What Federal Contractors Need to Know About CMMC

What is CMMC 2.0?

The purpose of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program is to verify that contractors with the Department of Defense (DoD) are meeting their obligations to protect controlled unclassified information (CUI) by meeting standardized cybersecurity requirements. These requirements vary depending on the level of CMMC 2.0 certification required. The program has three tiers with escalating security requirements. DoD request for proposals (RFPs) will include a clause identifying the CMMC level required for a contractor (and its subcontractors) to receive an award.

Verification will take place by self-assessment or third-party assessment depending on the CMMC level requirement. Except for some newly introduced cybersecurity requirements in Level 3, DoD contractors should already be meeting CMMC 2.0’s security requirements when handling controlled unclassified information.

Note: The following information is based on the CMMC proposed rule published 12/26/2023 and the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) proposed rule published 8/15/2024. The content in both proposed rules is subject to change in the final rule.

What are the requirements for each of the three proposed tiers?

• Level 1: Contractors and applicable subcontractors must complete an annual self-assessment to verify their compliance with the 15 security requirements specified in Federal Acquisition Regulation (FAR) clause 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems.” A senior official from each contractor and applicable subcontractors must annually affirm compliance via the Supplier Performance Risk System (SPRS).
• Level 2: Contractors and applicable subcontractors must implement the 110 security requirements specified by DFARS clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” which are based on the National Institute of Standards and Technology (NIST) standard for protecting controlled unclassified information, NIST SP 800-171 Rev. 3.
  • Level 2 comes in two versions: self-assessment and third-party certification (depending on whether the acquisition involves information critical to national security).
  • Contractors and subcontractors that perform a self-assessment will be required to do so every three years and will affirm continuous compliance annually.
  • Level 2 contractors and subcontractors that must be assessed by a third party must be certified by a third-party assessment organization (C3PAO) every three years and affirm continuous compliance annually.
• Level 3: Contractors must meet all Level 2 requirements as well as 24 select NIST SP 800–172 security requirements. Level 3 contractors must pass an assessment every three years by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) in addition to Level 2 reporting requirements.

What contracts will CMMC 2.0 apply to?

CMMC 2.0 requirements will be incorporated into DoD contracts above the micro-purchase threshold (MPT) where the contractor provides information systems that “process, store, or transmit” federal contract information (FCI) or controlled unclassified information (CUI). Contracts exclusively for commercially available off-the-shelf (COTS) items are exempt from CMMC requirements. There is no exception for FAR Part 12 commercial product or commercial service contracts.

Who will be required to undergo a CMMC 2.0 self-assessment or third-party certification?

Again, the requirement to meet a certain CMMC level certification will be incorporated into DoD contracts where the contractor or subcontractor will process, store, or transmit federal contract information (FCI) or controlled unclassified information (CUI) on unclassified contractor information systems:

• Federal regulation defines FCI as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.”
• Contracts where the contractor must handle FCI will require the contractor to meet Level 1 requirements and thus self-assessment.
• CUI is defined as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
• Level 2 or 3 requirements will apply to contracts where the contractor must handle CUI. The exact level required depends on the CUI’s sensitivity[AW1][GW2][GW3] *. Handling less sensitive CUI may only require a self-assessment as part of compliance with CMMC Level 2. For more sensitive CUI, third-party assessment by a C3PAO will be additionally required for level 2 compliance.
  • * According to the 32 CFR CMMC Proposed Rule, Program managers determine the appropriate CMMC level based on the following five factors:
    • Criticality of the associated mission capability.
    • Type of acquisition program or technology.
    • Threat of loss of the FCI or CUI to be shared or generated in relation to the effort.
    • Potential for and impacts from exploitation of information security deficiencies.
    • Other relevant policies and factors, including Milestone Decision Authority guidance.
• Level 3 requirements, reserved for contracts handling the most sensitive CUI, include self-assessment, assessment by a C3PAO, and a DIBCAC assessment.

Does CMMC 2.0 flow down to subcontractors?

