On October 21, 2016, the DoD adopted a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) that required new cybersecurity safeguards and cyber incident reporting for certain types of controlled unclassified information (CUI)1 for DoD contractors by December 31, 2017. As this deadline has passed, and various requirements have been established since, the DoD has shifted its focus to the development of a broad cybersecurity model derived from various standards and leading practices. Through collaboration with DoD stakeholders, CMMC 1.0 was designed to be that model and will be essential in the effort to make cybersecurity the foundation of DoD acquisition.

While CMMC shares certain aspects with previous DFARS cybersecurity requirements, one of the notable differences with CMMC is that self-attestation will not be permitted for certain contracts (i.e., independent third-party certification will be required). The Cyber Accreditation Body (AB) has been established to train and certify the third-party auditors (i.e., CMMC Third-Party Assessor Organizations or C3PAOs) responsible for performing CMMC certifications for DoD contractors, as well as others (e.g., Registered Practitioners) who wish to provide CMMC-related services, such as consulting or advising, to their clients.

CMMC 2.0 was announced in November 2021 and the proposed changes build upon the CMMC 1.0 framework. The changes in CMMC 2.0 will be implemented through the rulemaking process and codified in the Code of Federal Regulations (CFR). CMMC 2.0 consists of three levels of cybersecurity, ranging from Level 1 to Level 3, with increasing requirements at each successive level.

1 US Department of Defense, Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, September 21, 2017, 
https://www.acq.osd.mil/dpap/policy/policyvault/USA002829-17-DPAP.pdf.

The CMMC model was designed with a focus on protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) and has evolved since the first iteration was released in early 2020.

Source: https://dodcio.defense.gov/cmmc/About/

In support of the DoD's initiative to make cybersecurity an integral part of the acquisition process, contractors in the supply chain must adhere to the requirements as incorporated into their contract. Level 1 will be the minimum requirement for contractors who handle FCI*, with higher levels being required for those who handle CUI and information deemed critical to national security.

*DoD has stated that companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification. However, other aspects of the contract may deem such companies CMMC relevant and should be considered on a case-by-case basis.

Recent incidents have brought the cybersecurity weaknesses of defense contractors and subcontractors to light. To address these vulnerabilities and the increasing cybersecurity risks, the DoD has made cybersecurity compliance a critical and mandatory part of the acquisition process.

Additionally, on September 29, 2020, the DoD published an interim rule (effective November 30, 2020) codifying: (1) the NIST SP 800-171 DoD Assessment Methodology; and (2) the CMMC Framework. Building onto DFARS clause 252.204-7012, the interim rule includes the following:

• DFARS provision 252.204-7019, which requires contractors to complete a NIST 800-171 assessment at least every three years and post the results the Supplier Performance Risk System (SPRS) in order to be considered for award.
• DFARS clause 252.204-7020, which requires contractors to provide the DoD access to their systems, facilities, and personnel in order to validate NIST 800-171 compliance via independent assessment. Additionally, contractors are responsible for ensuring that their subcontractors supporting a potential DoD contract also have completed a NIST 800-171 assessment and have posted the results to SPRS prior to award.
• DFARS clause 252.204-7021, which covers the implementation of the CMMC requirements.

Until CMMC is codified through the rulemaking process, the DoD Assessment Methodology will be used in the interim to assess contractor adherence to NIST SP 800-171 across the DoD supply chain. These interim assessments consist of three levels ranging from Basic, which is a self-assessment by the contractor, to Medium and High, which are conducted by the Government and based on the criticality of the program or sensitivity of the information handled by the contractor. For Medium and High Assessments, a review of the contractor’s system security plan (SSP) is performed to identify how each of the NIST SP 800-171 requirements are met. For a High Assessment, in addition to the review, the contractor must also demonstrate their SSP. The results of these assessments will be documented in the SPRS for verification by the respective DoD agency to confirm that the required assessment has been completed prior to contract award and is current (i.e., completed within the past three years or less if required in the respective contract) ¹ .

While the CMMC requirement may not yet be included in a contract that you are interested in pursuing, the interim requirement is applicable now so you should not wait to prepare. Additionally, taking early action to prepare for the DoD assessment is a step toward CMMC compliance – as the foundation of CMMC is based on the NIST 800-171 requirements.

 ¹ US Department of Defense, Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019–D041), September 29, 2020, https://www.govinfo.gov/content/pkg/FR-2020-09-29/pdf/2020-21123.pdf, accessed April 2021

The Cyber Accreditation Body (AB) was formed in early 2020 and serves as the governing body around CMMC C3PAOs. The AB began accepting C3PAO applications in June 2020. On August 31, 2020, the AB kicked off its Provisional Assessor Program, which is a pilot program intended to be foundational to the official C3PAO program. We are pleased to announce that Deloitte professionals were among those selected to participate in this program. In June 2021, the AB began authorization of C3PAOs. These organizations will be permitted to assess DoD contractors who wish to obtain a CMMC.

The long-awaited final rule (32 CFR Part 170) for the CMMC program was published in the Federal Register on October 15, 2024 (effective December 16, 2024). With this publication, organizations have accelerated their timelines for CMMC compliance and shifted resources and investment to uplifting their security posture in a short amount of time.

CMMC will be implemented in four phases – with Phase 1 beginning on the effective date of the final Title 48 CFR CMMC acquisition rule which allows inclusion the CMMC requirement in a solicitation or contract¹. The DoD has indicated that it may include CMMC requirements on contracts awarded prior to 48 CFR becoming effective, however, doing so will require bilateral contract modification after negotiations ².

CMMC Implementation ³
While there have been many changes in the CMMC rollout, your obligation as a DoD contractor to secure sensitive data has not changed. Cybersecurity is a top priority for the DoD and the need to protect against cyber adversaries has never been more important given the increasing and persistent threats made by adversaries to obtain access to sensitive data. While CMMC 2.0 may permit some programs to self-attest, the need to implement the required controls to secure such data does not change. In fact, the integrity of your self-attestation becomes even more important. The government intends to utilize the civil False Claims Act to pursue contractors that do not appropriately self-attest.

We will continue to keep a close eye on the CMMC rollout and share pertinent information as it becomes available. Check back with us for additional information regarding CMMC.

1. https://dodcio.defense.gov/cmmc/About/
2. https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program
3. Image Source: https://dodcio.defense.gov/cmmc/About/

Now more than ever, information security leaders are challenged by evolving information security requirements as well as the threat of intrusion and data leakage. Contractors are ultimately responsible for addressing the risks specific to their business environments and providing adequate cybersecurity. To safeguard Controlled Unclassified Information and adhere to the incident reporting requirements, contractors are required to identify CUI and take the applicable steps to protect that information.

Common challenges associated with this requirement include:

• CUI identification and management
• Media protection and tagging
• Training, policies, and procedure development and implementation
• Supply chain/subcontractor risk mitigation