In 2019, the Department of Defense (DoD) announced the development of the Cybersecurity Maturity Model Certification (CMMC) Program, which was then implemented in 2020 as an interim rule. We blogged about that way back in 2020. This program was designed to give a certification to contractors based on the depth and effectiveness of their cybersecurity systems to help ensure that contractors implement required security measures. As DoD put it, “[t]he CMMC model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the broader community.” In late December 2023, the DoD issued proposed changes to the CMMC program for “CMMC 2.0,” a plan that DoD began work on back in 2021. In this post, we will take a general look at these proposed changes.
FCI and CUI
It might be helpful for context to give an idea of what the CMMC Program protects. After all, many might wonder what there is to protect if the information is unclassified. The CMMC Program aims at protecting two kinds of information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). FAR 52.204-21 defines FCI as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.” Essentially, it’s information that comes from a contract that isn’t marked for public release.
CUI, per 32 C.F.R. § 2002.4, “is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” Essentially, CUI is information that, while unclassified, agencies must or are permitted to safeguard or otherwise control the dissemination of. The National Archives provides a good rundown of the difference between FCI and CUI.
The CMMC Program, then, is basically aimed at ensuring that the information which falls in between “classified” and “meant for public release” is properly protected. This program became all the more crucial with the rise of electronic data creation, collection, and processing. “Classified information” generally refers to information that must be protected for national security reasons. Just because information is unclassified, that does not mean it is meant to be disseminated to the public. Personal data and financial information might well be unclassified, yet still improper to disseminate publicly. This is what the CMMC Program seeks to protect.
Current CMMC
Under the current CMMC program, federal contracts have five levels of security requirements:
- CMMC Level 1: contractors and applicable subcontractors must follow FAR 52.204-21, which has 15 security requirements for the transfer of FCI outside the government.
- CMMC Level 2: contractors and applicable subcontractors must follow DFARS 252.204-7012, which, by its reference to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” has 65 of the 110 security requirements for the transfer of CUI outside the government, along with 7 CMMC practices and 2 CMMC processes.
- CMMC Level 3: all 110 security requirements from NIST SP 800-171, 20 CMMC practices, and 3 CMMC processes.
- CMMC Level 4: all 110 security requirements from NIST SP 800-171, 46 CMMC practices, and 4 CMMC processes.
- CMMC Level 5: all 110 security requirements from NIST SP 800-171, 61 CMMC practices, and 5 CMMC processes.
CMMC 2.0
If implemented, CMMC 2.0 would add 32 C.F.R. Part 170 to the CFR. It would create a number of new requirements for assessment and affirmation that requirements are being met for CMMC Levels 1 and 2. For CMMC Level 1, contractors and applicable subcontractors would need to verify that they are meeting the security requirements through self-assessment and affirm the same annually. For CMMC Level 2, program contracts will include either a self-assessment requirement or a certification assessment requirement, at what appears to be the discretion of the contracting officer; the latter would involve assessment of contractors and applicable subcontractors by a third party on whether they are meeting the CMMC Level 2 security requirements. In either case for CMMC Level 2, the contractor and applicable subcontractors would need to affirm continuing compliance after each assessment.
However, the biggest change with CMMC 2.0 is that it appears it would simplify the leveling system and make CMMC Level 3 the highest level. Per the proposed rule, it would eliminate Levels 2 and 4, and rename the remaining three CMMC Levels as follows:
- Level 1 will remain the same as CMMC 1.0 Level 1 (15 security requirements for the transfer of FCI outside the government);
- Level 2 will be similar to CMMC 1.0 Level 3 (110 security requirements from NIST SP 800-171); and
- Level 3 will be similar to CMMC 1.0 Level 5 (110 security requirements from NIST SP 800-171).
In addition, for CMMC Level 3, contractors and applicable subcontractors would also be required to implement 24 selected security requirements (outlined in what will be 32 C.F.R. § 170.14) from NIST SP 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.” Under CMMC Level 3, contractors and applicable subcontractors would need to verify through a DoD-conducted assessment that they are meeting the Level 3 requirements. They would then receive a certification that is valid for up to three years. Naturally, the contractor and applicable subcontractors would also be required to affirm compliance after the assessment and then annually thereafter until the next assessment.
It is worth noting that this CMMC Program applies to defense contracts, and that the implementation will be a phased rollout. Specifically, the proposed rule states: “The DoD is implementing a phased implementation for the CMMC Program and intends to introduce CMMC requirements in solicitations over a three-year period to provide appropriate ramp-up time. The Department anticipates it will take two years for companies with existing contracts to become CMMC certified.” As such, it would seem that the program should not apply to existing contracts, but will apply over time to more and more new solicitations until all such DoD solicitations incorporate it.
Summary
CMMC 2.0 expands upon the CMMC Program in multiple ways, such as simplifying the security requirement level structure and adding assessment and affirmation requirements. No doubt there will be further tweaks to the program in the years to come even if CMMC 2.0 is implemented, but contractors should be aware of the potential for this new program. As of this posting, comments are still welcome on the CMMC 2.0 proposed rule and will be until February 26, 2024. It seems safe to assume that CMMC 2.0 will be implemented in some form or another, so familiarization now may help prevent headaches down the road.