Yes—generally speaking, subcontracts will be subject to a CMMC 2.0 level that matches the sensitivity of the information they will handle in the performance of the subcontract. Prime contractors must ensure that their subcontractors have a current CMMC certificate or self-assessment at the required CMMC level appropriate to the information that is flowed down to the subcontractor.

What is the timeline for the rollout of CMMC 2.0?

The CMMC 2.0 implementation timeline will not be available until the CMMC program final rule is published. In its proposed rule, DoD projected the following general two-and-a-half-year, four-phase rollout:

• Phase 1: Will begin on the effective date of the final rule. At this time, CMMC Level 1 and 2 self-assessments will be a condition of award for those contracts that include a CMMC level requirement. Contracts may require Level 2 certification at DoD’s discretion.
• Phase 2: Six months later, DoD will start adding Level 2 certification requirements to applicable contracts. Level 3 certification requirements will be incorporated into applicable contracts at DOD’s discretion.
• Phase 3: One year after phase 2, DoD will extend Level 2 certification requirements to existing contracts, and Level 3 certification will be required on applicable contracts.
• Phase 4: Starting one year after Phase 3, CMMC will apply to all DoD contracts above the MPT where a contractor handles FCI or CUI (except for purely COTS contracts).*

*Applicable contracts that are not awarded or extended during the phased implementation will incorporate CMMC 2.0 requirements upon their award/extension

---

CMMC Law and Regulations:

• 32 CFR Part 170 – CMMC Program Proposed Rule on the Federal Register
• 48 CFR Parts 204, 212, 217, and 252 – Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) on the Federal Register
• Executive Order 13556 — Controlled Unclassified Information
• FAR Clause 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
• NIST SP 800-171 Rev. 3 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • DFARS Clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
  • DFARS Clause 252.204-7019 Notice of NISTSP 800-171 DoD Assessment Requirements
  • DFARS Clause 252.204-7020 NIST SP 800-171DoD Assessment Requirements
  • DFARS Clause 252.204-7021 Cybersecurity Maturity Model Certification Requirements

---

Member Resources:

Rogers Joseph O’Donnell

• Overview & Analysis of DoD’s CMMC Proposed Rule (12/26/23)

Perkins Coie

• DoD Issues Proposed CMMC Rule Requiring Cybersecurity Assessments of Contractors (01/04/24)

Blank Rome

• The Department of Defense Releases Proposed CMMC Rule (12/22/23)
• The Department of Defense Issues Proposed Timeline for CMMC Implementation (01/04/24)
• Understanding the Basics of CMMC Level 1 (01/09/24)
• Understanding the Basics of CMMC Level 2 (01/16/24)
• Understanding the Basics of CMMC Level 3 (01/23/24)

Morris Manning & Martin

• Ringing In The New Year With The Codification Of CMMC 2.0 (01/04/24)
• Not Up for Debate: CMMC 2.0 Gains Additional Traction (07/01/2024)

Holland & Knight

• Department of Defense Releases Long-Awaited CMMC Proposed Rule (12/27/23)
• The Proposed CMMC Rule Is Here: What It Means for Your Organization (01/04/2024)

Mayer Brown

• US DoD Proposes Final Rule for Cybersecurity Maturity Model Certification (CMMC) (01/18/24)

Arnold & Porter

• Department of Defense Issues CMMC 2.0 Proposed Rule (01/05/2024)
• Breaking Down the CMMC Proposed Rule | Podcast (01/16/2024)

Covington

• DoD Issues Proposed Rule Implementing CMMC (01/11/2024)

Crowell & Moring

• DoD’s New Year Resolution: A Cybersecurity Maturity Model Certification Program (CMMC) Proposed Rule (12/27/2023)
• This is Just a Test: Advising Your Client on Real-World Cybersecurity Questions Using Fictional Scenarios Connected to the Department of Defense’s Proposed Cybersecurity Maturity Model Program (07/31/24)
• The Impact Of The Cybersecurity Maturity Model Certification On The Defense Industrial Base (05/01/2024)