In an earlier alert, Taft discussed some of the higher-level details of the DoD’s Oct. 15, 2024, Final Rule for the program requirements of the forthcoming Cybersecurity Maturity Model Certification (CMMC). Below are a few more specifics on what contractors that will be seeking the CMMC can expect in the new standard:

• Record-Keeping Requirements: Though the Rule is clear that Contracting Officers do not have to review anything used as evidence for a CMMC assessment and must instead focus only on the resulting scores and certificate validity period, contractors receiving a certification must retain such “artifacts” for the duration of the validity period of the certificate of assessment, and at minimum, for six years from the date of certification assessment. The Rule expanded this requirement to apply even to Level 1 and Level 2-type self-assessments. It also stated that it is up to the certified entity to determine the best way to ensure artifact availability during the six-year retention period before notably adding that it incorporated the requirement for such a six-year retention period based on input from the Department of Justice (DoJ).

In light of that clarification, it is worth pointing out that the statute of limitations for any False Claims Act (FCA) violations, such as those pursued by the DoJ’s Civil Cyber-Fraud Initiative in the matters of cybersecurity related misrepresentations by government contractors and grant recipients, is six years from the date of the violation.

• POA&MS: The CMMC Program will allow contractors to delay satisfying some requirements for a certification at CMMC Level 2 or above that contractors cannot immediately meet with a Plan of Action & Milestones (POA&MS), which is effectively a corrective action plan. However, even where allowed, any delayed capabilities have to be met and closed out by a POA&M closeout assessment within 180 days of any initial assessment for a final certification. If the contractor cannot meet that 180-day due date, then any conditional CMMC certification that the contractor received in the meantime will expire, and the government’s standard contractual remedies (e.g., terminations) will extend to the entity.
• Waiver Process: The DoD internal policies, procedures, and approval requirements will govern the process for the DoD to waive the inclusion of the CMMC requirement in the solicitation. Once applicable to a solicitation, there is no process for offerors to seek waivers of CMMC requirements from the DoD.
• Subcontractors: Prime contractors will have to flow-down CMMC requirements to any subcontractors that will process, store, or transmit FCI or CUI and ensure that they are not disseminating FCI and CUI to subcontractors that do not meet those requirements. Their subcontractors must do the same with any lower-tier contractors that may require access to FCI or CUI. Subcontractors at each tier, however, will remain responsible for submitting their own assessment and affirmation information in SPRS. Therefore, the DoD noted its expectation that defense contractors will share information about their CMMC status, assessment scores, or certificates with other entities to facilitate effective teaming arrangements when bidding for DoD contracts.

• External Service Providers: The final version of the CMMC Program Rule reduced the burdens of the forthcoming standard for External Service Providers (ESPs). Among other things, the DoD confirmed that only ESPs that process, store, or transmit CUI require CMMC assessment or certification. As another example, the DoD has clarified that any ESP that is used for on-site staff augmentation only – e.g., where the contractor still provides all processes, technology, and facilities – will not have to get a CMMC assessment. The DoD will also not consider service providers who only need temporary access to perform services (e.g., penetration testing, cyber incident response, or forensic analysis) to be ESPs for the purposes of the CMMC Program.
• Cloud Service Providers Must be FedRAMP Compliant: The DoD has updated the CMMC Program to ensure that the only requirements that CMMC imposes for the use of Cloud Service Providers (CSPs) are those already addressed in the DFARS 204-7012 clause. When a CSP is used, it must meet the requirements of the FedRAMP moderate baseline or its equivalent as defined in the DoD policy.
• Forthcoming Shift to NIST SP 800-171 Revision 3: As explained in both the Program Rule, and associated guidance, the DoD relied on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2 to establish the current set of requirements in the CMMC Model. However, the DoD expects to update the CMMC Model to the standards defined in NIST SP 800-171 Revision 3 in the future following a separate rulemaking.
• Disputes Process: Any assessing organization that can certify an entity as CMMC-compliant (e.g., a CMMC Third-Party Assessor Organization or C3PAO) must allow for a process by which a contractor seeking certification can dispute its assessment decision with that certifying entity’s staff. The procedure for those disputes will vary depending on the C3PAO and should be considered both in any contractor’s selection of a C3PAO and during its negotiation process with that C3PAO. Contractors will be able to appeal the eventual decision of its dispute with the assessing organization to the CMMC Accreditation Body, which is the entity that the DoD has selected to oversee and implement the program.
• Supplemental Guidance: The DoD has released extensive guidance to assist entities in understanding the CMMC Program and the assessment process and scope for each CMMC level. These guidance documents are available on the DoD CMMC website and on the DoD Open Government website.

Takeaways.

As discussed in the first part of Taft’s alert, contractors should not wait until the release of the Final Acquisition Rule for the CMMC standard to continue their preparations for a CMMC assessment. In fact, as the recently released Program Rule notes, nothing precludes entities from completing their CMMC assessments prior to the release of that forthcoming Acquisition Rule. At the very least, though, contractors should (1) continue working with their technical teams to get their systems in the state necessary to obtain those certifications whenever the Acquisition Rule is out and (2) carefully negotiate their agreements with any subcontractors, external service providers, and assessing organizations (i.e., C3PAOs) to allow them the rights necessary to most effectively address any forthcoming CMMC requirements.