On October 15, 2024, the Department of Defense (“DoD”) published the final version of its Cybersecurity Maturity Model Certification (“CMMC”) rule in Title 32 of the Code of Federal Regulations (the “Final Rule”). (Reminder, there are two CMMC rulemakings going on in parallel. This Final Rule updates DoD national security regulations while the other rulemaking effort under Title 48 will update the Defense Federal Acquisition Regulation (“DFARS”) and trigger requirements for DoD contractors.)
Brief History/Background
On December 26, 2023, DoD published the Proposed Rule for the CMMC program under Title 32 (the “Proposed Rule”) (which we previously covered here). The release of the Final Rule follows publication of the CMMC Title 48 proposed rule (on August 15, 2024) that we analyzed here (“DFARS”). CMMC 2.0 was first announced back in November 2021 (which we previously discussed here).
As a refresher, the goal of CMMC is to strengthen cybersecurity across the Defense Industrial Base by implementing a framework to ensure contractors and subcontractors adequately protect Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”) under DoD contracts. The framework requires contractors to implement cybersecurity standards at various levels (Levels 1-3) depending on the sensitivity of the information they hold, and to undergo related assessments and provide affirmations regarding compliance.
Final Rule Overview
The DoD received hundreds of public comment submissions, which are addressed in the 470-page Final Rule. For the most part, the structure of the program and security requirements for DoD contractors and subcontractors remain the same. Notably, however, DoD did make some helpful changes, updated key definitions, and provided welcome clarity – particularly with respect to requirements for external service providers.
Below are our initial takeaways and noteworthy updates included in the Final Rule.
Revised Timeline for Phased Roll-Out – Phase 1 Extended to One Year
In response to public comments critiquing the roll-out timeline, the implementation for Phase 1 is extended by six months with parallel adjustments to later phases. This means Phase 2 will start one calendar year after the start of Phase 1. This additional time is intended to address any issues during ramp-up, allow for training of new assessors, and provide companies the necessary time to understand and implement new requirements.
Phase 1 will begin on the effective date of the complementary CMMC Title 48 rule, which is estimated to be early to mid-next year. Below is an updated overview of the four phases for CMMC implementation.
Phase | Start Date | Impact |
Phase 1 | On the date the CMMC Title 48 rule becomes effective. | Inclusion of Level 1 (Self) or Level 2 (Self) requirement in applicable solicitations/contracts (as a condition of award). |
Phase 2 | One calendar year after Phase 1 begins. | Level 2 (C3PAO) (third party certification assessment) requirement in applicable solicitations/contracts (as a condition of award). |
Phase 3 | One calendar year after Phase 2 begins. | Level 2 (C3PAO) as a condition for exercising option periods; and Level 3 (DIBCAC) requirement for all applicable solicitations/contracts (as a condition of award). |
Phase 4, full implementation | One calendar year after Phase 3 begins. | Full implementation of the CMMC requirements in all applicable solicitations and contracts, including option periods. |
Updates Relating to Security Protection Assets & Security Protection Data
Commenters strongly criticized the Proposed Rule’s treatment of Security Protection Assets and Security Protection Data, where the Proposed Rule suggested for Level 2 that Security Protection Assets were to be assessed against all security requirements even where a Security Protection Asset did not store, process, or transmit CUI.
The Final Rule updates definitions and requirements, clarifying at Level 2 and Level 3 that Security Protection Assets that do not process, store, or transmit CUI need only be assessed “against Level 2 [or Level 3] security requirements that are relevant to the capabilities provided,” and not all security requirements. See Table 3 §170.19(c)(1).
The new and updated definitions are as follows:
- Security Protection Assets (“SPA”) are “assets providing security functions or capabilities for the [contractor’s] CMMC Assessment Scope.”
- Security Protection Data (“SPD”) is “data stored or processed by Security Protection Assets (SPA) that are used to protect [the contractor’s] assessed environment. SPD is security relevant information and includes but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment.”
32 CFR §170.4(b). The added specificity here is a welcome update and will alleviate some of the burden associated with performing a CMMC assessment at Level 2 and Level 3.
Clarification of Requirements for External Service Providers
The Final Rule updates requirements for External Service Providers (“ESPs”) and, related to the above, clarifies that where an ESP processes, stores, or transmits Security Protection Data (and not CUI), the ESP does not need its own CMMC certification; its services can be assessed as Security Protection Assets as part of the contractor’s assessment.
The Final Rule includes the below chart as a helpful tool to determine requirements applicable to ESPs.
