DoD Releases New Cybersecurity Maturity Model Certification Program Rule

Client Updates

On December 22, 2023, the Department of Defense (DoD) released a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) program (published in the Federal Register on December 26, 2023), which aims to verify that defense contractors are protecting the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) they handle for the department.

The rule would require DoD contractors and subcontractors that process, store, or transmit FCI or CUI to meet one of three levels of cybersecurity requirements, scaled to the sensitivity of the information they handle, and to undergo periodic assessments and annual affirmations of compliance. The rule would also establish reporting obligations for contractors, subcontractors, and assessors. If adopted, the rule would be implemented in four phases, the last of which begins two and a half years after the rule's effective date.

Tiered Security Requirements

The practical requirements under the new CMMC standards vary by the level of certification that contractors and subcontractors need to achieve based on the information they process, store, or transmit. The three levels of certification are:

  • Level 1 (Self-Assessment): For contractors and subcontractors that handle Federal Contract Information (FCI), meaning information not intended for public release that is provided by or generated for the government under a contract. Level 1 maps to the 15 basic safeguarding requirements of FAR clause 52.204-21, which FCI contractors already had to implement. Under the proposed rule, contractors must self-assess against all 15 requirements annually, enter the results in the Supplier Performance Risk System (SPRS), and affirm annually that they continue to meet them.
  • Level 2 (Self-Assessment or Certification Assessment): For contractors and subcontractors that handle Controlled Unclassified Information (CUI), meaning information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. Level 2 requires implementing the 110 security requirements of NIST SP 800-171 Rev 2 (the same requirements already imposed by DFARS clause 252.204-7012). The solicitation will specify which of two assessment paths applies. Under the self-assessment path, which is the only Level 2 path DoD will require in Phase 1 of the rollout, the contractor assesses itself against all 110 requirements every three years (rather than annually, as at Level 1), enters the results in SPRS, and affirms compliance annually. Under the certification path, a CMMC Third-Party Assessment Organization (C3PAO) conducts the assessment and records the results; the resulting certification is valid for three years and must likewise be accompanied by annual affirmations.
  • Level 3 (Certification Assessment): For contractors and subcontractors that handle CUI which DoD determines warrants protection against advanced persistent threats. In addition to the 110 Level 2 requirements, Level 3 requires 24 selected requirements from NIST SP 800-172. Unlike Level 2 certifications, Level 3 assessments are conducted by the government (the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center, DIBCAC), not by a C3PAO, and a Level 3 certification presupposes a current Level 2 certification assessment covering the same scope. Level 3 certifications are valid for three years, after which they must be renewed, with annual affirmations in between.

Phased Implementation

If adopted, the rule would be implemented in four phases to spread the burden on industry and on the assessment ecosystem. The four phases are:

  • Phase 1: On the effective date of the rule, DoD begins requiring a CMMC Level 1 or Level 2 Self-Assessment as a condition of contract award for applicable solicitations.
  • Phase 2: Six months after the start of Phase 1, DoD begins requiring a Level 2 Certification Assessment (not just a self-assessment) as a condition of contract award where the solicitation calls for it. During this phase, DoD may choose to defer the Level 2 certification requirement to an option period instead of making it a condition of award.
  • Phase 3: One calendar year after the start of Phase 2, DoD requires Level 2 Certification Assessments both as a condition of award and as a condition of exercising option periods on contracts awarded earlier, and begins including Level 3 Certification Assessment as a condition of contract award. As with Level 2 in Phase 2, DoD may defer the Level 3 requirement to an option period during this phase.
  • Phase 4: One calendar year after the start of Phase 3, the program is fully implemented: DoD includes the applicable CMMC requirements in all relevant solicitations and contracts, including option periods on contracts awarded before Phase 4, and no longer has discretion to defer a certification requirement to an option period.

Practical Changes

The primary requirements with which government contractors and subcontractors will need to comply under the new CMMC standards include:

  • Implementing the cybersecurity standards for their respective level of certification, as described above.

  • Assessing their compliance with those standards: by self-assessment annually at Level 1; by self-assessment or C3PAO certification assessment every three years at Level 2, as the contract specifies; and by government (DIBCAC) certification assessment every three years at Level 3.
  • Affirming compliance annually. Affirmations, like assessment results, are submitted in SPRS, and a lapse in affirmation leaves the contractor without a current CMMC status.
  • Flowing down the CMMC requirements to subcontractors and ensuring each subcontractor meets the level appropriate to the information it will actually handle, which may be the same level as the prime's or a lower one (a subcontractor that receives only FCI, for example, needs only Level 1).
  • Reporting any breach of the cybersecurity standards (that is, a lapse in compliance with the requirements of the contractor's level) to their assessor: a C3PAO for Level 2 certification assessments, or the government for Level 3. The assessor in turn must notify the Accreditation Body (for C3PAOs) or DoD (for government assessors). A contractor or subcontractor that fails to report or remediate such a breach may have its certification status revoked and become ineligible for new contracts. Assessors must likewise report any breach they discover during an assessment, and may lose their accreditation if they fail to do so. The CMMC Program Management Office (PMO) investigates reported breaches and determines the appropriate action.

The new CMMC standards represent a significant change in the way the DoD manages the cybersecurity of its supply chain and will require contractors and subcontractors to invest in improving their cybersecurity practices and processes. The proposed rule provides some examples of how the CMMC levels will be incorporated into the DoD solicitations and contracts, and how the DoD will verify and validate the contractors' and subcontractors' compliance. However, the rule also leaves some questions unanswered, such as how the DoD will handle waivers, exceptions, or deviations from the CMMC requirements, how the DoD will resolve disputes or appeals regarding the assessment or certification results, and how the DoD will coordinate with other federal agencies or non-federal entities that may have different or overlapping cybersecurity requirements. Therefore, contractors and subcontractors should closely monitor the development and implementation of the rule. Please contact our Data Privacy and Cybersecurity Team if you would like to discuss or have any questions regarding the DoD’s upcoming rule.

ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.
