DoD’s Proposed New CMMC 2.0 Contract Clauses Heighten Compliance Risks for Contractors
By now, defense contractors and subcontractors should be aware of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, a suite of mandatory cybersecurity controls being imposed by the U.S. Department of Defense (DoD) to increase the security of certain information being stored or transmitted by the information systems of defense contractors and subcontractors. On August 15, 2024, DoD took an important step in the rollout of the CMMC 2.0 program, by proposing changes to its procurement regulations and contract clauses to clarify how DoD plans to impose the CMMC 2.0 security requirements on defense contractors and enforce them contractually.
Contractors have until October 15, 2024, to submit comments on these proposed changes to the Defense Federal Acquisition Regulation Supplement (DFARS). The new or revised DFARS provisions proposed in this new rule will not be incorporated into DoD contracts until DoD issues a final rule after the comment period has expired.
CMMC 2.0 Background
DoD refers to the current iteration of CMMC as “CMMC 2.0,” reflecting the evolution of the program from the initial version proposed by DoD in 2020. As a reminder, CMMC 2.0 establishes three “CMMC Levels,” with each level corresponding to a particular set of cybersecurity requirements that escalate in rigor as the levels increase. CMMC Level 1 would apply to contracts that require the contractor to store, process, or transmit only Federal Contract Information (FCI), not the more-sensitive category of data referred to as Controlled Unclassified Information (CUI). CMMC Level 2 would apply to contracts requiring the contractor or subcontractors to store, process, or transmit CUI using contractor information systems. CMMC Level 3, the highest security level, would apply only to specified contracts necessitating a higher level of cybersecurity.
DoD has proposed different types of security assessments for the different CMMC levels. For all CMMC Level 1 contracts and for some CMMC Level 2 contracts, contractors must perform a self-assessment of their compliance with the required controls. Other CMMC Level 2 contracts would require an assessment of the contractor’s information system by a CMMC Third-Party Assessment Organization (C3PAO). CMMC Level 3 contracts likewise require an external compliance assessment, but it will be performed by a DOD assessor rather than by a C3PAO.
DoD intends to roll out the CMMC program over a three-year period, starting in the first quarter of 2025. After this three-year period, all DoD prime contractors and subcontractors will need to comply with the applicable requirements in the CMMC contract clause, except for contracts or subcontracts exclusively for commercially available off-the-shelf (COTS) items.
Enforcing Contractor Compliance with CMMC 2.0
The recently proposed rule reveals how DoD proposes to enforce compliance with the CMMC 2.0 security requirements against defense contractors and subcontractors—including how DoD contracting officers will screen for CMMC 2.0 compliance as a precondition for a contractor receiving a new contract or even having options under an existing contract exercised.
- No CMMC, No Award
The proposed rule formalizes the procedure contracting officers will use to validate that a contractor has the required CMMC Level certification or self-assessment prior to receiving a contract award. Prior to making an award, contracting officers will review the Supplier Performance Risk System (SPRS) to confirm that the apparently successful offeror has the results of a current CMMC certificate or self-assessment entered at the solicitation’s required CMMC level. As part of this eligibility determination, the contracting officer can request the apparently successful offeror to provide the DoD unique identifier(s) issued by SPRS for each contractor information system that will process, store, or transmit FCI or CUI during the performance of the contract or order to be awarded under the solicitation. Offerors without a current CMMC certificate or self-assessment at the required level for each of those contractor information systems will be ineligible for contract award.
- Maintaining a “Current” CMMC Certificate or Self-Assessment
Not only must contractors have a current CMMC certificate or self-assessment to be eligible for the award of a contract or task or delivery order, but they must also maintain it throughout the life of the contract or task/delivery order, and the contracting officer cannot exercise an option if the contractor’s CMMC certification or self-assessment is no longer current. The definition of “current” varies based on the CMMC Level required. For CMMC Level 1, which requires only a self-assessment, the self-assessment must have been performed within one year. For CMMC Level 2, the third-party certificate or contractor self-assessment must not be older than three years. For CMMC Level 3, the certificate for the DoD assessment must not be older than three years. For all three CMMC levels, the definition of “current” includes a requirement that there have been “no changes in CMMC compliance” since the date of the relevant assessment or certificate.
