DoD Releases the Final CMMC Program Rule, but Some Updates Still To Come

Less than a year after initially releasing details of its proposed approach for the Cybersecurity Maturity Model Certification (CMMC) 2.0, on Oct. 15, 2024, the DoD issued its Final Rule for the program requirements that will guide the forthcoming standard. While this Final Rule will take effect on Dec. 16, 2024, it notes that it is the final version of the DoD’s Acquisition Rule for the CMMC standard, which is still at the proposed stage, that will direct the DoD to begin requiring a specific CMMC level in solicitations and contracts. However, Contracting Officers may voluntarily include CMMC requirements in contracts awarded before that Acquisition Final Rule becomes effective, as long as they do so through a bilateral modification.

While most of those requirements have remained unchanged from the details of the Proposed Rule, the Final Rule for the program clarified some details about the forthcoming standard and incorporated some revisions of note. In the first part of this two-part alert, Taft discusses the most significant of these details below:

  • Revised Implementation Timeline: The DoD still plans to roll out the CMMC over a four-phase implementation period that shall begin 60 days after publication of the final version of the DoD’s Acquisition Rule sometime in Fiscal Year 2025. However, the DoD has updated the rule to extend Phase 1 by six months, with appropriate adjustments to later phases, as shown in the DoD’s revised implementation timeline figure.
Source: https://dodcio.defense.gov/cmmc/About/

While the DoD did not identify any specific programs that will serve to pilot the CMMC standard, it has confirmed that the majority of the efforts requiring CMMC during the first phases of the implementation will allow for proof of CMMC capability by self-assessment (i.e., Level 1 and Level 2 (Self)-type requirements).

  • Scope of the CMMC Levels: The DoD has further illuminated the distinctions between each of the certification levels.

The focus of CMMC Level 1 is on protecting any assets that process, store, or transmit Federal Contract Information (FCI), so the DoD may require that level of protection even where there is no Controlled Unclassified Information (CUI) involved. CMMC Level 2 will address the protection of any assets that process, store, or transmit CUI, as well as those assets that provide security for such systems. CMMC Level 3, meanwhile, will focus on protection of those assets that either (1) process, store, or transmit CUI, or (2) can do so (even where they do not), and those assets that provide security for such systems.

Each of the various levels will carry its own requirements for both contractors and subcontractors to satisfy before any award and thereafter, as summarized in the DoD’s CMMC levels figure.

Source: https://dodcio.defense.gov/cmmc/About/

Notably, the contemplated approach leaves the DoD with the discretion to specify a CMMC Level 2 requirement in a solicitation or contract that necessitates either a self-assessment or a third-party assessment based on what the DoD deems the most appropriate.

  • Program Manager Discretion: The decision as to which CMMC Level and assessment type to require for a particular effort will fall primarily to the DoD’s program managers. To select a CMMC Level for a procurement, program managers will consider factors including, but not limited to, the following:

(1) Criticality of the associated mission capability;

(2) Type of acquisition program or technology;

(3) Threat of loss of the FCI or CUI to be shared or generated in relation to the effort;

(4) Impacts from the exploitation of information security deficiencies; and

(5) Other relevant policies and factors, including Milestone Decision Authority guidance.

Program managers will also have the discretion to decide whether to incorporate CMMC Status requirements during the implementation period, which they will do in accordance with a forthcoming DoD-wide policy.

Takeaways

The Final Rule for the CMMC Program offers a lot of additional detail on the forthcoming standard, with additional specifics on matters of compliance (e.g., waivers, disputes with assessing organizations, and requirements for service providers and subcontractors) that Taft will address in the second part of this alert, to be released shortly. For now, it is worth noting that while the implementation of DoD’s new cybersecurity standard still awaits the release of the Final Acquisition Rule, contractors should not hesitate to continue their preparations for a CMMC assessment. Getting familiar with the new requirements is the first step.
