CMMC is coming. Are you ready? Certified Third-Party Assessment Organizations (C3PAOs) will begin conducting official assessments on December 16, 2024.
The CMMC rule under Title 32 of the CFR (32 CFR Part 170) has been published, and CMMC Level 2 certification assessments by C3PAOs should be available starting December 16, 2024. The final rule’s Stage 1 allows the DoD to expedite adoption, potentially requiring third-party assessments by C3PAOs during this initial phase. This means that CMMC could become a requirement in prime contracts as early as the issuance of the DFARS rule, anticipated in the first half of 2025. While widespread early adoption is not expected, contractors handling highly sensitive information should be ready for a faster compliance timeline. Additionally, prime contractors might push for earlier compliance within their supply chains, putting subcontractors at a disadvantage if their competitors have already completed a C3PAO assessment.
- Implementation Phases: The DoD’s rule outlines a four-stage rollout. Stage 1, effective on the date of the Part 48 (DFARS) rule, mandates Level 1 and Level 2 self-assessments as a prerequisite for awards. Stage 2, now set to begin one year after Stage 1 (instead of the initially proposed six months), will require contractors handling Controlled Unclassified Information (CUI) to undergo third-party assessments as a condition for award. These assessments will be carried out by Certified Third-Party Assessment Organizations (C3PAOs).
- Assessment Start Date: C3PAOs will begin conducting official assessments on December 16, 2024. Both prime contractors and subcontractors should schedule their assessments as early as possible to avoid delays caused by a shortage of available assessors. Early scheduling should also include any preliminary readiness evaluations (such as a gap assessment) ahead of the formal assessment. By securing a slot early, contractors gain time to prepare and to remediate any issues the readiness evaluation uncovers.
- DoD Continues to Use Revision 2 of NIST SP 800-171: Although Revision 3 has been released, the Department of Defense (DoD) will continue using Revision 2 of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 for CMMC. Revision 3 introduces several changes: while it contains fewer overall requirements, it includes more detailed assessment objectives, and it adds supply chain risk management requirements that were not addressed in the previous version. These new requirements are designed to address emerging threats and vulnerabilities within the supply chain. The DoD clarified that adoption of Revision 3 will be addressed in future rulemaking, both for the CMMC framework and for Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which mandates the safeguarding of covered defense information.
- Level 1 self-assessments are not required for Level 2 environments: Contractors who have completed a Level 2 self-assessment or a C3PAO certification assessment are exempt from conducting a separate Level 1 self-assessment, provided the scope of the Level 2 assessment encompasses all the security requirements that a Level 1 self-assessment would evaluate. In other words, when the higher-level assessment already covers the same systems and requirements, there is no need to duplicate the effort with the lower-level assessment.
- Mandatory Annual Affirmations: Any company that has completed a third-party or self-assessment, regardless of level, must submit annual affirmations from an Affirming Official, who according to the DoD is “responsible for ensuring the company’s compliance with the CMMC Program requirements and has the authority to affirm the company’s ongoing compliance with the specified security requirements for their respective organizations” (32 CFR 170.4(b)). These affirmations are required every year for all certification levels.
- POA&Ms Usage: Contractors seeking a Level 2 or Level 3 assessment can use Plans of Action & Milestones (POA&Ms) to obtain a conditional certification, provided they already meet at least 80% of the required controls. The rule limits which controls may be placed on a POA&M; the deferred controls must be implemented, verified by the C3PAO (or by the DoD for Level 3), and reported to the DoD within 180 days, or the conditional certification lapses.
- Mergers and Acquisitions: Significant organizational changes, such as mergers, acquisitions, or expansions of networks, may necessitate a new assessment. If the system being affirmed has changed, the company’s Affirming Official should refrain from filing an annual affirmation and instead pursue a new assessment, regardless of the level of the previous assessment. According to the DoD’s explanation, “a new CMMC assessment may be required if significant architectural or boundary changes are made to the previous Assessment Scope.”
- Small Business Requirements: Small businesses are expected to comply with CMMC, and the DoD has addressed cost concerns directly. Throughout this rulemaking the DoD responded to issues raised by the U.S. Small Business Administration’s Chief Counsel for Advocacy, particularly the cost implications of CMMC for small businesses. The DoD maintains that the certification costs themselves are relatively low, and clarified that its cost estimates do not include the engineering costs of implementing the required security controls, because those controls were already mandated under existing regulations (DFARS 252.204-7012). The DoD also pointed out that foreign actors have targeted, and will continue to target, small businesses that possess valuable information, especially Controlled Unclassified Information (CUI).
- Foreign Compliance: The DoD requires foreign companies to comply with the CMMC standards on the same schedule as US businesses. According to the DoD, the CMMC program does not allow partial exemptions for foreign contractors. The requirements apply equally to domestic and international prime contractors and extend to subcontractors throughout the supply chain, irrespective of location. The DoD’s sole concern is whether the company handles information that needs protection.
- Assessment Appeals Process: If an organization disagrees with a C3PAO’s assessment findings, it has few avenues for appeal. The disagreement can be significant, since it may prevent the organization from obtaining the certification needed to fulfill certain contracts. The first step is to appeal the assessor’s determination within the C3PAO itself. If that internal appeal is unsuccessful, the organization can escalate to the Accreditation Body, which oversees the C3PAOs. There is no provision for appealing these decisions to the DoD or any other governmental body, so the Accreditation Body’s decision is the final administrative recourse. Whether judicial review is available remains uncertain: the Accreditation Body is a private nonprofit entity, and it is unclear whether the courts would have jurisdiction over such appeals.
BONUS: Despite considerable progress in the rulemaking process, some questions remain unanswered. The recent rulemaking has addressed many of the questions that the Defense Industrial Base (DIB) has raised over the past few years, but several issues are still unresolved. For example, it is still unclear how CMMC will apply when a DoD agency places orders through governmentwide contracts, such as those under the General Services Administration’s (GSA) schedule program.
CONCLUSION: Although the final rulemaking provides detailed timelines, it remains uncertain when specific contract opportunities will transition to the CMMC program. The DoD has explicitly stated that there will be no pathfinder program this time, meaning there will be no pilot projects to test the implementation of CMMC before it is fully rolled out.
These unresolved questions highlight the complexity of the CMMC program and its far-reaching implications for the DIB, including subcontractors and suppliers deep within the supply chain. Given these complexities, it is crucial for companies involved in the DOD supply chain to act promptly and ensure they achieve the necessary certifications without delay.