When the ESP processes, stores, or transmits: | When utilizing an ESP that is a CSP: | When utilizing an ESP that is not a CSP: |
CUI (with or without SPD) | The CSP shall meet the FedRAMP requirements in 48 CFR 252.204-7012. | The services provided by the ESP are in the contractor’s assessment scope and shall be assessed as part of the contractor’s assessment. |
SPD (without CUI) | The services provided by the CSP are in the contractor’s assessment scope and shall be assessed as Security Protection Assets. | The services provided by the ESP are in the contractor’s assessment scope and shall be assessed as Security Protection Assets. |
Neither CUI nor SPD | A service provider that does not process CUI or SPD does not meet the CMMC definition of an ESP. | A service provider that does not process CUI or SPD does not meet the CMMC definition of an ESP. |
Table 4, 32 CFR §170.19(c)(2)(i).
As a reminder, ESPs are “external people, technology, or facilities that an organization utilizes for provision and management of IT and/or cybersecurity services on behalf of the organization.” 32 CFR §170.4(b). While the definition of ESP did not change, the Final Rule provides additional information to help contractors understand the definition.
- Cloud Service Providers (“CSPs”), Managed Service Providers (“MSPs”), and Managed Security Service Providers (“MSSPs”) to DoD contractors are considered ESPs.
- Service providers needing only temporary access, for services such as penetration testing, incident response, or forensic analysis, do not meet the definition of an ESP and are not considered to process, store, or transmit CUI.
- A CMMC assessment is not necessary for an ESP that provides staff augmentation where the contractor provides all processes, technology, and facilities.
- Not all companies that provide services to a DoD contractor are considered ESPs.
These updates come as a relief to DoD contractors and their service providers where the compliance threshold will be significantly lessened in some cases. DoD contractors still should carefully review their arrangements with any third parties that may handle sensitive DoD information to ensure appropriate security protections are in place even if the third party does not necessarily meet the definition of an ESP.
Revisions Regarding Contractor Affirmations
The Final Rule removes the term “senior official” and now uses “Affirming Official,” which is defined as the senior level representative within the contractor’s organization responsible for ensuring CMMC compliance and with authority to affirm the contractor’s continuing compliance with CMMC security requirements. 32 CFR §170.4(b). The Affirming Official must provide a CMMC affirmation in the DoD’s Supplier Performance Risk System (“SPRS”) at each of the following times: (i) upon achieving conditional CMMC status (as applicable); (ii) upon achievement of final CMMC status; (iii) annually following final CMMC status; and (iv) following a Plan of Action and Milestones (“POA&M”) closeout assessment (as applicable). 32 CFR §170.22.
Other Noteworthy Changes
Additional points worth noting in the Final Rule are below.
International Contractors
The Final Rule confirms both U.S. and non-U.S. organizations will be subject to the same CMMC requirements. No additional timeline or special accommodations will be granted to international contractors solely based upon an international location. The Final Rule emphasizes that the phased implementation will impact both U.S. and non-U.S. contactors equally.
Operational Plans of Action v. POA&Ms
The Final Rule adds the concept of “operational plans of action” as distinct from POA&Ms to address concerns that the CMMC program’s draconian approach to POA&Ms did not align with standard continuous monitoring practices. Operational plans of action are defined as the formal artifacts identifying temporary vulnerabilities and temporary deficiencies (e.g., necessary information system updates, patches, or reconfiguration as threats evolve) in implementation of requirements and documenting how they will be mitigated, corrected, or eliminated. DoD clarifies, “An operational plan of action…is not the same as a POA&M, which is associated with an assessment for remediation of deficiencies that must be completed within 180 days.” 32 CFR §170.4(b). Operational plans of action are part of normal maintenance of a system.
Verification of Subcontractor Compliance
The DoD reiterates in the Final Rule that prime contractors will be responsible for compliance throughout their supply chain and that SPRS, or any other DoD-sponsored tools, will not be made publicly available for contractors to verify CMMC status of other companies. Instead, contractors should share information to ensure verification of CMMC status when arranging contracts, as appropriate. The DoD emphasized the importance of early and effective communication between contractors and subcontractors to verify CMMC statuses. Further, the Final Rule noted that DoD will not be involved with this process and that it is beyond the scope of the Rule.
Conclusion – Takeaways and What’s Next
Now that the Final Rule is available, contractors can finalize their assessment scoping and complete self-assessments or CMMC certification assessments. Even though the CMMC program is not effective for DoD contractors until finalization of the parallel Title 48 rule, DoD makes clear companies can immediately seek CMMC certification and need not wait for the phased roll-out to begin.
DoD contractors should seriously focus on CMMC compliance now (if they have not already) as completing the assessment can take time and we expect DoD to move quickly in finalizing the parallel rule to update the DFARS. Once CMMC requirements are applied to a solicitation, contractors will be ineligible for award, and eventually option periods or extension of performance, if they do not have the required CMMC compliance in place. And, while program managers may seek approval for a waiver of the CMMC requirements in certain solicitations, we expect waivers likely will be rare.