DoD Cybersecurity Maturity Model Certification requirements go into effect

What is CMMC 2.0?

This initiative introduces a new tiered cybersecurity regulatory framework for defense contractors and subcontractors. It also provides assessments DoD plans to use to verify implementation. As expected, the more sensitive the information a contractor handles, the higher the CMMC level and the stricter the security standards. Once the CMMC 2.0 rules become effective, the requirements will be implemented in a four-phase plan over a three-year period. DoD contractors handling Federal Contracting Information (FCI) and Controlled Unclassified Information (CUI) will need to meet the requirements of their corresponding CMMC level. 

CMMC levels explained:

• Level 1: For contractors handling FCI, which is information provided by or generated for the government under a government contract not intended for public release. Contractors must comply with 15 security requirements set by Federal Acquisition Regulation 52.204-21. They must complete annual self-assessments and affirmations regarding their compliance with the requirements. The affirmation is forward-looking—the contractor must attest that it “has implemented and will maintain implementation” of its applicable CMMC security requirements.
• Level 2: For contractors handling CUI. Contractors must comply with 110 requirements from NIST SP 800-171. Depending on the type of CUI that the contract involves, they may be required to perform a self-assessment or be required to secure an outside assessment from an approved Third Party Assessor Organization (C3PAO).
• Level 3: For contractors handling CUI “associated with a critical program or high value asset,” as determined by DoD. Contractors must comply with the 110 requirements from NIST SP 800-171 plus 24 additional requirements from NIST SP 800-172. They will be assessed directly by the DoD Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBAC). 

Flow-down requirements

The CMMC requirements “flow down” from contractors to subcontractors to ensure the entire defense industrial base supply chain is protected. If a contractor subject to CMMC 2.0 requirements employs subcontractors to fulfill the contract, those subcontractors must also meet certain CMMC 2.0 standards depending on the kind of FCI or CUI they process, store, or transmit. Prime contractors must require that their subcontractors comply with the flow down CMMC requirements. Thus, a framework that might seem narrow in scope, can pick up a large number of parties. 

Remediation

Some flexibility is built into the CMMC 2.0 program’s requirements. For example, select CMMC Level 2 and 3 contractors may be allowed conditional CMMC certification even when they cannot meet all the security controls. This conditional status requires the contractor to prepare a Plan of Action and Milestones (POA&M) to remediate the controls that it has not met. Failure to remediate in a 180-day window leads to the expiration of the conditional certification.

Looking ahead

Contractors and subcontractors must be diligent in their CMMC 2.0 cybersecurity implementation and assessments, whether internal or external, due to the increased risk of compliance under the new regulatory scheme. The Department of Justice recently launched its Civil Cyber-Fraud Initiative and is paying close attention to contractors’ cybersecurity practices in relation to the False Claims Act (FCA). The growing popularity of claims under this program suggests that gaps in CMMC 2.0 compliance expose DoD contractors to FCA risk, including the risk of whistleblower claims. Given the numerous and varied security and assessment requirements under CMMC 2.0, it will be essential for contractors and subcontractors to ensure their cybersecurity representations to DoD are accurate.