CMMC Proposed Rule Is Finally Here! 

On December 26th, 2023, the much-awaited proposed rule for the CMMC program was published on the Federal Register. The proposed rule establishes the requirements for a “comprehensive and scalable assessment mechanism” to ensure that members of the DoD supply chain implement various required security measures to protect FCI and CUI. When finalized, it will implement the CMMC 2.0 program. Presently, contractors and subcontractors handling CUI must implement security measures specified in NIST SP 800-171Rev. 2. However, there hasn’t been a clear framework to check whether these requirements have been fully implemented. The CMMC proposed rule seeks to establish this framework, ensuring that the contractor or subcontractor has fully implemented the required security requirements before a contract is awarded. Compliance with the requirements of the rule will be assessed by third-party assessors accredited and certified by the DoD and in some instances, self-assessments will be allowed.   

Origins of the CMMC Program

CMMC was first announced by the Department of Defense in 2019. However, there was a lot of pushback, mainly because of cost concerns for SMBs. The DoD had to review the proposed program, culminating in a considerably revamped CMMC 2.0 released on November 4th, 2021. The new program scaled back on some certification requirements for contractors and subcontractors handling less sensitive data. It also reduced the maturity levels from 5 to 3.   The public can now comment on the CMMC proposed rule until the lapse of 60 days from the date of publishing. The requirements in the proposed rule will come into effect after DoD finalizes it, after the lapse of the public comment period.  

READ MORE: What are the Main Changes in CMMC 2.0? 

CMMC Model Overview

The CMMC proposed rule maintains the three-tiered model introduced in CMMC 2.0. Level 1 includes the 15 requirements of FAR 52.204-21(b)(1) and will apply to contractor and subcontractor information systems that process, store, or transmit FCI. CMMC 2.0 Level 2 includes all security requirements in NIST SP 800-171 Rev. 2 and will apply to contractors and subcontractors that deal with CUI. Finally, contractors that deal with high-value CUI are expected to complete a Certification Assessment by DIBCAC on the 24 selected items listed in TABLE 1 TO § 170.14(c)(4) of the proposed rule. They also must have fully met the requirements of CMMC Level 2. The DoD will determine the applicable CMMC maturity level for each procurement.  

CMMC Assessments

Depending on the sensitivity or criticality of the data, the contractor may conduct Self- or third-party assessments. Under the CMMC proposed rule, all CMMC Level 1 assessments will be self-assessments requiring contractors to verify their compliance with CMMC security requirements. For CMMC Level 2, the contractor may use a Certification Assessment or a Self-Assessment. C3PAOs will conduct certification assessments, where if a Final Certification Assessment is granted, it will have a validity of three years. For CMMC Level 2, affirmations are required annually and immediately after assessment. At Level 3, Certification Assessments will be required and conducted by the DCMA DIBCAC. Final Certification Assessments in CMMC Level 3 also have a validity of 3 years, and annual affirmations are also needed. Assessment scores must be submitted to the DoD’s SPRS prior to a contract award.   

Phased Implementation

The CMMC proposed rule outlines a structured four-phase implementation plan (32 CFR § 170.3) for incorporating CMMC program requirements into DoD solicitations and contracts. This aims to “address ramp-up issues, provide time to train the necessary number of assessors, and allow companies the time to understand and implement CMMC requirements.” Phase 1, starting from the CMMC rule’s effective date (the effective date of the CMMC revision to DFARS 252.204-7021), mandates CMMC Level 1 or Level 2 self-assessments as a condition for award in relevant solicitations and contracts. Phase 2, commencing six months later, integrates CMMC Level 2 certification assessments. Phase 3, which starts a year after Phase 2 commences, introduces CMMC Level 3 certification requirements. The inclusion of CMMC requirements as conditions for contract award is at the discretion of DoD Program Managers until Phase 4’s full implementation. From October 1st, 2026, DoD plans to include CMMC requirements in all applicable solicitations. Although there currently are no such plans, the DoD may consider extending the implementation period or other solutions to mitigate C3PAO capacity issues in the future.  

READ MORE: Phased Implementation of CMMC Program requirements 

Plan of Action and Milestones (POA&M)

While CMMC certification won’t be required when submitting proposals, defense contractors and subcontractors must be certified at an appropriate maturity level to be eligible for an award. This is, of course, unless a waiver is granted. The contractors may use POA&Ms to address some requirements scored as “NOT MET” during a CMMC assessment. However, POA&Ms will be limited and only permitted for CMMC Levels 2 and 3 and must meet the requirements in 32 CFR § 170.21. Additionally, they must be closed out within 180 days of the initial assessment. However, where POA&M exists and meets the aforementioned requirements, a contractor or subcontractor will be granted Conditional Assessment. Failure to close out the POA&M in 180 days will result in revocation of the certification assessment.   

Affirmations in The CMMC Proposed Rule

The CMMC proposed rule requires an annual affirmation of compliance from contractors and subcontractors with the mandated security requirements. At CMMC Levels 2 and 3, contractors must additionally confirm compliance after each CMMC assessment, (whether a Self- or Certification Assessment) and after closing out the POA&M, if any. These affirmations, like Self-Assessment scores, will be electronically submitted through SPRS. It is crucial for contractors to thoroughly validate their CMMC compliance status before making affirmations. Submitting affirmations that misrepresent a contractor or subcontractor’s CMMC compliance status may be considered false. This may result in fines or damages under the False Claims Act and other procurement consequences like debarment and contract termination.  

Key Takeaways

The CMMC proposed rule covers various important topics such as the CMMC scoping, security requirements, POA&M requirements, scoring methodology, assessment appeals, requirements for Cloud service providers (CSPs) and external service providers (ESPs), and subcontract flow-downs. However, it fails to address certain issues like inconsistent CUI marking. Ultimately, the proposed rule is a clear reminder that cybersecurity requirements are and will remain a must for most companies engaging with the DoD. Time to implement the various CMMC security requirements is running down. If you are planning to apply for DoD contracts in the near future, start taking steps to attain CMMC compliance as early as now.  

At Cleared Systems, we specialize in helping companies like yours achieve compliance. We’ll help you scope your environment, conduct a gap analysis, remediate any gaps found, and help you prepare an SSP. By the time we are done, you will be prepared for an upcoming CMMC Certification assessment. Contact us today for CMMC compliance consulting and other CMMC related services.  

Share in Social Media

case studies

See More Case Studies

microsoft 365 GCC High

What is GCC High? For ITAR & CMMC 2.0

Microsoft 365 Government Community Cloud (GCC) High is a specialized cloud solution tailored for U.S. federal, state, local, tribal, and territorial government organizations, as well as for contractors who hold or process data subject to specific security regulations. In this article, we will explore the features, benefits, and differences between Microsoft 365 GCC High and other Office 365 offerings.

Learn more
Contact us

Partner with Us for Compliance & Protection

We’re happy to answer any questions you may have and help you determine which of our services best fit your needs.

Your benefits:
What happens next?
1

Schedule an initial meeting

2

Arrange a discovery and assessment call

3

Tailor a proposal and solution

How can we help you?