On Aug. 15, the DoD issued another proposed rule regarding the forthcoming Cybersecurity Maturity Model Certification (CMMC) standard. As part of the release, the DoD proposed some additional verbiage for the DFARS regarding future cybersecurity obligations and offered clarifications of the requirements that it put out last December. The release also set Oct. 15, 2024 as the due date for any comments.

The rule’s highlights were split between the new, or somewhat new, additional verbiage and DoD’s clarifications of the details that it previously released. Below is a discussion of the most significant highlights:

New Verbiage

The DoD Contemplates Implementing the CMMC Over a Three-Year Period
This proposed DFARS rule will impact certain contracts during a phased-in, three-year implementation period. Based on the rule, during the first three years of the phased rollout, the CMMC requirement will be included only in certain contracts for which the CMMC Program Office directs DoD component program offices to include a CMMC requirement. However, the rule also suggests that the program office or requiring activity, along with contracting officers, will have some say in the implementation of the CMMC during this period. After three years, DoD component program offices will be required to include the CMMC requirement in all DoD solicitations and contracts, including those for the acquisition of commercial products or commercial services — except those exclusively for commercially-available-off-the-shelf (COTS) items — valued at greater than the micro-purchase threshold that involves processing, storing, or transmitting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).¹ This stretched-out implementation period will likely come as a relief to impacted contractors concerned that the certification process from a limited number of qualified CMMC Third-Party Assessment Organizations (C3PAOs) could be delayed with a bottleneck of certifications sought.

CMMC Level Qualifications Will Need To Be Shown at the Time of Award
The proposed rule includes amendments to DFARS 204.7502, Policy. These amendments will require contractors to be able to show the results of a current CMMC certificate or CMMC self-assessment in line with the requirements at the time of award for all information systems that process, store, or transmit FCI or CUI during contract performance when a CMMC level is included in the solicitation. This update ensures that the growing focus on cybersecurity compliance in recent bid protests is likely to continue. However, given the difficulty of establishing another entity’s compliance with these requirements, any challenges may be relegated to supplemental issues.

CMMC Compliance Must Be Maintained Over the Life of the Contract and Will Call for Several New Affirmations and Representations to the DoD
This proposed rule includes the following requirements for apparently successful offerors responding to a solicitation, and contractors awarded contracts, containing a requirement for CMMC:

• Post in SPRS the results of a current CMMC certificate or current CMMC self-assessment at the level required by the solicitation, or higher, for each DoD unique identifier (UID) applicable to each of the contractor information systems that will process, store, or transmit FCI or CUI and that will be used in the performance of the contract and maintain the CMMC level for the life of the contract. However, the rule added that third-party assessment organizations would post the Level 2 certificate assessment results in SPRS, and DoD assessors would do the same for Level 3 certificate assessments.
• Provide the DoD UID(s) applicable to each of those contractor information systems to the contracting officer and provide updates, if applicable; and
• Have a “senior company official” make an annual affirmation of continuous compliance with the security requirements in SPRS for each DoD UID applicable to each of those contractor information systems.

These requirements apply to apparently successful offerors with a CMMC requirement in solicitations prior to award and to contractors with a CMMC requirement in contracts prior to exercising an option.

DoD Proposes a Requirement for Reports of Any Changes to Information Systems Involved With FCI and CUI

The rule promises to require the contractor “to notify the contracting officer of any changes in the contractor information systems that process, store, or transmit FCI or CUI during contract performance and to provide the corresponding DoD UIDs for those contractor information systems to the contracting officer. The contractor is required to provide the DoD UIDS to the contracting officer so the Government can review associated CMMC certificate or CMMC self-assessment results and contractor affirmations of continued compliance in SPRS for those additional contractor information systems.” The rule does not touch on how the DoD intends to address the potentially significant volume of information that these reports would require the contracting officers to receive.

Primes Will Have To Ensure Compliance of Their Subcontractors Before Award and Reference These Requirements Even as part of Non-Subcontract Agreements

The proposed rule will require that prime contractors “ensure that its subcontractors also have the appropriate CMMC level prior to awarding a subcontract or other contractual instruments.” The rule, however, does not specify the means by which prime contractors must ensure compliance, leaving primes some discretion with respect to enforcement. Primes should consider, in negotiations with subcontractors, prioritizing CMMC representations, indemnification, and audit rights in subcontractor agreements to shield against liability exposure.

