The Department of Defense (DoD), now also styled the Department of War, has issued its final rule updating the Cybersecurity Maturity Model Certification (CMMC) program through changes to the Defense Federal Acquisition Regulation Supplement (DFARS). CMMC is a DoD program that requires defense contractors and subcontractors to undergo a self-assessment, and in some cases a third-party assessment, of their cybersecurity practices to verify that they adequately safeguard sensitive unclassified information, namely Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The CMMC program has existed for several years, but to date DoD program offices have had considerable discretion over whether to include its requirements in a contract. CMMC will soon be a condition of eligibility for all DoD contractors and subcontractors that handle FCI or CUI. Companies that intend to work with DoD should begin working toward CMMC compliance now.
CMMC requirements will apply to all prime contractors and subcontractors at any tier if they process, store, or transmit FCI or CUI for DoD work. Although coverage extends to DoD contracts for the acquisition of commercial products and commercial services, commercially available off-the-shelf (COTS) items are excluded.
The prescribing clause for the existing DFARS provision (DFARS 252.204-7021, Jan 2023) gave program offices discretion over whether to impose CMMC requirements on a contractor. That discretion continues until November 9, 2028. During this period, the CMMC clauses will appear only in those DoD contracts selected by program offices. Beginning November 10, 2028, under the newly issued rule, CMMC requirements will apply to all covered DoD contracts.
For existing contracts, any option exercise requires evaluation of the contractor’s CMMC status. DoD agencies also have the discretion to add CMMC requirements when modifying an existing contract or extending the period of performance, where the agency deems that additional cybersecurity measures are necessary.
The final rule recognizes four CMMC status types across three levels (Level 2 may be met by self-assessment or by a certified third-party assessment, depending on the contract); the status required for a given contract is determined by the DoD program office.
Conditional status is allowed at Levels 2 and 3 for up to 180 days with an approved Plan of Action & Milestones (POA&M), but final certification is required to maintain the work.
Contractors must post CMMC assessment results and annual affirmations of ongoing compliance in the Supplier Performance Risk System (SPRS) for each information system used in contract performance. Contractors must also provide the CMMC unique identifier (UID) for each relevant information system to the contracting officer and update these as changes occur.
CMMC requirements must be flowed down to all subcontractors handling FCI or CUI. A subcontractor must meet the appropriate CMMC level before a prime contractor can award it a subcontract involving the processing, storing, or transmitting of FCI or CUI. A prime cannot share FCI or CUI until the subcontractor is compliant. There is no automated tool for verifying a subcontractor’s CMMC status in SPRS.
DoD estimates the new rule will eventually affect 338,000 entities (including 230,000 small businesses). The phased rollout is intended to allow time to prepare, but subcontractors should not wait. Prime contractors will increasingly ask for proof of compliance before awarding subcontracts.
The rule removes duplicative or unnecessary reporting requirements, such as notification to contracting officers of lapses in information security, relying instead on existing incident reporting under DFARS 252.204-7012.
CMMC is not an evaluation factor or set-aside requirement but is a condition of award when included in a solicitation.
We expect DoD and prime contractors to mark solicitation and contract information as FCI or CUI with increasing frequency. Although DoD estimates that 64% of CMMC requirements will require only a Level 1 assessment because only FCI is involved, based on current trends we anticipate that program offices will apply the CUI marking frequently and thereby push contractors into the Level 2 CMMC requirements. This means you may need to be CMMC Level 2-ready just to compete for new contracts, even if you do not currently handle CUI.
To that end, companies should treat CMMC as a “no certification = no contract” rule for certain (and eventually almost all) DoD work. Do not wait for your next contract bid; start mapping the systems that process, store, or transmit FCI or CUI, closing the gaps those systems have against the required level, and tracking your compliance status.