- Notification Requirements
The proposed rule would also require contractors to notify the contracting office within 72 hours “when there are any lapses in information security or changes in the status of CMMC certificate or CMMC self-assessment levels during performance of the contract.” The proposed rule does not define precisely what DoD means by “lapses in information security.” To the extent DoD intends that term to encompass “cyber incidents” as that term is used in DFARS 252.204-7012, contractors are already under an obligation to report “cyber incidents” that affect their covered information systems within 72 hours of discovery. However, the proposed CMMC notification would add a new burden for contractors, as it would require contractors to notify the individual contracting officer for each DoD contract containing a CMMC certification or assessment requirement, as opposed to the existing “cyber incident” reporting requirement, which allows contractors to file a single, centralized report through the didbnet.dod.mil portal.
- Enforcing Subcontractor Compliance
CMMC compliance obligations flow down to all levels of the supply chain that would be storing, processing, or transmitting FCI or CUI on their information systems, meaning contractors and subcontractors also need to ensure that they are taking the steps necessary to ensure their own subcontractors and suppliers have the necessary “current” CMMC certificate or assessment. Contractors must establish the correct CMMC level requirements for subcontracts and ensure that all subcontractors obtain the requisite CMMC level, or higher, prior to awarding any subcontract. Contractors must also flow down the CMMC contract clause (DFARS 252.204-7021) in subcontracts under contracts with a required CMMC level unless the subcontract is solely for the acquisition of commercial off-the-shelf (COTS) items. Purchases of commercial services or commercial products that are not COTS items must meet any applicable CMMC requirement. Last, contractors must ensure that all subcontractors and suppliers complete and affirm continuous compliance with the CMMC security requirements applicable to the subcontractor based on the applicable CMMC level assigned to the subcontract.
One challenge that DoD did not resolve in the proposed rule is the lack of visibility higher-tier contractors have into their subcontractors’ CMMC status. While a DoD contracting officer can simply look up a company’s CMMC status in SPRS, contractors are not able to access the SPRS records for their prospective subcontractors or suppliers. Thus, contractors will likely need to require prospective subcontractors to submit certifications attesting that the subcontractor has the required current CMMC certification or assessment at the level required for the subcontractor’s performance under the contract.
- Key Takeaways for Contractors
While DoD may ultimately tweak aspects of the proposed rule based on the comments it receives, the overall takeaway from DoD’s proposed rule is clear: DoD is moving forward with its three-year plan to implement CMMC 2.0, and contractors need to begin preparing for these changes if they have not already done so.
Here are several other key takeaways for contractors from DoD’s proposed rule for implementing CMMC 2.0 in defense contracts:
- Identify all the information systems that you would use to store, process, or transmit FCI or CUI during the performance of your DoD contracts and subcontracts, as well as the type of information that is stored, processed, or transmitted through each system. You can then assess which CMMC level requirements will apply to each of those identified contractor information systems and evaluate whether those information systems meet the security requirements for that level.
- Prepare for the requirement to report “any lapses in information security” or changes in your CMMC level status within 72 hours, including ensuring that your company will be prepared to report such information to the DoD contracting officer for each contract subject to this CMMC requirement. As discussed above, the proposed rule would require notification of each contracting officer for a CMMC contract, rather than a single report to a centralized portal for all of DoD (as is the case with the current “cyber incident” reporting requirement).
- Ensure that changes to IT infrastructure and security controls are planned and vetted well in advance, to avoid allegations that a change in that infrastructure or those security controls put the contractor out of compliance with the applicable CMMC requirements. A senior company official is responsible for submitting affirmations of “continuous compliance” with CMMC requirements on at least an annual basis. Changes such as dropping certain security controls or beginning to share FCI or CUI on an information system for which the contractor does not have a “current” CMMC certificate or assessment could give rise to allegations that the contractor’s affirmation of continuous compliance is no longer accurate.
- Start planning for monitoring and enforcing CMMC compliance in your own subcontractors and suppliers. Begin categorizing the level of CMMC compliance you expect each subcontractor will need to achieve for the work they perform. Communicate with the subcontractors and suppliers you currently use, or anticipate possibly using in the future, to perform DoD contracts to assess where those subcontractors/suppliers stand in implementing the security controls required you anticipate they will need once CMMC goes “live.” Consider how you will require subcontractors or suppliers to certify or otherwise document that they have the current CMMC Level certification or assessment required and how you will work those requirements into your subcontract terms and conditions.
Should you have any questions about the proposed rule or the CMMC requirements, please contact Frank Murray, Erin Toomey, or Caitlin Trevillyan.