On October 15, 2024, the Department of Defense (“DoD”) published the final rule of the Cybersecurity Maturity Model Certification (“CMMC”) requirements in Title 32 of the Code of Federal Regulations, effective December 16, 2024. The Final Rule updates DoD national security regulations to ensure contractors have implemented cyber security measures to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC will become contractually required once the Defense Federal Acquisition Regulation Supplement (“DFARS”) clause is finalized, which has not yet happened (see our article, “DoD Issues CMMC Proposed Rule – Submit your comments by October 15, 2024”). We will refer to this DFARS clause throughout this blog as the DFARS CMMC Clause Final Rule.
The Key Features of CMMC Include:
- Tiered Model with three levels depending on the type of information processed through a contractor’s systems;
- Assessment Requirements; and
- Phased implementation over a 4-year period.
How Will I Know What Level I Will Have to Comply With?
Each solicitation will state the level of CMMC required based on the kind of information to be handled and the type of work to be performed. There has been no specific DoD guidance issued as to how DoD contracting officers will be making this determination.
Since the CMMC requirement applies to information systems that process, store, or transmit FCI or CUI, offerors and subcontractors participating in a Joint Venture will need to ensure they are compliant. Companies involved in mergers and acquisitions can also trigger a new or updated CMMC assessment. The final rule does not address the timing of certifications when there is a merger or acquisition, even though certification is not a quick process.
What are the CMMC Requirements/Levels?
There are three levels related to cyber security controls for FCI and CUI:
Level 1 – Self-Assessment – required for contractors to secure FCI.
Contractors must:
- Meet all 15 security requirements outlined in FAR 52.204-21(b)(1)(i) through (xv) – no exceptions;
- Perform a documented self-assessment;
- Upload the assessment to the Supplier Performance Risk System (SPRS); and
- Update/affirm the assessment annually.
Level 2 – Self-Assessment – required for contractors to secure CUI.
Contractors must:
- Meet all 15 security requirements outlined in FAR 52.204-21(b)(1)(i) through (xv) – no exceptions;
- Meet all 110 requirements in NIST SP 800-171;
- Perform a documented self-assessment;
- Upload the assessment to SPRS;
- Conduct full self-assessment every 3 years; and
- Upload an annual contractor affirmation in SPRS.
Level 2 – Certified 3rd Party Assessor Organization (C3PAO) Assessment – required for contractors to secure CUI.
Contractors must:
- Meet all 15 security requirements outlined in FAR 52.204-21(b)(1)(i) through (xv) – no exceptions;
- Meet all 110 requirements in NIST SP 800-171;
- Obtain a C3PAO assessment (Contractors can choose from an authorized list);
- Have the results entered into CMMC Enterprise Mission Assurance Support Service (eMASS);
- Conduct a C3PAO assessment every 3 years; and
- Upload an annual contractor affirmation in SPRS.
Level 3 – Certified 3rd Party Assessor Organization (C3PAO) Assessment – required for contractors to secure CUI.
Contractors must:
- Meet all 15 security requirements outlined in FAR 52.204-21(b)(1)(i) through (xv) – no exceptions;
- Meet all 110 requirements in NIST SP 800-171;
- Meet 24 select requirements in NIST SP 800-172;
- Have a Final Level 2 C3PAO assessment in place;
- Have the Level 3 assessment conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC);
- Have the results entered into CMMC eMASS;
- Conduct a C3PAO and DIBCAC assessment every 3 years; and
- Upload an annual contractor affirmation of Level 2 and Level 3 into SPRS.
The Level 3 requirements are not clear, but we think this means you must get the C3PAO Level 2 updated every three years and a DIBCAC Level 3 certification every three years. In addition, the annual affirmation must be made by a senior-level contractor representative responsible for ensuring compliance with the CMMC Program requirements.
What is the Phase-in Period?
The effective date of the implementation of the CMMC Program will be addressed in the DFARS CMMC Clause Final Rule. CMMC will be phased in incrementally to allow the C3PAO assessors to be trained and to give contractors time to understand and implement the CMMC requirements. The phases are as follows:
- Phase 1 – Level 1 and Level 2 self-assessments will be included in solicitations upon finalization of the DFARS CMMC Clause Final Rule.
- Phase 2 – 12 months after Phase 1 begins.
- Phase 3 – 24 months after Phase 1 begins.
- Phase 4 – all solicitations and contracts will include appropriate CMMC-level requirements.
Will the Contractor Have Time to Correct Issues Found During the Assessment?
The 15 requirements outlined in FAR 52.204-21(b)(1) must be in operation for all Levels and assessments. No grace period will be provided to allow for contract award. So, for a Level 1 self-assessment, it is all or nothing.
For all requirements beyond the 15 requirements outlined in FAR 52.204-21(b)(1), the contractor who scores at least 80% of the criteria, including critical requirements, will be given a 180-day grace period to establish and complete a Plan of Action and Milestones (POA&M). If the contractor fails to complete the POA&M and have the requirement assessed as operational, the Contracting Officer can apply standard contractual remedies – including termination of the contract.
Yes, it appears the Government will be playing hardball on this.
What about Subcontracts?
Prime contractors are responsible for determining the information (i.e., any FCI or CUI) a subcontractor will need to perform the required scope of work. The prime will then be required to notify the subcontractor of the required assessment level and flow down the necessary contract terms and conditions. The prime will also be required to document its actions to ensure the subcontractor and any lower-tier subcontractors comply.
The CMMC requirement flows down to all subcontracts, including commercial (i.e., FAR part 12), if FCI or CUI are required for subcontract performance.
Full CMMC Implementation
Upon full implementation, Contracting Officers will not award, exercise an option, or extend the period of performance on a contract if the Contractor does not have passing results of a current certification/self-assessment or fails to make an annual affirmation of continuous compliance in SPRS. CMMC will apply to all DoD solicitations and contracts exceeding the micro-purchase threshold, including the acquisition of commercial products or commercial services (excludes commercially available off-the-shelf items).
Takeaway
It is very important that contractors read and understand the CMMC program requirements and determine what CMMC certification level will be required based on current or future work. There is no exception to the Level 1 assessment – all 15 security requirements in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, must be met if you or a subcontractor processes FCI. Seeing as most subcontracts refer to the prime contract number, which is federal contract information (i.e., FCI), we believe all contractors and subcontractors will need to be Level 1 compliant.
Contractors and subcontractors who believe they will need to be assessed above Level 1 need to start the process sooner rather than later. The requirements are extensive, and the availability of C3PAOs may be limited.
Additional guidance is available from the DoD CMMC website.
How Can Redstone GCI Help?
Redstone GCI can provide our clients with more information and guidance in working with established industry-leading partners who can assist in fulfilling numerous cybersecurity compliance requirements, including but not limited to penetration testing, incident response, security assessments, and POA&M development and resolution. Redstone GCI, along with our trusted partners, can bring you a full solution by ensuring cyber security policy and flow-down requirements are accomplished, including but not limited to purchasing policy requirements. We would be happy to be part of your team.