
What Federal Contractors Need to Know About CMMC

What is CMMC 2.0?

The purpose of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program is to verify that contractors with the Department of Defense (DoD) are meeting their obligations to protect controlled unclassified information (CUI) by meeting standardized cybersecurity requirements. These requirements vary depending on the level of CMMC 2.0 certification required. The program has three tiers with escalating security requirements. DoD requests for proposals (RFPs) will include a clause identifying the CMMC level required for a contractor (and its subcontractors) to receive an award.

Verification will take place by self-assessment or third-party assessment depending on the CMMC level requirement. Except for some newly introduced cybersecurity requirements in Level 3, DoD contractors should already be meeting CMMC 2.0’s security requirements when handling controlled unclassified information.

Note: The following information is based on the CMMC Program Final rule published 10/15/2023 and the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) proposed rule published 8/15/2024. The content in the proposed rule is subject to change in the final rule.

What are the requirements for each of the three proposed tiers?

  • Level 1: Contractors and applicable subcontractors must complete an annual self-assessment to verify their compliance with the 15 security requirements specified in Federal Acquisition Regulation (FAR) clause 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems.” A senior official from each contractor and applicable subcontractors must annually affirm compliance via the Supplier Performance Risk System (SPRS).
  • Level 2: Contractors and applicable subcontractors must implement the 110 security requirements specified by DFARS clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” which are based on the National Institute of Standards and Technology (NIST) standard for protecting controlled unclassified information, NIST SP 800-171 Rev. 2. Assessment procedures for compliance with NIST SP 800-171 Rev. 2 are found in NIST SP 800-171A.
    • Level 2 comes in two versions: self-assessment and third-party certification (depending on whether the acquisition involves information critical to national security). Contractors and subcontractors that perform a self-assessment will be required to do so every three years and will affirm continuous compliance annually.
    • Level 2 contractors and subcontractors that must be assessed by a third party must be certified by a third-party assessment organization (C3PAO) every three years and affirm continuous compliance annually.
  • Level 3: Contractors must meet all Level 2 requirements as well as 24 select NIST SP 800-172 security requirements. Level 3 contractors must pass an assessment every three years by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) in addition to Level 2 reporting requirements. The assessment procedures for NIST SP 800-172 are found in NIST SP 800-172A.

What contracts will CMMC 2.0 apply to?

CMMC 2.0 requirements will be incorporated into DoD contracts above the micro-purchase threshold (MPT) where the contractor provides information systems that “process, store, or transmit” federal contract information (FCI) or controlled unclassified information (CUI). Contracts exclusively for commercially available off-the-shelf (COTS) items are exempt from CMMC requirements. There is no exception for FAR Part 12 commercial product or commercial service contracts.

Who will be required to undergo a CMMC 2.0 self-assessment or third-party certification?

According to a DoD Guidance Memorandum on the implementation of CMMC, the following CMMC levels will be required of contractors based on the sensitivity of data that the contractor will “process, share, or transmit” under a DoD solicitation:

  • Level 1 Self-assessment: Required “if the planned contract, task order, or delivery order may require the contractor (or subcontractors at any tier) to process, store, or transmit only Federal Contract Information (FCI) in its information system.”
  • Level 2 Assessment: Required “if the planned contract will require the contractor (or subcontractors) to process, store, or transmit Controlled Unclassified Information (CUI) on a contractor-owned information system, compliance must be assessed against NIST SP 800-171 requirements.”
  • Level 3 Certification: Required by the Defense Contract Management Agency (DCMA) for the following:
    • CUI associated with a breakthrough, unique, and/or advanced technology;
    • A significant aggregation or compilation of CUI in a single information system or IT environment; and
    • “Ubiquity – when an attack on a single information system or IT environment would result in widespread vulnerability across DoD.”

Does CMMC 2.0 flow down to subcontractors?

Yes—generally speaking, subcontracts will be subject to a CMMC 2.0 level that matches the sensitivity of the information they will handle in the performance of the subcontract. Prime contractors must ensure that their subcontractors have a current CMMC certificate or self-assessment at the required CMMC level appropriate to the information that is flowed down to the subcontractor.

What is the timeline for the rollout of CMMC 2.0?

CMMC 2.0 will be implemented in a three-phase approach over three years. Each phase will last one year. Phase one begins upon the finalization of Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041).

  • Phase 1: Upon the above rule’s finalization, CMMC Level 1 and 2 self-assessments will be a condition of award for new contracts that include a CMMC level requirement. A limited number of contracts may require Level 2 C3PAO assessments at DoD’s discretion.
  • Phase 2: One year later, DoD will start adding Level 2 certification requirements to applicable contracts. Level 3 certification requirements will be incorporated into a limited number of applicable contracts at DoD’s discretion.
  • Phase 3: One year after phase 2, DoD will extend Level 2 certification requirements to existing contracts, and Level 3 certification will be required on applicable contracts. DoD can begin to include Level 2 C3PAO assessment requirements in options to exercise active DoD contracts.
  • Phase 4: Starting one year after Phase 3, CMMC will apply to all DoD contracts above the MPT where a contractor handles FCI or CUI (except for purely COTS contracts). This will include options to exercise active contracts.*

*Applicable contracts that are not awarded or extended during the phased implementation will incorporate CMMC 2.0 requirements upon their award/extension.


CMMC Law and Regulations:


Member Resources:

Rogers Joseph O’Donnell

Perkins Coie

Blank Rome

Morris Manning & Martin

Holland & Knight

Mayer Brown

Arnold & Porter

Covington

Crowell & Moring