Clarifications

Primes Must Rely On Typical Methods for Verifying Subcontractor Compliance With CMMC

“There is not currently a tool established that would allow” subcontractors to share their CMMC certificates and CMMC self-assessments” with prime contractors electronically. For that reason, the DoD expects prime contractors “to work with their suppliers to conduct verifications as they would under any other clause requirement that applies to subcontractors.”

CMMC Is Not Mandatory But Could Apply in Other Transaction Agreements (OTAs)

The rule reminded contractors that the DFARS does not govern OTAs. It also added, however, that if “the program office or requiring activity identifies a need to include a CMMC requirement in an OTA, it will be included in the solicitation and resulting agreement.” This is consistent with how the DoD has viewed the applicability of other DFARS requirements to OTAs. The authors of this alert, though, would offer that the DoD is unlikely to waive the requirements of cybersecurity protections for OTA-type agreements that the DoD usually reserves for its most innovative efforts.

There Will Be No Exclusions for Foreign-Owned Contractors or Subcontractors

The DoD minced no words in its explanation of the CMMC’s applicability to foreign entities. Instead, it stated explicitly that the “proposed rule does not exempt foreign suppliers from CMMC requirements.

The CMMC’s Exclusion for COTS Items Is Narrow

The DoD offered some limited guidance as to the contracts that it would consider to qualify as “awards that are exclusively for COTS items” and, therefore, not subject to the CMMC. As such, it indicated that it will rely on the FAR 2.101 definition of a “commercially available off-the-shelf (COTS) item’’ to guide those qualification decisions, and “any awards that are exclusively for items falling within that FAR definition would be considered ‘exclusively COTS’ awards.”

In the Case of a Joint Venture (JV), the CMMC Requirements Extend to Any Entities Involved With FCI and CUI

As explained by the DoD, “[e]ach individual entity that has a requirement for CMMC would be required to comply with the requirements related to the individual entity’s information systems that process, store, or transmit FCI or CUI during contract performance.” Presumably, that means that in some cases, the JV members may even hold CMMC certifications at different levels. In other cases, both JV members will need to be certified to the highest level required by a solicitation for which the JV seeks to perform work. As usual, JVs will be wise to read any solicitations themselves closely to identify any JV-specific requirements when contemplating the submission of a proposal for a particular program.

The DoD Will Generally Wait Until the Effective Date of the Final Rule To Incorporate the CMMC in any New Solicitation, But Some Contracting Officers May Choose To Require the CMMC Earlier and Otherwise

The proposed rule promised that any related “amendments to the DFARS [] will not take effect until a final rule is issued. Therefore, the effective date of the clause [addressing the CMMC] would be [set at] the effective date specified in the final rule.” The DoD will start implementation by including the CMMC clause “in solicitations issued on or after the effective date of the final rule and any resulting contracts.” But the rule cautioned that individual contracting officers could also make “a decision to include the clause in a solicitation issued prior to the effective date of the final rule, provided that any resulting contracts are awarded on or after the effective date of the final rule. In fact, it noted “Contracting officers have the discretion to bilaterally incorporate the clause in contracts in effect prior to the effective date of the clause, with appropriate consideration.” The statement confirms that the DoD is not ruling out the possibility of some contracting officers incorporating the requirement as part of modifications or option exercises as long as the government provides some consideration for contractors in doing so.

So What Should Contractors Do Now?

Just start the process. By DoD’s own implementation timeline, there is an understanding that contractors will be coming from wildly different starting points. If an organization conducted self-assessments as part of CMMC 1.0, it has a basic scorecard to build off from. If it is starting from ground zero, it should begin with the Level 1 requirements. Each level builds off the former, so go for the low-hanging fruit. These requirements are largely rudimentary and do not require investment in large quantities of technical solutions. Once Level 1 is under control, map the organization to the categories listed in NIST 800-171 to identify gaps and aim for incremental change through Phases 1 and 2.

Start now. For thousands of contractors and subcontractors seeking certification, only a few dozen C3PAOs currently exist. Taft anticipates that bandwidth and availability for assessments will tighten quickly once the rule is finalized. In addition, the requisite controls also require reinforcement through documentation and policies. This means that in addition to prioritizing the technical side of the rules, experienced legal counsel will be needed to build and shape policies that fit an organization and can grow with cybersecurity maturity. Taft will continue to monitor developments in this area and will provide updates here and on all Taft platforms. As always, seek qualified legal counsel whenever making determinations about a company’s legal or compliance obligations. Taft’s Government Contracts practice group and Privacy and Data Security practice group stand ready to assist with a risk-based, common-sense approach to data governance needs.

 

---

¹ The CMMC Program applies the definitions of FCI from FAR 4.1901 and CUI from 32 CFR 2002.