On October 15, 2024, the Department of Defense (DoD) published the long-anticipated first part of its final rule (the Final Rule) for the Cybersecurity Maturity Model Certification (CMMC) program. After the implementation of the entire program, the CMMC program and accompanying regulations will attach a minimum cybersecurity requirement to almost all DoD contracts. The specific tiered Level of cyber security requirements for a contract will vary depending on the sensitivity of the information handled under the contract. The program will require third-party verification for contractors working with controlled unclassified information (CUI) confirming that contractors are meeting existing DoD cybersecurity standards and a self-assessment by contractors that have Federal Contract Information (FCI) showing that they are in compliance with the 15 controls in Federal Acquisition Regulation (FAR) 52.204-21.
The long-awaited Final Rule and CMMC program presents contractors with a significant new set of compliance challenges. While the extent of these new requirements may vary by contract, all DoD contractors should expect some level of increased requirements after the CMMC rollout is complete and should start taking steps toward ensuring compliance as soon as practicable.
CMMC Program Purpose and History
DoD’s stated goal for the CMMC program is to strengthen cyber security across the Defense Industrial Base by verifying that defense contractors are compliant with existing protections for FCI and CUI and are protecting that information at a level commensurate with the risk from cyber security threats.
The DoD’s release of the Final Rule was a significant step in the process of launching the CMMC program. To date, this process has garnered a fair share of negative feedback from defense contractors. The DoD’s development of the CMMC began in 2019 but was quickly stalled in 2020 after DoD received robust criticism from contractors in response to its September 2020 interim rule. Contractors generally argued that the interim rule was both too complex and not targeted at the appropriate risks. To address these criticisms, DoD released a draft Version 2.0 of CMMC in November 2021 and a proposed rule in December 2023. The Final Rule largely tracks the proposed rule and sets forth a framework of three cyber security tiered Levels that contractors must meet after the phased rollout is complete.
Phased Implementation
The Final Rule kept the same phased approach as the proposed rule but extended the timeline for implementation of each phase so that there is now a year buffer between each phase in the implementation timeline:
Phase 1
The DoD plans to finalize the second part of the CMMC rule in early 2025. Once the rule is finalized, new DoD solicitations will include CMMC Level 1 and CMMC Level 2 self-assessment requirements for all bidders.
Phase 2
One year after the start of Phase 1, DoD will require that all bidders for solicitations with Level 2 cyber security requirements obtain the appropriate third party/outside certification as a condition of award. (Approximately the start of 2026)
Phase 3
One year after the start of Phase 2, DoD will require bidders to meet Level 3 certification requirements on applicable solicitations and will require contractors to meet Level 2 certification requirements as a condition of exercising an option in already existing applicable contracts. (Approximately the start of 2027)
Phase 4
Beginning one year after the start of Phase 3, all CMMC program requirements and conditions will come into effect. (Approximately the start of 2028)
Key Takeaways and Areas of Potential Compliance Risk
As with any new compliance regime, contractors must establish new internal practices to ensure that all of the CMMC program’s requirements are met at the correct time. A few areas of potential risk (not meant to be exclusive, of course) that contractors should be aware of include:
Potential Lengthy Wait Times for Third-Party Assessments
As the date for implementing Phase 2 approaches, contractors should expect that there will be a high demand for third-party assessors, which may lead to a crunch in available resources. To avoid this risk, contractors may start the process of receiving third-party assessments as early as December 15, 2024 (the effective date of the Final Rule).
Small Business & Foreign Entity Compliance: Low Threshold for Applicability
The CMMC program requirements will apply to almost all federal contracts above the micro-purchase threshold. Both small business and foreign entities are expected to comply with the applicable requirements in the CMMC program under the same timelines as their large business and U.S. entity counterparts. Contractors in these categories should not expect a compliance carve out and should begin preparing for implementation.
Accelerated Adoption
The Final Rule provides DoD with the option to accelerate the requirement that third-party assessments be in place for certain contractors as soon as mid-2025. Contractors that handle highly sensitive information should be prepared to comply with this potentially accelerated timeline.
Next Steps
Now that the Final Rule is published, contractors can start looking ahead and working on CMMC self-assessments and third-party assessment requirements. While the above provides a brief overview of what contractors should expect moving forward, the Final Rule is 470 pages and sets forth a comprehensive and complex compliance program. Contractors should not wait until the last moment before preparing for the coming changes.