compliance with the required security controls because such compliance was already mandated under previous rulemaking. DOD is also of the opinion that foreign actors have targeted and will continue to target small businesses that hold valuable information – particularly CUI. The Chief Counsel also sought further guidance on the use of enclaves, but DOD demurred as it was outside the rulemaking.

10. Foreign companies are expected to comply with CMMC like their U.S. counterparts. As with small businesses, DOD expects foreign companies to meet the compliance requirements in CMMC on the same timeline as every other company. As stated by DOD in response to a comment, the CMMC program "rule does not permit partial exemption of assessment requirements for foreign contractors … CMMC requirements apply to both domestic and international primes and flow down to subcontractors throughout the supply chain … regardless of where the company is headquartered or operates." DOD is most concerned with whether the company has the type of information that requires protection.

11. External Service Providers (ESPs) do not necessarily need a Level 2 certification. In the proposed rule, certain ESPs, such as managed service providers, would have been required to obtain a Level 2 certification. In order to lower costs and open up the marketplace to additional ESPs, DOD deleted that requirement. If the contractor's information flows to the ESP, however, that ESP will be in the scope of an assessment. Further, cloud service providers (CSPs) are required to be Federal Risk and Authorization Management Program (FedRAMP) moderate or equivalent.

12. CMMC may come earlier for some companies. Stage 1 of the final rule permits DOD to accelerate adoption and require third-party assessments by C3PAOs as part of Stage 1. That means CMMC can be a requirement in prime contracts as soon as the issuance of the DFARS rule, which is expected in the first half of next year. Although it is not expected that this will be widespread, contractors holding or creating particularly sensitive information should be prepared to comply under an accelerated timeline. As mentioned above, prime contractors may also demand earlier adoption from their supply chain, and subcontractors with competitors that have undergone a C3PAO assessment may be at a competitive disadvantage.

13. Contractors may challenge a level designation with a pre-award protest. The required CMMC level designation will be made by DOD program managers or requiring activities. It is possible that the level choice made by DOD is inconsistent with what is necessary based on the information that will be used, stored or created during the performance of the contract. In those instances, contractors can ask questions if there is a Q&A opportunity and, if that is unsuccessful or unavailable, file a pre-award protest. The timing and venue available will be dependent on the solicitation, but such a protest must always be filed by the deadline for RFP responses and potentially sooner.

14. CMMC will be applicable to a wide swath of contracts. CMMC will be applicable to every contract above the micro-purchase threshold (currently $10,000) that is not solely for commercial off-the-shelf products. As noted above, there is no exemption for small businesses. There are also no exemptions for contracts for commercial products and services. For businesses doing business with DOD, this will likely transform their compliance regime with respect to cybersecurity.

15. Even with extensive rulemaking, some unknowns remain. This new rulemaking resolved many unanswered questions posed by the DIB over the last few years. Even so, some open questions remain. For instance, it has not been clarified how CMMC will be applicable when a DOD agency is ordering off of a governmentwide contract, such as the General Services Administration's schedule program. Also, even though the timing has been detailed in final rulemaking, it is impossible to know when certain opportunities will be moved to the CMMC program. DOD has been clear that there will not be any pathfinder program this time around.

The above is just the tip of the iceberg when thinking about the intricacies of the CMMC program and the implications for the DIB (including contractors far down the supply chain). Companies in the DOD supply chain would be wise to not delay and further and ensure they are properly certified.

CMMC Webinar

For additional information, register for The Wait Is Over ... The Final CMMC Rule Explained, a webinar on Oct. 17, 2024, at 3 p.m. ET where Holland & Knight Partner Eric Crusius will discuss the CMMC program with thought leaders from NeoSystems and FutureFeed.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.